25 Mar

Java 22 Introduces Enhanced Security Features

    With the release of JDK 22, Oracle delivers a series of security enhancements aimed at strengthening standard Java. They include new root CA certificates, an enhanced asymmetric key interface, and a -XshowSettings option for displaying security settings.

    Sean Mullan, the technical lead of the Java Security libraries team and head of the OpenJDK Security Group, delves into the details of these security improvements in a blog post dated March 20 on Oracle’s inside.java platform.

    The -XshowSettings option, a utility used to print system settings and relevant information concerning the current JDK setup, has received upgrades to facilitate the display of security-related configurations. The addition of -XshowSettings:security allows developers to access comprehensive insights into security settings. Sub-options enable the display of security property values, installed security providers with their supported algorithms, or enabled TLS protocols and cipher suites.

    In the realm of cryptography, JDK 22 introduces a new standard interface, java.security.AsymmetricKey, designed to represent asymmetric keys, whether private or public. This interface, a subinterface of java.security.Key, serves as a foundation for future asymmetric algorithms. By retrofitting existing classes like java.security.PublicKey and java.security.PrivateKey as subinterfaces of AsymmetricKey, earlier versions of Java SE can seamlessly adapt to new asymmetric algorithms.
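
    The following added example, which is not taken from Oracle's blog post or the JDK sources, shows what the common supertype allows: one key-strength check that accepts either half of a key pair through AsymmetricKey and its getParams() method. The class name, the minimum sizes and the accepted curve names are assumptions made for the illustration, and it needs JDK 22 or later.

```java
import java.security.*;
import java.security.interfaces.RSAKey;
import java.security.spec.*;
import java.util.Set;
// Added example, requires JDK 22 or later. Class name and thresholds are hypothetical.
public class AsymmetricKeyPolicy {
    static final int MIN_RSA_BITS = 2048;   // assumed policy value
    static final int MIN_EC_BITS = 256;     // assumed policy value
    static final Set<String> NAMED_OK = Set.of("Ed25519", "Ed448", "X25519", "X448");

    // One check for both halves of a key pair: no PublicKey/PrivateKey overloads needed.
    static String check(AsymmetricKey key) {
        String role = (key instanceof PrivateKey) ? "private" : "public";
        AlgorithmParameterSpec params = key.getParams(); // may be null (e.g. plain RSA)
        String detail; boolean ok;
        if (key instanceof RSAKey rsa) {
            int bits = rsa.getModulus().bitLength();
            detail = bits + "-bit modulus";
            ok = bits >= MIN_RSA_BITS;
        } else if (params instanceof ECParameterSpec ec) {
            int bits = ec.getOrder().bitLength();
            detail = bits + "-bit curve order";
            ok = bits >= MIN_EC_BITS;
        } else if (params instanceof NamedParameterSpec named) {
            detail = "named curve " + named.getName();
            ok = NAMED_OK.stream().anyMatch(n -> n.equalsIgnoreCase(named.getName()));
        } else {
            detail = "unrecognized parameters";
            ok = false; // fail closed on anything the policy does not know
        }
        return (ok ? "ACCEPT " : "REJECT ") + key.getAlgorithm() + " " + role + " key, " + detail;
    }
    // Generates a constructed sample key pair; sizeOrSpec may be an Integer, a spec, or null.
    static KeyPair generate(String alg, Object sizeOrSpec) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(alg);
        if (sizeOrSpec instanceof Integer bits) kpg.initialize(bits);
        else if (sizeOrSpec instanceof AlgorithmParameterSpec spec) kpg.initialize(spec);
        return kpg.generateKeyPair();
    }
    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair[] pairs = { generate("RSA", 1024), generate("RSA", 2048),
            generate("EC", new ECGenParameterSpec("secp256r1")), generate("Ed25519", null) };
        for (KeyPair kp : pairs) {
            // KeyPair still returns PublicKey/PrivateKey; both are AsymmetricKey subtypes.
            System.out.println(check(kp.getPublic()));
            System.out.println(check(kp.getPrivate()));
        }
    }
}
```

    It can be run directly with `java AsymmetricKeyPolicy.java`; the 1024-bit RSA pair is generated only to show the rejection path.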

    Furthermore, the deprecation of the jdk.crypto.ec module, with plans for eventual removal, marks a significant shift. All code from the jdk.crypto.ec module has been migrated to the java.base module, including the SunEC security provider. While the jdk.crypto.ec module remains, it is now empty. This restructuring streamlines the deployment process for applications reliant on elliptic curve cryptographic algorithms.

    In the realm of public key infrastructure (PKI), JDK 22 incorporates ten new root CA certificates into the cacerts keystore. These additions include certificates from notable authorities like eMudhra Technologies, DigiCert, Let’s Encrypt, Telia, and Certigna.

    Additional properties have been introduced for TLS to govern the maximum length of client and server certificate chains. Moreover, the JDK implementation now supports XML signatures signed with RSA signature algorithms utilizing SHA-3 digests.

    Expanding the Java Cryptography Extension (JCE) support, JDK 22 integrates functionality for the HSS/LMS signature algorithm. This includes support for HSS/LMS signatures in the jarsigner and keytool utilities: jarsigner now handles signing and verifying JAR files with the HSS/LMS algorithm, and keytool enables the generation of HSS/LMS public key pairs. Note that the JDK itself supports only HSS/LMS signature verification, so signing JAR files requires a third-party provider.
