While the recently released Java 23 features a dozen official features ranging from a second class-file API preview to an eighth incubator of a vector API, it also comes with various security capabilities. Security enhancements include crypto performance updates and additions to Kerberos and PKI.
JDK 23 was released on September 17. A same-day Java Security Blog post from Sean Mullan, technical lead of the Java security libraries team at Oracle, lists JDK 23 security capabilities. Mullan did a similar list for JDK 22 in March. For javax.crypto
, the CipherInputStream
buffer size was increased from 512 bytes to 8,192 bytes. This can improve performance and is more consistent with buffer sizes for other APIs such as java.io.FileInputStream
. Also, the performance of constructing a java.security.SecureRandom
object via new SecureRandom()
was improved. Also for the crypto API, a new PKS11 configuration attribute named allowLegacy
was introduced. Applications can set this value to “true” to bypass legacy checks. The default value is “false.”
In the PKI realm, new root CA certificates were added to the cacerts keystore, including CN=Certainly Root R1, 0=Certainly, C=US
and CN=Certainly Root E1, O=Certainly, C=US
. Also featured are two new GlobalSign root certificates, including CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE
and CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE
. Additionally, a new javasecurity.Keystore
named KeychainStore-ROOT
was added to the Apple security provider. This keystore contains root certificates stored in the system keychain on macOS systems. The Apple provider now supports two keystores: KeychainStore-Root
and the existing KeychainStore
that contains private keys and certificates for the user’s keychain. This enhancement fixes issues that caused HTTP’s connections to fail because the JDK was unable to find a root certificate to establish trust in the peer’s certificate chain.