JDK 22 Adds Root CA Certificates, Asymmetric Key Interface, and -XshowSettings Option
Java Development Kit (JDK) 22, released by Oracle on March 19 as the latest version of standard Java, offers a number of security enhancements, covering areas ranging from an asymmetric key interface to a new security option for -XshowSettings that allows developers to easily display security-related settings.
In a March 20 blog post on Oracle’s inside.java web page, Sean Mullan, technical lead of the Java Security libraries team and lead of the OpenJDK Security Group, detailed the security enhancements in JDK 22.
The java -XshowSettings option, which prints system settings and other useful information about the current JDK configuration, has been enhanced to show security-related settings as well. -XshowSettings:security shows all security settings. Sub-options narrow the output: -XshowSettings:security:properties displays the values of the security properties, -XshowSettings:security:providers lists the installed security providers and the algorithms each supports, and -XshowSettings:security:tls lists the enabled TLS protocols and cipher suites. Because the JVM prints the settings and then continues to launch, pairing the option with -version (for example, java -XshowSettings:security:tls -version) dumps the effective configuration of a given JDK without running any application, which makes it a convenient way to confirm that a deployment's java.security overrides and -Djdk.tls.* properties actually took effect.
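The launcher option reports the configuration at startup; the same three views (security properties, providers and their services, enabled TLS protocols and cipher suites) can be collected from inside a running JVM through the public API and turned into a self-check. The following program is an added example, not code from the page or from the JDK; the forbidden-protocol list and the "no forward secrecy" heuristic for cipher suites are an assumed deployment policy, not something the article states.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Runtime equivalent of -XshowSettings:security with a pass/fail policy check. */
public class SecuritySettingsAudit {

    // Assumed policy (not from the page): these protocol versions must never be enabled.
    static final Set<String> FORBIDDEN_PROTOCOLS = Set.of("SSLv3", "TLSv1", "TLSv1.1");

    /** Same data as -XshowSettings:security:properties, for the properties that matter here. */
    static List<String> securityProperties() {
        List<String> out = new ArrayList<>();
        for (String name : List.of("jdk.tls.disabledAlgorithms",
                                   "jdk.certpath.disabledAlgorithms",
                                   "jdk.jar.disabledAlgorithms",
                                   "securerandom.source")) {
            out.add(name + " = " + Security.getProperty(name));
        }
        return out;
    }

    /** Same data as -XshowSettings:security:providers: provider order and registered services. */
    static List<String> providerSummary() {
        List<String> out = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            Set<String> services = new TreeSet<>();
            for (Provider.Service s : p.getServices()) {
                services.add(s.getType() + "." + s.getAlgorithm());
            }
            out.add(p.getName() + " " + p.getVersionStr() + ": " + services.size() + " services");
        }
        return out;
    }

    /** Same data as -XshowSettings:security:tls: what the default SSLContext would negotiate. */
    static SSLParameters defaultTlsParameters() throws Exception {
        return SSLContext.getDefault().getDefaultSSLParameters();
    }

    /** Protocols from the enabled list that violate the assumed policy. */
    static List<String> forbiddenProtocols(String[] enabled) {
        return Arrays.stream(enabled).filter(FORBIDDEN_PROTOCOLS::contains).toList();
    }

    /** Enabled suites that use static RSA key exchange and therefore offer no forward secrecy. */
    static List<String> noForwardSecrecySuites(String[] enabled) {
        return Arrays.stream(enabled).filter(s -> s.startsWith("TLS_RSA_")).toList();
    }

    public static void main(String[] args) throws Exception {
        securityProperties().forEach(System.out::println);
        providerSummary().forEach(System.out::println);

        SSLParameters tls = defaultTlsParameters();
        System.out.println("Enabled protocols: " + String.join(", ", tls.getProtocols()));
        System.out.println("Enabled cipher suites: " + tls.getCipherSuites().length);

        List<String> badProtocols = forbiddenProtocols(tls.getProtocols());
        List<String> weakSuites = noForwardSecrecySuites(tls.getCipherSuites());
        if (!weakSuites.isEmpty()) {
            System.out.println("WARN: suites without forward secrecy enabled: " + weakSuites);
        }
        if (!badProtocols.isEmpty()) {
            System.err.println("FAIL: legacy protocols enabled: " + badProtocols);
            System.exit(1);   // non-zero exit so a deployment pipeline can stop here
        }
    }
}
```

Run it with the same -D and java.security overrides as the real application; a non-zero exit means the effective configuration differs from what the launcher option showed in a clean JDK, which is exactly the drift a startup check is meant to catch.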
For cryptography, a new standard interface, java.security.AsymmetricKey, has been added. It is a subinterface of java.security.Key and represents an asymmetric key, which can be either private or public. The existing java.security.PublicKey and java.security.PrivateKey interfaces have been retrofitted to be subinterfaces of AsymmetricKey. AsymmetricKey declares a getParams() method, with a default implementation that returns null, which returns the AlgorithmParameterSpec associated with the key; this gives applications a single, algorithm-independent way to inspect a key's parameters instead of casting to algorithm-specific interfaces such as ECKey or EdECKey. As future asymmetric algorithms are introduced, the AsymmetricKey interface will allow earlier versions of Java SE to more easily support them, representing their parameters as a NamedParameterSpec, Mullan said.
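The practical payoff of the new interface is that key-policy code no longer needs an instanceof ladder over ECKey, EdECKey, XECKey and RSAKey. The following program is an added example, not code from the page or from the JDK: it generates EC, EdDSA, XDH and RSA key pairs, reads each key's parameters through AsymmetricKey.getParams(), and applies an assumed policy (the ALLOWED parameter-set names, the EC_CURVES lookup list and the 3072-bit RSA floor are illustrative choices, not anything the article states). Because an ECParameterSpec carries raw domain parameters rather than a name, the example identifies the curve by comparing those parameters against the JDK's own named curves.

```java
import java.security.AlgorithmParameters;
import java.security.AsymmetricKey;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAKey;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.NamedParameterSpec;
import java.util.List;
import java.util.Set;

/** Algorithm-independent key inspection and policy check built on JDK 22's AsymmetricKey. */
public class AsymmetricKeyInspector {

    // Assumed policy, not from the page: parameter sets a deployment is willing to accept.
    static final Set<String> ALLOWED = Set.of("secp256r1", "secp384r1", "Ed25519", "Ed448", "X25519", "X448");
    static final int MIN_RSA_BITS = 3072;

    // Named curves to compare explicit EC domain parameters against.
    static final List<String> EC_CURVES = List.of("secp256r1", "secp384r1", "secp521r1");

    /** Resolve an ECParameterSpec to a curve name by comparing field, coefficients, generator and order. */
    static String curveName(ECParameterSpec ec) throws GeneralSecurityException {
        for (String name : EC_CURVES) {
            AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
            ap.init(new ECGenParameterSpec(name));
            ECParameterSpec ref = ap.getParameterSpec(ECParameterSpec.class);
            if (ref.getCurve().equals(ec.getCurve())
                    && ref.getGenerator().equals(ec.getGenerator())
                    && ref.getOrder().equals(ec.getOrder())
                    && ref.getCofactor() == ec.getCofactor()) {
                return name;
            }
        }
        return null;   // explicit or unrecognised curve: not accepted
    }

    /** Name of the parameter set behind any asymmetric key, or null if the key carries none. */
    static String parameterName(AsymmetricKey key) throws GeneralSecurityException {
        return switch (key.getParams()) {          // one call regardless of algorithm
            case null -> null;                      // e.g. plain RSA keys have no parameters
            case NamedParameterSpec nps -> nps.getName();   // EdDSA, XDH and future named algorithms
            case ECParameterSpec ec -> curveName(ec);
            case AlgorithmParameterSpec other -> other.getClass().getSimpleName();
        };
    }

    /** Policy decision: approved named parameters, or an RSA modulus at or above the floor. */
    static boolean isAllowed(AsymmetricKey key) throws GeneralSecurityException {
        if (key instanceof RSAKey rsa) {
            return rsa.getModulus().bitLength() >= MIN_RSA_BITS;
        }
        String name = parameterName(key);
        return name != null && ALLOWED.contains(name);
    }

    static KeyPair generate(String algorithm, AlgorithmParameterSpec spec, int bits)
            throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm);
        if (spec != null) {
            kpg.initialize(spec);
        } else {
            kpg.initialize(bits);
        }
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair[] pairs = {
            generate("EC", new ECGenParameterSpec("secp256r1"), 0),
            generate("EdDSA", NamedParameterSpec.ED25519, 0),
            generate("XDH", NamedParameterSpec.X25519, 0),
            generate("RSA", null, 2048),   // below MIN_RSA_BITS, so the policy rejects it
        };
        for (KeyPair kp : pairs) {
            for (AsymmetricKey key : new AsymmetricKey[] { kp.getPublic(), kp.getPrivate() }) {
                System.out.printf("%-5s %-6s params=%-10s allowed=%b%n",
                        key.getAlgorithm(), key.getFormat(), parameterName(key), isAllowed(key));
            }
        }
    }
}
```

The switch over getParams() is where the new interface earns its keep: the same code path handles today's algorithms and, via NamedParameterSpec, any future one that reports its parameters by name, without the caller having to know the algorithm-specific key interface.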
Also, the jdk.crypto.ec module has been deprecated, with the intent to eventually remove it. All code from the jdk.crypto.ec module, including the SunEC security provider, has been moved to the java.base module. The jdk.crypto.ec module still exists but is now empty, so existing --add-modules jdk.crypto.ec arguments and jlink configurations keep working while no longer being necessary. This change will make it easier to deploy applications that depend on elliptic curve cryptographic algorithms, since the provider is always present in java.base.
For PKI (public key infrastructure), 10 new root CA certificates have been added to the cacerts keystore, including three eMudhra Technologies root CA certificates, four DigiCert root CA certificates, and one each from Let’s Encrypt, Telia, and Certigna.
For TLS (Transport Layer Security), two additional system properties, jdk.tls.server.maxInboundCertificateChainLength and jdk.tls.client.maxInboundCertificateChainLength, were added to control the maximum length of the certificate chain a server accepts from a client and a client accepts from a server, respectively; they give finer control than the existing jdk.tls.maxCertificateChainLength property and limit the work an endpoint will do on an oversized chain sent by a peer. For XML signatures, the JDK implementation now supports signatures that use RSA signature algorithms with SHA-3 digests.
JDK 22 extends the JCE (Java Cryptography Extension) support for the HSS/LMS signature algorithm to the jarsigner and keytool utilities: jarsigner can now sign and verify JAR files with the HSS/LMS algorithm, and keytool can now generate HSS/LMS key pairs. However, the JDK's own providers implement only HSS/LMS signature verification, not key generation or signing. Verifying an HSS/LMS-signed JAR therefore works out of the box, but developers will need to install a third-party provider before jarsigner can sign JAR files with HSS/LMS or keytool can generate HSS/LMS keys.