Java 23, the latest release in the Java Development Kit (JDK) series, introduces a variety of new features, including security enhancements alongside performance upgrades. Among its twelve official features, the update brings improvements to cryptography, Kerberos, and the Public Key Infrastructure (PKI). These enhancements aim to bolster the overall security of Java applications while refining key cryptographic operations.
One notable improvement in Java 23 is within the javax.crypto package, where the buffer size of CipherInputStream has been expanded from 512 bytes to 8,192 bytes. This change aligns it with the buffer sizes used in other APIs like java.io.FileInputStream, ensuring better performance and efficiency. Additionally, the process of generating a SecureRandom object has been optimized, reducing overhead when constructing new instances. Furthermore, a new PKCS11 configuration attribute, allowLegacy, was introduced. By setting it to true, applications can bypass certain legacy security checks, with the default value remaining false for stricter compliance.
Enhancements to Java’s PKI framework include the addition of new root Certificate Authority (CA) certificates to the cacerts keystore. Notably, root certificates from Certainly and GlobalSign have been integrated, improving Java’s ability to establish trust in secure connections. Another key update comes for macOS users, with the introduction of a new KeychainStore-ROOT keystore in Apple’s security provider. This keystore allows Java applications to access system-level root certificates, resolving previous issues where missing root certificates caused HTTP connection failures.
Kerberos authentication has also received important refinements. A new security property, jdk.security.krb5.name.case.sensitive, now enables case-sensitive lookups for Kerberos principal names in keytab and credential cache files, offering more control over authentication behaviors. Additionally, debugging output for the Kerberos module has been redirected from standard output to standard error, improving logging efficiency and making error tracking more manageable. These refinements collectively strengthen Java 23’s security posture while improving usability for developers.