JDK 22 Security Enhancements

JDK 22 was released on March 19, 2024! As with my previous blogs, I have compiled a list of what I think are the most interesting and useful security enhancements in this release. I have also grouped them into appropriate categories (crypto, TLS, etc) which should make it easier to find out what has changed in each specific area. The JDK 22 release notes also contain further details on these and other enhancements.

Highlights of this release include a new security category for the java -XshowSettings option and several new root CA certificates.

Table of Contents

1. Crypto
2. PKI
3. TLS
4. XML Signature
5. Tools

Crypto

• New java.security.AsymmetricKey interface

  A new standard interface named java.security.AsymmetricKey has been added. AsymmetricKey is a subinterface of java.security.Key and represents an asymmetric key, which can either be a private or public key. The existing java.security.PublicKey and java.security.PrivateKey classes have been retrofitted to be subinterfaces of AsymmetricKey.

  The AsymmetricKey interface provides a default implementation of the getParams method which returns null.

  All asymmetric key subclasses now have a getParams method. This has two primary benefits:

  • Application code can retrieve parameters from a public or private key without using instanceof to first determine the subclass.
  • Many asymmetric algorithm parameters can be represented using the existing NamedParameterSpec subclass. As future asymmetric algorithms are introduced, the AsymmetricKey interface will allow earlier versions of Java SE to more easily support new asymmetric algorithms that can represent their parameters as a NamedParameterSpec, thus avoiding the need to introduce new algorithm-specific AlgorithmParameterSpec APIs.

  Issue: JDK-8318096

• The jdk.crypto.ec module has been subsumed into java.base

  The jdk.crypto.ec module is now deprecated with the intent to eventually remove it. All of the code in the jdk.crypto.ec module has been moved into the java.base module. This includes the SunEC security provider. The jdk.crypto.ec module still exists, but it is now empty.

  This change will make it easier for users to deploy applications that depend on elliptic curve cryptographic algorithms.

  Issue: JDK-8308398

PKI

• New root CA certificates

  Several new root CA certificates have been added to the cacerts keystore:

  • Three eMudhra Technologies root CA certificates
    • emSign Root CA - G1 has the following distinguished name:
      CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
    • emSign Root CA - G2 has the following distinguished name:
      CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
    • emSign ECC Root CA - G3 has the following distinguished name:
      CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

    Issue: JDK-8319187

  • Four DigiCert root CA certificates
    • DigiCert TLS RSA4096 Root G5 has the following distinguished name:
      CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
    • DigiCert TLS ECC P384 Root G5 has the following distinguished name:
      CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
    • DigiCert CS RSA4096 Root G5 has the following distinguished name:
      CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
    • DigiCert CS ECC P384 Root G5 has the following distinguished name:
      CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US

    Issue: JDK-8318759

  • Let’s Encrypt ISRG Root X2 has the following distinguished name:
    CN=ISRG Root X2, O=Internet Security Research Group, C=US

    Issue: JDK-8317374

  • Telia Root CA v2 has the following distinguished name:
    CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI

    Issue: JDK-8317373

  • Certigna Root CA has the following distinguished name:
    CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR

    Issue: JDK-8314960

Each of these root certificates have also been added to the cacerts keystore in Oracle’s JDK 21.0.2, 17.0.10, 11.0.22, 8u401, and 7u411 releases.

TLS

• Additional system properties to control maximum length of client and server certificate chains

  Additional system properties named jdk.tls.client.maxInboundCertificateChainLength and jdk.tls.server.maxInboundCertificateChainLength have been added to allow users to control the maximum length of TLS server and client certificate chains. These properties provide flexibility by having separate properties for client and server configurations.

  On the client side, a user would set jdk.tls.client.maxInboundCertificateChainLength to an integer value if they want to control the maximum size of a server’s certificate chain, for example:

  ---

  $ java -Djdk.tls.client.maxInboundCertificateChainLength=7 ... <rest of command line>
  

  ---

  On the server side, a user would set jdk.tls.server.maxInboundCertificateChainLength to an integer value if they want to control the maximum size of a client’s certificate chain, for example:

  ---

  $ java -Djdk.tls.server.maxInboundCertificateChainLength=5 ... <rest of command line>
  

  ---

  These properties, if set, override the existing jdk.tls.maxCertificateChainLength system property. If properties are not set, a default of 10 is used for server certificate chains, and 8 for client certificate chains.

  Issue: JDK-8311596

XML Signature

• Support for SHA-3 based RSA signature algorithms

  The JDK XML Signature implementation now supports XML signatures signed with RSA signature algorithms with SHA-3 digests.

  Four new standard SignatureMethod URIs have also been added:

  • SignatureMethod.SHA3_224_RSA_MGF1: the RSA signature algorithm with SHA3-224 and MGF1.
  • SignatureMethod.SHA3_256_RSA_MGF1: the RSA signature algorithm with SHA3-256 and MGF1.
  • SignatureMethod.SHA3_384_RSA_MGF1: the RSA signature algorithm with SHA3-384 and MGF1.
  • SignatureMethod.SHA3_512_RSA_MGF1: the RSA signature algorithm with SHA3-512 and MGF1.

  Issue: JDK-8319124

Tools

• keytool and jarsigner support for the HSS/LMS signature algorithm

  In JDK 21, we added JCE support for the HSS/LMS signature algorithm (see my JDK 21 blog for more details). In this release, we have extended that functionality by also adding HSS/LMS support to the jarsigner and keytool utilities.

  jarsigner now supports signing and verifying JAR files with the HSS/LMS algorithm. keytool now supports generating HSS/LMS public keypairs.

  Note that the JDK only supports HSS/LMS signature verification, so in order to sign JAR files with HSS/LMS, you will need to use a 3rd party provider that supports signing. Similarly, in order to generate key pairs you will also need to use a 3rd party provider that supports generation of HSS/LMS keypairs.

  An example of generating an HSS/LMS keypair with keytool is as follows:

  ---

  $ keytool -genkeypair -alias Duke -dname CN="Duke" -keystore <keystore> -keyalg HSS/LMS \
    -groupname LMS_SHA256_M24_H5,LMOTS_SHA256_N24_W1,LMS_SHA256_M24_H5,LMOTS_SHA256_N24_W1
  

  ---

  This will generate an HSS/LMS keypair with the specified group names. You may also need to specify additional options to specify the third party JCE provider that supports HSS/LMS keypair generation.

  An example of signing a JAR with HSS/LMS with jarsigner is as follows:

  ---

  $ jarsigner -keystore <keystore> -sigalg HSS/LMS <jarfile> Duke
  

  ---

  This will sign a JAR file with the HSS/LMS signature algorithm using the private key stored in the specified keystore with an alias name of “Duke”. You may also need to specify additional options to specify the third party JCE provider that supports HSS/LMS signing. Also, note that it isn’t necessary to specify the -sigalg option as it will by default be determined based on the private key’s algorithm.

  Issue: JDK-8302233

• New security category for the java -XshowSettings option

  The java -XshowSettings option can be used to print useful information about the current JDK configuration, such as system properties, VM settings, and more. In JDK 22, this option has been enhanced to show details about security related settings. The syntax of the new option is as follows:

  • -XshowSetttings:security will show all security settings.
  • -XshowSetttings:security:properties will show the values of security properties.
  • -XshowSetttings:security:providers will show the installed security providers and their supported algorithms.
  • -XshowSetttings:security:tls will show the enabled TLS protocols and cipher suites.

  Here are sample runs showing each of these options:

  ---

  $ java -XshowSettings:security:properties
  Security properties:
      crypto.policy=unlimited
      http.auth.digest.disabledAlgorithms=MD5, SHA-1
      jceks.key.serialFilter=
          java.base/java.lang.Enum;
          java.base/java.security.KeyRep;
          java.base/java.security.KeyRep$Type;
          java.base/javax.crypto.spec.SecretKeySpec;
          !*
      jdk.certpath.disabledAlgorithms=
          MD2,
          MD5,
          SHA1 jdkCA & usage TLSServer,
          RSA keySize < 1024,
          DSA keySize < 1024,
          EC keySize < 224,
          SHA1 usage SignedJAR & denyAfter 2019-01-01
      jdk.io.permissionsUseCanonicalPath=false
      jdk.jar.disabledAlgorithms=
          MD2,
          MD5,
          RSA keySize < 1024,
          DSA keySize < 1024,
          SHA1 denyAfter 2019-01-01
      jdk.sasl.disabledMechanisms=
      jdk.security.caDistrustPolicies=SYMANTEC_TLS
      jdk.security.legacyAlgorithms=
          SHA1,
          RSA keySize < 2048,
          DSA keySize < 2048,
          DES,
          DESede,
          MD5,
          RC2,
          ARCFOUR
      jdk.tls.alpnCharset=ISO_8859_1
      jdk.tls.disabledAlgorithms=
          SSLv3,
          TLSv1,
          TLSv1.1,
          DTLSv1.0,
          RC4,
          DES,
          MD5withRSA,
          DH keySize < 1024,
          EC keySize < 224,
          3DES_EDE_CBC,
          anon,
          NULL,
          ECDH
  <remaining output snipped>
  

    $ java -XshowSettings:security:providers
    Security provider static configuration: (in order of preference)
        ----------------------------------------
        Provider name: SUN
        Provider information: SUN (DSA key/parameter generation; DSA signing;
            SHA-1, MD5 digests; SecureRandom; X.509 certificates; PKCS12, JKS &
            DKS keystores; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP,
            Collection CertStores, JavaPolicy Policy; JavaLoginConfig
            Configuration)
        Provider services: (type : algorithm)
            AlgorithmParameterGenerator.DSA
              aliases: [OID.1.2.840.10040.4.1, 1.3.14.3.2.12, 1.2.840.10040.4.1]
            AlgorithmParameters.DSA
              aliases: [OID.1.2.840.10040.4.1, 1.3.14.3.2.12, 1.2.840.10040.4.1]
            CertPathBuilder.PKIX
            CertPathValidator.PKIX
            CertStore.Collection
            CertStore.com.sun.security.IndexedCollection
            CertificateFactory.X.509
              aliases: [X509]
            Configuration.JavaLoginConfig
            KeyFactory.DSA
              aliases: [1.3.14.3.2.12, 1.2.840.10040.4.1, OID.1.2.840.10040.4.1]
            KeyFactory.HSS/LMS
              aliases: [OID.1.2.840.113549.1.9.16.3.17,
                1.2.840.113549.1.9.16.3.17]
            KeyPairGenerator.DSA
              aliases: [1.2.840.10040.4.1, OID.1.2.840.10040.4.1, 1.3.14.3.2.12]
            KeyStore.CaseExactJKS
            KeyStore.DKS
            KeyStore.JKS
            KeyStore.PKCS12
            MessageDigest.MD2
              aliases: [OID.1.2.840.113549.2.2, 1.2.840.113549.2.2]
            MessageDigest.MD5 
              aliases: [OID.1.2.840.113549.2.5, 1.2.840.113549.2.5]
            MessageDigest.SHA-1
              aliases: [SHA1, SHA, 1.3.14.3.2.26, OID.1.3.14.3.2.26]
            MessageDigest.SHA-224
              aliases: [OID.2.16.840.1.101.3.4.2.4, SHA224,
                2.16.840.1.101.3.4.2.4]
            MessageDigest.SHA-256
              aliases: [SHA256, OID.2.16.840.1.101.3.4.2.1,
                2.16.840.1.101.3.4.2.1]
            MessageDigest.SHA-384
              aliases: [OID.2.16.840.1.101.3.4.2.2, SHA384,
                2.16.840.1.101.3.4.2.2]
            MessageDigest.SHA-512
              aliases: [OID.2.16.840.1.101.3.4.2.3, 2.16.840.1.101.3.4.2.3,
                SHA512]
            MessageDigest.SHA-512/224
              aliases: [SHA512/224, OID.2.16.840.1.101.3.4.2.5,
                2.16.840.1.101.3.4.2.5]
            MessageDigest.SHA-512/256
              aliases: [SHA512/256, OID.2.16.840.1.101.3.4.2.6,
                2.16.840.1.101.3.4.2.6]
            MessageDigest.SHA3-224
              aliases: [OID.2.16.840.1.101.3.4.2.7, 2.16.840.1.101.3.4.2.7]
            MessageDigest.SHA3-256
              aliases: [OID.2.16.840.1.101.3.4.2.8, 2.16.840.1.101.3.4.2.8]
            MessageDigest.SHA3-384
              aliases: [OID.2.16.840.1.101.3.4.2.9, 2.16.840.1.101.3.4.2.9]
            MessageDigest.SHA3-512
              aliases: [2.16.840.1.101.3.4.2.10, OID.2.16.840.1.101.3.4.2.10]
            SecureRandom.DRBG
            SecureRandom.NativePRNG
            SecureRandom.NativePRNGBlocking
            SecureRandom.NativePRNGNonBlocking
            SecureRandom.SHA1PRNG
            Signature.HSS/LMS
              aliases: [1.2.840.113549.1.9.16.3.17,
                OID.1.2.840.113549.1.9.16.3.17]
            Signature.NONEwithDSA
              aliases: [RawDSA]
            Signature.NONEwithDSAinP1363Format
            Signature.SHA1withDSA
              aliases: [DSS, 1.3.14.3.2.13, OID.1.2.840.10040.4.3, SHA1/DSA, DSA,
                SHA-1/DSA, SHAwithDSA, DSAWithSHA1, SHA/DSA, 1.2.840.10040.4.3,
                1.3.14.3.2.27]
            Signature.SHA1withDSAinP1363Format
            Signature.SHA224withDSA
              aliases: [2.16.840.1.101.3.4.3.1, OID.2.16.840.1.101.3.4.3.1]
            Signature.SHA224withDSAinP1363Format
            Signature.SHA256withDSA
              aliases: [2.16.840.1.101.3.4.3.2, OID.2.16.840.1.101.3.4.3.2]
            Signature.SHA256withDSAinP1363Format
            Signature.SHA3-224withDSA
              aliases: [2.16.840.1.101.3.4.3.5, OID.2.16.840.1.101.3.4.3.5]
            Signature.SHA3-224withDSAinP1363Format
            Signature.SHA3-256withDSA
              aliases: [2.16.840.1.101.3.4.3.6, OID.2.16.840.1.101.3.4.3.6]
            Signature.SHA3-256withDSAinP1363Format
            Signature.SHA3-384withDSA
              aliases: [2.16.840.1.101.3.4.3.7, OID.2.16.840.1.101.3.4.3.7]
            Signature.SHA3-384withDSAinP1363Format
            Signature.SHA3-512withDSA
              aliases: [2.16.840.1.101.3.4.3.8, OID.2.16.840.1.101.3.4.3.8]
            Signature.SHA3-512withDSAinP1363Format
            Signature.SHA384withDSA
              aliases: [2.16.840.1.101.3.4.3.3, OID.2.16.840.1.101.3.4.3.3]
            Signature.SHA384withDSAinP1363Format
            Signature.SHA512withDSA
              aliases: [2.16.840.1.101.3.4.3.4, OID.2.16.840.1.101.3.4.3.4]
            Signature.SHA512withDSAinP1363Format
    <remaining output snipped>

---
---
    $ java -XshowSettings:security:tls
    Security TLS configuration (SunJSSE provider):
        Enabled Protocols:
            TLSv1.3
            TLSv1.2

        Enabled Cipher Suites:
            TLS_AES_256_GCM_SHA384
            TLS_AES_128_GCM_SHA256
            TLS_CHACHA20_POLY1305_SHA256
            TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
            TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
            TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
            TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
            TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
            TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
            TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
            TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
            TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
            TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
            TLS_DHE_RSA_WITH_AES_256_CBC_SHA
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA
            TLS_RSA_WITH_AES_256_GCM_SHA384
            TLS_RSA_WITH_AES_128_GCM_SHA256
            TLS_RSA_WITH_AES_256_CBC_SHA256
            TLS_RSA_WITH_AES_128_CBC_SHA256
            TLS_RSA_WITH_AES_256_CBC_SHA
            TLS_RSA_WITH_AES_128_CBC_SHA
            TLS_EMPTY_RENEGOTIATION_INFO_SCSV

--- 

Issue: [JDK-8281658](https://bugs.openjdk.org/browse/JDK-8281658)