JEP 470: PEM Encodings of Cryptographic Objects (Preview) has been targeted to JDK 25 - https://openjdk.org/jeps/470
This is a Preview API, so we have time to make changes. Let us know if the API is easy to use and satisfies your use cases.
Sean Mullan
Java Security Tech Lead at Oracle. Lead of OpenJDK Security Group. Views are my own. He/Him.
JEP: 510: Key Derivation Function API has been targeted to JDK 25 - https://openjdk.org/jeps/510
This was a Preview API in JDK 24, and JDK 25 will contain the final, or permanent version of the API.
PEM Encodings of Cryptographic Objects (Preview) is now a Candidate JEP - https://openjdk.org/jeps/470
This is a new API for encoding and decoding Java objects to and from the PEM format.
JEP: 510: Key Derivation Function API is now a Candidate - https://openjdk.org/jeps/510
This was a Preview API in JDK 24, and we are now proposing to finalize the API.
JDK 24 Security Enhancements: https://seanjmullan.org/blog/2025/04/07/jdk24
Highlights of this release include 2 new core quantum-resistant cryptographic algorithms (ML-KEM and ML-DSA), a preview API for Key Derivation Functions, and the permanent disabling of the Security Manager.
#JavaOne is 5 days away! Don’t miss out on attending the conference that started it all! Network with #Java experts from #Oracle and the community. Register now: https://javaone.com
Sean Mullan boosted:
Targeted to JDK 24: JEP 496: Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism: https://openjdk.org/jeps/496 #jdk24 #openjdk #java
Sean Mullan boosted:
Targeted to JDK 24: JEP 497: Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm: https://openjdk.org/jeps/497 #jdk24 #openjdk #java
New Candidate JEPs for adding Quantum-Resistant Cryptographic Algorithms to the Java Platform:
- ML-KEM: https://openjdk.org/jeps/496
- ML-DSA: https://openjdk.org/jeps/497
Sean Mullan boosted:
Proposed to target JDK 24: JEP 486: Permanently Disable the Security Manager: https://openjdk.org/jeps/486 #jdk24 #openjdk #java
JEP 478 (Key Derivation Function API) has been targeted to JDK 24, the next release of the JDK. This is a new cryptographic API for deriving keys. The JEP also includes an implementation of HKDF (RFC 5869). This API will be important for future PQC work such as HPKE (RFC 9180) and stronger password hashing algorithms such as Argon2.
Sean Mullan boosted:
Proposed to target JDK 24: JEP 478: Key Derivation Function API (Preview): https://openjdk.org/jeps/478 #jdk24 #openjdk #java
@stuartmarks Haha, I’m originally from NY, lived in Queens for a few years where I became a Mets fan for life! I like the Sox though and especially when they play the Yankees 😁
It isn’t as simple as it appears. Just a few issues: Mozilla doesn’t care about code signing certificates. The Java Platform does. CAs are starting to establish separate roots for different purposes, i.e. one for TLS, one for code signing. Mozilla implements some policies in NSS, like distrusting after a certain date, etc.
@bondolo If you set it on the command line, the default TrustManager will use it, see https://docs.oracle.com/en/java/javase/23/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-7D9F43B8-AABF-4C5B-93E6-3AFB18B66150
The JDK includes its own root certs (in the cacerts keystore) so that is the default as it provides consistent behavior on all JDK supported platforms. The JDK includes most common CAs, so typically that should be sufficient for most servers, this is more if you want to be more closely tied to what MacOS uses or perhaps additional roots you may have imported into your keychain.
Client Info
Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst