Update to JEP draft: Key Encapsulation Mechanism API

Wei-Jun Wang weijun.wang at oracle.com
Fri Mar 24 18:32:24 UTC 2023

Hi All,

The JEP draft was just updated again.

The KEMParameterSpec argument is moved from getInstance() to newEncapsulator() and newDecapsulator(). The reason is that when delayed provider selection happens, a KEMSpi object is only created when newEncapsulator/newDecapsulator is called. If the parameter is rejected then some kind of exception should be thrown. It looks a little strange for newEncapsulator/newDecapsulator to throw an InvalidAlgorithmParameterException since their only argument is a key. A user might also question why the exception was not thrown when getInstance() was called.

Furthermore, since the only bonus a KEMParameterSpec provides is a SecureRandom and it's useless for a decapsulator, we decided to remove the KEMParameterSpec class. Users can now provide a SecureRandom and an AlgorithmParameterSpec separately when creating an encapsulator, and only an AlgorithmParameterSpec when creating a decapsulator.

    public Encapsulator newEncapsulator(PublicKey pk, AlgorithmParameterSpec spec, SecureRandom sr)
            throws InvalidAlgorithmParameterException, InvalidKeyException;

    public Decapsulator newDecapsulator(PrivateKey sk, AlgorithmParameterSpec spec)
            throws InvalidAlgorithmParameterException, InvalidKeyException;

Please take a look. The updated JEP is still at https://openjdk.org/jeps/8301034.
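
The following is an added example, not part of the original message or the JEP text. It exercises the two signatures above end to end and shows where a rejected parameter spec surfaces. It assumes the `javax.crypto.KEM` class and built-in "DHKEM" algorithm as shipped in JDK 21 match the draft signatures quoted here; the class name `KemSpecDemo` is hypothetical.

```java
import javax.crypto.KEM;
import javax.crypto.SecretKey;
import java.security.*;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.NamedParameterSpec;

public class KemSpecDemo {
    public static void main(String[] args) throws GeneralSecurityException {
        // Receiver's key pair (X25519 is one key type the JDK's DHKEM accepts).
        KeyPair kp = KeyPairGenerator.getInstance("X25519").generateKeyPair();

        // No parameters at getInstance(): with delayed provider selection no
        // KEMSpi exists yet, so nothing could validate them at this point.
        KEM kem = KEM.getInstance("DHKEM");

        // Sender: key, spec and SecureRandom are passed separately.
        // A null spec asks for provider defaults; randomness is sender-side only.
        KEM.Encapsulator enc =
                kem.newEncapsulator(kp.getPublic(), null, new SecureRandom());
        KEM.Encapsulated out = enc.encapsulate();
        byte[] wire = out.encapsulation();    // sent to the receiver
        SecretKey senderSecret = out.key();   // kept by the sender

        // Receiver: key and spec only, no SecureRandom argument.
        KEM.Decapsulator dec = kem.newDecapsulator(kp.getPrivate(), null);
        SecretKey receiverSecret = dec.decapsulate(wire);

        // Constant-time comparison of the two derived secrets.
        if (!MessageDigest.isEqual(senderSecret.getEncoded(),
                                   receiverSecret.getEncoded())) {
            throw new IllegalStateException("shared secrets differ");
        }
        System.out.println("shared secret agreed");

        // A spec the provider does not accept is reported by the call that
        // supplies it. Assumption: the JDK's DHKEM defines no parameters, so
        // any non-null spec is expected to be rejected here.
        AlgorithmParameterSpec unexpected = NamedParameterSpec.X25519;
        try {
            kem.newEncapsulator(kp.getPublic(), unexpected, new SecureRandom());
            System.out.println("spec accepted by provider");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("spec rejected at newEncapsulator(): "
                    + e.getMessage());
        }
    }
}
```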

