RFR: 8298420: PEM API: Implementation (Preview) [v9]

Jamil Nimeh jnimeh at openjdk.org
Thu Oct 31 15:26:36 UTC 2024


On Mon, 21 Oct 2024 19:52:36 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:

>> Hi all,
>> 
>> I need a code review of the PEM API.  Privacy-Enhanced Mail (PEM) is a format for encoding and decoding cryptographic keys and certificates.  It will be integrated into JDK24 as a Preview Feature.  Preview features do not permanently define the API, and it is subject to change in future releases until it is finalized.
>> 
>> Details about this change can be seen at [PEM API JEP](https://bugs.openjdk.org/browse/JDK-8300911).
>> 
>> Thanks
>> 
>> Tony
>
> Anthony Scarpino has updated the pull request incrementally with one additional commit since the last revision:
> 
>   apparently <p> can't be before a @implNote.. Who knew.

src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java line 143:

> 141: 
> 142:             // OPTIONAL Context tag 0 for Attributes for PKCS8 v1 & v2
> 143:             // Uses 0xA0 constructed define-length or 0x80 constructed

Minor nit: 0xA0 = context-specific/constructed, 0x80 = context-specific/primitive.  Definite length vs. indefinite length is not defined by the tag itself.

src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java line 312:

> 310:         }
> 311: 
> 312:         if (pubKeyEncoded != null) {

Looking back at an earlier conversation between you and Weijun, I think I read that pubKeyEncoded will be set/overwritten if the private key encoding holds a public key.  So when consuming a PKCS#8 EC key, where the private key is itself a SEC1-v2 formatted key encoding with a pubkey, wouldn't the version be set to 0 (v1), but the pubKeyEncoded is also non-null?
I ask only because upon running this method, wouldn't you end up making the output a v2 OneAsymmetricKey, still with the SEC1-v2 private key (with pub key) and also have it in the public key section?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/17543#discussion_r1824626791
PR Review Comment: https://git.openjdk.org/jdk/pull/17543#discussion_r1824667941
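The tag-semantics point raised in the first review comment, shown as an added example (not code from the PR or from the JDK): a small BER/DER header decoder that reports the tag class, the constructed bit and the tag number from the identifier octet, and reads definite vs. indefinite form from the length octets that follow, so 0xA0 (context-specific, constructed) and 0x80 (context-specific, primitive) are distinguished by the tag while the length form is not. The sample byte strings are constructed for the demonstration and are not taken from any real key encoding.

```python
# Added example, not part of the PR under review: decode one BER/DER
# tag + length header to separate "constructed vs. primitive" (in the tag)
# from "definite vs. indefinite length" (in the length octets).

CLASS_NAMES = {0: "universal", 1: "application", 2: "context-specific", 3: "private"}


def decode_tlv_header(data: bytes, offset: int = 0) -> dict:
    """Decode the identifier and length octets starting at data[offset].

    Returns the tag class, whether the element is constructed, the tag number,
    the length form, the content length (None when indefinite) and the offset
    at which the content octets begin.
    """
    first = data[offset]
    tag_class = CLASS_NAMES[first >> 6]     # bits 8-7: class
    constructed = bool(first & 0x20)        # bit 6: constructed (0x20)
    number = first & 0x1F                   # bits 5-1: tag number
    pos = offset + 1
    if number == 0x1F:                      # high-tag-number form: base-128 octets follow
        number = 0
        while True:
            b = data[pos]
            pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length_octet = data[pos]
    pos += 1
    if length_octet < 0x80:                 # short definite form
        form, length = "definite", length_octet
    elif length_octet == 0x80:              # indefinite form (BER only, never valid DER)
        form, length = "indefinite", None
    else:                                   # long definite form: low 7 bits = octet count
        n = length_octet & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
        form = "definite"
    return {"class": tag_class, "constructed": constructed, "number": number,
            "length_form": form, "length": length, "content_offset": pos}


# Constructed sample headers (assumed for illustration, not real key material).
SAMPLES = {
    "0xA0 definite": bytes([0xA0, 0x03, 0x04, 0x01, 0xFF]),
    "0x80 definite": bytes([0x80, 0x02, 0xCA, 0xFE]),
    "0xA0 indefinite": bytes([0xA0, 0x80, 0x04, 0x01, 0xFF, 0x00, 0x00]),
    "0x30 long-form": bytes([0x30, 0x82, 0x01, 0x00]),
}
```

Running `decode_tlv_header` over each entry of `SAMPLES` shows both 0xA0 headers reported as constructed regardless of their length form, and the 0x80 header as primitive.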