RFR: 8298420: PEM API: Implementation (Preview) [v14]

Weijun Wang weijun at openjdk.org
Mon Apr 28 17:21:04 UTC 2025


On Sun, 27 Apr 2025 18:36:28 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:

>> src/java.base/share/classes/java/security/PEMDecoder.java line 60:
>> 
>>> 58:  * A specified return class must implement {@link DEREncodable} and be an
>>> 59:  * appropriate JCE object class for the PEM; otherwise an
>>> 60:  * {@link IllegalArgumentException} is thrown.
>> 
>> Do we need to document somewhere what "appropriate" JCE classes are for each PEM type?
>
> I view this as an advanced feature for experienced users. The list is large and algorithm-dependent. For example, an EC private key PEM could be PrivateKey.class, ECPrivateKey.class, PEMRecord.class, PKCS8EncodedKeySpec.class. I don't think it's realistic to list everything.

I see. Maybe at least point out `PEMRecord` is always a valid option? This gives people a chance to read arbitrary (even invalid) PEMs.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/17543#discussion_r2064134853

