RFR: 8298420: Implement JEP 470: PEM Encodings of Cryptographic Objects (Preview) [v22]

Krushna948 duke at openjdk.org
Wed May 28 03:18:12 UTC 2025 

On Fri, 16 May 2025 08:34:46 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:

>> Hi all,
>> 
>> I need a code review of the PEM API.  Privacy-Enhanced Mail (PEM) is a format for encoding and decoding cryptographic keys and certificates.  It will be integrated into JDK25 as a Preview Feature.  Preview features does not permanently define the API and it is subject to change in future releases until it is finalized.
>> 
>> Details about this change can be seen at [PEM API JEP](https://bugs.openjdk.org/browse/JDK-8300911).
>> 
>> Thanks
>> 
>> Tony
>
> Anthony Scarpino has updated the pull request incrementally with three additional commits since the last revision:
> 
>  - comments
>  - comments
>  - fix EKS error after JEP 513

src/java.base/share/classes/java/security/PEMDecoder.java line 90:

> 88:  * decoded into a {@code PEMRecord} by specifying {@code PEMRecord.class}.
> 89:  * If the Class parameter doesn't match the PEM content, an
> 90:  * {@code IllegalArgumentException} will be thrown.

Looks a Typo, it supposed to be ClassCastException?

src/java.base/share/classes/java/security/PEMDecoder.java line 485:

> 483:      * Any errors using the {@code Provider} will occur during decoding.
> 484:      *
> 485:      * <p>If {@code provider} is {@code null}, a new instance is returned with

May this needs to be updated as below @throws NullPointerException if {@code provider} is null

src/java.base/share/classes/java/security/PEMRecord.java line 56:

> 54:  * @param type the type identifier in the PEM header without PEM syntax labels.
> 55:  *           For a public key, {@code type} would be "PUBLIC KEY".
> 56:  * @param pem any data between the PEM header and footer.

Here 'pem' - any data between the PEM header and footer.
But the constructor description below for both the constructors 
"pem the Base64-encoded data encapsulated by the PEM header and  footer"

Observation
If I pass the data between PEM header and  footer, the PEMRecord created successfully.
If I include Header and Footer
For eg  as pem string,

"-----BEGIN PUBLIC KEY-----\n" +
            "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGRGrflwdiorIrC02pmr0jAKXI\n" +
            "qxbBHxMUslLg8bjJiJCbanW7g7j7fR3RwGVU0cWh8rsQ/y4U7Yy0gBAsWCrr/TDS\n" +
            "Xf3RWiZbQiQo6brZFiFZ5WgWgTpuzxDKpzLjyXCe17FXgbgEYscRPB/Rff6q2OS4\n" +
            "H6stY3fHctzmU1HmUQIDAQAB\n" +
            "-----END PUBLIC KEY-----";

PEMRecord creation throws java.lang.IllegalArgumentException: Illegal footer: 

Looks some inconsistency in documentation/ behavior

src/java.base/share/classes/java/security/PEMRecord.java line 111:

> 109:      * {@code null}.
> 110:      */
> 111:     public PEMRecord(String type, String pem) {

Observed that PEMRecord.pem returns a string with out Header and footer and removing all the new line characters from input, do we need to specify that the result string filters out the new line characters?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/17543#discussion_r2102389129
PR Review Comment: https://git.openjdk.org/jdk/pull/17543#discussion_r2102480589
PR Review Comment: https://git.openjdk.org/jdk/pull/17543#discussion_r2099618942
PR Review Comment: https://git.openjdk.org/jdk/pull/17543#discussion_r2099642178

More information about the security-dev mailing list