RFR: 8360564: Implement JEP 524: PEM Encodings of Cryptographic Objects (Second Preview) [v4]

Weijun Wang weijun at openjdk.org
Fri Oct 3 16:03:47 UTC 2025 

On Thu, 25 Sep 2025 23:03:11 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:

>> Hi
>> 
>> Please review the [Second Preview](https://openjdk.org/jeps/8360563) for the PEM API.  The most significant changes from [JEP 470](https://openjdk.org/jeps/470) are:
>> 
>> - Renamed the name of `PEMRecord` class to `PEM`.
>> - Revised the new `encryptKey` methods of the `EncryptedPrivateKeyInfo` class to accept `DEREncodable` objects rather than just `PrivateKey` objects so that cryptographic objects with public keys, i.e., `KeyPair` and `PKCS8EncodedKeySpec`, can also be encrypted.
>> - Enhanced the `PEMEncoder` and `PEMDecoder` classes to support the encryption and decryption of `KeyPair` and `PKCS8EncodedKeySpec` objects.
>> 
>> thanks
>> 
>> Tony
>
> Anthony Scarpino has updated the pull request incrementally with one additional commit since the last revision:
> 
>   missed some decoder comments

src/java.base/share/classes/javax/crypto/EncryptedPrivateKeyInfo.java line 1:

> 1: /*

Since you added `getKey` and `getKeyPair` with a password argument, can we also add a `getKeySpec` with the same argument to be consistent?

Also, if you add this method, can it be used instead of `Pem.decryptEncoding`? That method is called inside EPKI and it creates another EPKI which looks wasteful and dangerously recursive.

src/java.base/share/classes/sun/security/ec/ECPrivateKeyImpl.java line 252:

> 250:                 int version = seq.data.getInteger();
> 251:                 if (version == 1) { // EC
> 252:                     byte[] oct = seq.data.getOctetString();  // private key

If you call `seq.data.getDerValue()` then the return value uses the original array with an offset and a length. So there is no need to call `Arrays.fill` next.

src/java.base/share/classes/sun/security/util/Pem.java line 376:

> 374:             SharedSecrets.getJavaSecuritySpecAccess().
> 375:                 clearEncodedKeySpec(p8KeySpec);
> 376:             keySpec.clearPassword();

Why are the lines above indented? Were you trying to add a try-finally here?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2402364435
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2402215329
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2402261371

More information about the security-dev mailing list