RFR: 8360564: Implement JEP 524: PEM Encodings of Cryptographic Objects (Second Preview) [v6]

[Sean Mullan]

On Mon, 13 Oct 2025 17:22:25 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:

>> Hi
>> 
>> Please review the [Second Preview](https://openjdk.org/jeps/8360563) for the PEM API.  The most significant changes from [JEP 470](https://openjdk.org/jeps/470) are:
>> 
>> - Renamed the name of `PEMRecord` class to `PEM`.
>> - Revised the new `encryptKey` methods of the `EncryptedPrivateKeyInfo` class to accept `DEREncodable` objects rather than just `PrivateKey` objects so that cryptographic objects with public keys, i.e., `KeyPair` and `PKCS8EncodedKeySpec`, can also be encrypted.
>> - Enhanced the `PEMEncoder` and `PEMDecoder` classes to support the encryption and decryption of `KeyPair` and `PKCS8EncodedKeySpec` objects.
>> 
>> thanks
>> 
>> Tony
>
> Anthony Scarpino has updated the pull request incrementally with one additional commit since the last revision:
> 
>   updates

src/java.base/share/classes/java/security/PEMEncoder.java line 77:

> 75:  *
> 76:  * <p> The following lists the supported {@code DEREncodable} classes and
> 77:  * the PEM types they encoded as:

s/encoded/encode/

src/java.base/share/classes/java/security/PEMEncoder.java line 89:

> 87:  *  <li>{@code KeyPair} : PRIVATE KEY</li>
> 88:  *  <li>{@code KeyPair} :
> 89:  *  ENCRYPTED PRIVATE KEY if configured with encryption)</li>

s/if/(if/

src/java.base/share/classes/java/security/PEMEncoder.java line 326:

> 324:             if (privateEncoding == null) {
> 325:                 throw new IllegalArgumentException("This DEREncodable cannot " +
> 326:                     "be encrypted.");

It seems you could move this check earlier when you check if `keyspec` is not null.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2430223693
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2430224875
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2430313564