RFR: 8360564: Implement JEP 524: PEM Encodings of Cryptographic Objects (Second Preview) [v6]

Sean Mullan mullan at openjdk.org
Wed Oct 15 15:14:13 UTC 2025 

On Mon, 13 Oct 2025 17:22:25 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:

>> Hi
>> 
>> Please review the [Second Preview](https://openjdk.org/jeps/8360563) for the PEM API.  The most significant changes from [JEP 470](https://openjdk.org/jeps/470) are:
>> 
>> - Renamed the name of `PEMRecord` class to `PEM`.
>> - Revised the new `encryptKey` methods of the `EncryptedPrivateKeyInfo` class to accept `DEREncodable` objects rather than just `PrivateKey` objects so that cryptographic objects with public keys, i.e., `KeyPair` and `PKCS8EncodedKeySpec`, can also be encrypted.
>> - Enhanced the `PEMEncoder` and `PEMDecoder` classes to support the encryption and decryption of `KeyPair` and `PKCS8EncodedKeySpec` objects.
>> 
>> thanks
>> 
>> Tony
>
> Anthony Scarpino has updated the pull request incrementally with one additional commit since the last revision:
> 
>   updates

src/java.base/share/classes/javax/crypto/EncryptedPrivateKeyInfo.java line 343:

> 341:      * @param password the password used for PBE encryption. This array is cloned
> 342:      *                 before use.
> 343:      * @param algorithm the PBE encryption algorithm. If {@code null}, the default

I think I commented on this before, but I think null should not be allowed. This method should only be used when you want to specify your own algorithm.

src/java.base/share/classes/javax/crypto/EncryptedPrivateKeyInfo.java line 519:

> 517:      * @throws InvalidKeyException if the encoded data does not contain both a
> 518:      * public and private key, or if an error occurs during parsing, decryption,
> 519:      * or key generation

Missing an `@since 25`.

src/java.base/share/classes/javax/crypto/EncryptedPrivateKeyInfo.java line 595:

> 593:      * @throws InvalidKeyException if the encoded data lacks a public key or an
> 594:      *         error occurs during parsing, decryption, or key generation
> 595:      *

GeneralSecurityException shows up in the javadoc with no detail.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2432945751
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2432825205
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2432962291

More information about the security-dev mailing list