RFR: 8360564: Implement JEP 524: PEM Encodings of Cryptographic Objects (Second Preview) [v7]

[Sean Mullan]

On Mon, 20 Oct 2025 22:19:41 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:

>> Hi
>> 
>> Please review the [Second Preview](https://openjdk.org/jeps/8360563) for the PEM API.  The most significant changes from [JEP 470](https://openjdk.org/jeps/470) are:
>> 
>> - Renamed the name of `PEMRecord` class to `PEM`.
>> - Revised the new `encryptKey` methods of the `EncryptedPrivateKeyInfo` class to accept `DEREncodable` objects rather than just `PrivateKey` objects so that cryptographic objects with public keys, i.e., `KeyPair` and `PKCS8EncodedKeySpec`, can also be encrypted.
>> - Enhanced the `PEMEncoder` and `PEMDecoder` classes to support the encryption and decryption of `KeyPair` and `PKCS8EncodedKeySpec` objects.
>> 
>> thanks
>> 
>> Tony
>
> Anthony Scarpino has updated the pull request incrementally with two additional commits since the last revision:
> 
>  - fix non-pbe
>  - doc updates, zeroing, fix unencrypted keypair encoding, exception mods

src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java line 315:

> 313:         }
> 314:         byte[] result = pkcs8Key.generateEncoding().clone();
> 315:         pkcs8Key.clear();

Put this in a finally block so it gets cleared even if `generateEncoding` throws an exception. You should also clear the return value of `generateEncoding` (before you clone it). Although I don't think you need the clone, since `generateEncoding` returns a new array each time.

test/jdk/java/security/PEM/PEMData.java line 51:

> 49:         """, KeyPair.class, "SunEC");
> 50: 
> 51:     public static final Entry ecsecp256dom0 = new Entry("ecsecp256dom0",

What does dom0 mean? Can you add a comment as to what is in this PEM?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2448706515
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2448608408