RFR: 8360564: Implement JEP 524: PEM Encodings of Cryptographic Objects (Second Preview) [v7]

Sean Mullan mullan at openjdk.org
Wed Oct 22 18:29:50 UTC 2025 

On Mon, 20 Oct 2025 22:19:41 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:

>> Hi
>> 
>> Please review the [Second Preview](https://openjdk.org/jeps/8360563) for the PEM API.  The most significant changes from [JEP 470](https://openjdk.org/jeps/470) are:
>> 
>> - Renamed the name of `PEMRecord` class to `PEM`.
>> - Revised the new `encryptKey` methods of the `EncryptedPrivateKeyInfo` class to accept `DEREncodable` objects rather than just `PrivateKey` objects so that cryptographic objects with public keys, i.e., `KeyPair` and `PKCS8EncodedKeySpec`, can also be encrypted.
>> - Enhanced the `PEMEncoder` and `PEMDecoder` classes to support the encryption and decryption of `KeyPair` and `PKCS8EncodedKeySpec` objects.
>> 
>> thanks
>> 
>> Tony
>
> Anthony Scarpino has updated the pull request incrementally with two additional commits since the last revision:
> 
>  - fix non-pbe
>  - doc updates, zeroing, fix unencrypted keypair encoding, exception mods

src/java.base/share/classes/java/security/PEM.java line 1:

> 1: /*

In the javadoc, I notice the `equals` and `hashCode` methods are marked final (which is done by the compiler I guess), but the other methods are not. Since records are always final, maybe it would be clearer to mark the other methods as `final` too.

src/java.base/share/classes/java/security/PEMDecoder.java line 298:

> 296:      * @param str a String containing PEM data
> 297:      * @return a {@code DEREncodable}
> 298:      * @throws IllegalArgumentException on error in decoding or no PEM data found

It looks like this method will throw `EOFException` and not `IllegalArgumentException` if there is no PEM data because it calls decode with a `ByteArrayInputStream` so uses that method which throws an `EOFException`.

Same comment for method that takes a `Class` argument.

src/java.base/share/classes/java/security/PEMEncoder.java line 284:

> 282:      *                 stored in the new instance.
> 283:      * @return a new {@code PEMEncoder} instance configured for encryption
> 284:      * @throws NullPointerException when password is {@code null}

s/when/if/

src/java.base/share/classes/java/security/PEMEncoder.java line 285:

> 283:      * @return a new {@code PEMEncoder} instance configured for encryption
> 284:      * @throws NullPointerException when password is {@code null}
> 285:      * @throws ProviderException if generating the encryption key fails.

No period needed at end.

src/java.base/share/classes/java/security/PEMEncoder.java line 285:

> 283:      * @return a new {@code PEMEncoder} instance configured for encryption
> 284:      * @throws NullPointerException when password is {@code null}
> 285:      * @throws ProviderException if generating the encryption key fails.

This actually throws an `IllegalArgumentException` if the key derivation fails.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2452395054
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2452972189
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2452790848
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2452794999
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2452948135

More information about the security-dev mailing list