RFR: 8360564: Implement JEP 524: PEM Encodings of Cryptographic Objects (Second Preview) [v8]
Weijun Wang
weijun at openjdk.org
Thu Oct 23 20:47:53 UTC 2025
On Thu, 23 Oct 2025 04:14:26 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:
>> Hi
>>
>> Please review the [Second Preview](https://openjdk.org/jeps/8360563) for the PEM API. The most significant changes from [JEP 470](https://openjdk.org/jeps/470) are:
>>
>> - Renamed the name of `PEMRecord` class to `PEM`.
>> - Revised the new `encryptKey` methods of the `EncryptedPrivateKeyInfo` class to accept `DEREncodable` objects rather than just `PrivateKey` objects so that cryptographic objects with public keys, i.e., `KeyPair` and `PKCS8EncodedKeySpec`, can also be encrypted.
>> - Enhanced the `PEMEncoder` and `PEMDecoder` classes to support the encryption and decryption of `KeyPair` and `PKCS8EncodedKeySpec` objects.
>>
>> thanks
>>
>> Tony
>
> Anthony Scarpino has updated the pull request incrementally with one additional commit since the last revision:
>
> more doc updates and zeroing
Very minor comments.
src/java.base/share/classes/java/security/PEMDecoder.java line 117:
> 115: * If an encrypted private key PEM is processed by a decoder not configured
> 116: * for decryption, an {@link EncryptedPrivateKeyInfo} object is returned.
> 117: * A PEMDecoder configured for decryption will decode unencrypted PEM.
Put `PEMDecoder` in `{@code}`.
src/java.base/share/classes/java/security/PEMDecoder.java line 134:
> 132: * }
> 133: *
> 134: * @implNote This implementation decodes {@code RSA PRIVATE KEY} as {@code PRIVATE KEY},
Shall we say "decodes as" or "treat the same as"? You decode "RSA PRIVATE KEY" to `PrivateKey` and not "PRIVATE KEY".
src/java.base/share/classes/java/security/PEMDecoder.java line 296:
> 294: * {@link java.nio.charset.StandardCharsets#UTF_8 UTF-8}.
> 295: *
> 296: * @param str a String containing PEM data
`string`, or `{@code String}`. Same for `decode(String, tClass)`.
src/java.base/share/classes/java/security/PEMDecoder.java line 331:
> 329: * <p> If no PEM data is found, an {@code EOFException} is thrown.
> 330: *
> 331: * @param is InputStream containing PEM data
`{@code InputStream}`. Same for the other method.
src/java.base/share/classes/java/security/PEMDecoder.java line 364:
> 362: * {@link java.nio.charset.StandardCharsets#UTF_8 UTF-8}.
> 363: *
> 364: * @param <S> Class type parameter that extends {@code DEREncodable}
Maybe `class`? Same with the other method.
src/java.base/share/classes/java/security/PEMDecoder.java line 513:
> 511: *
> 512: * @param provider the factory provider
> 513: * @return a new PEMDecoder instance configured with the {@code Provider}
`{@code PEMDecoder}`. Same with `withDecryption`.
src/java.base/share/classes/java/security/PEMEncoder.java line 53:
> 51: * <p> Encoding can be performed on cryptographic objects that
> 52: * implement {@link DEREncodable}. The {@link #encode(DEREncodable)}
> 53: * and {@link #encodeToString(DEREncodable)} methods encode a DEREncodable
`DEREncodable` should be in `{@code}`.
src/java.base/share/classes/java/security/PEMEncoder.java line 54:
> 52: * implement {@link DEREncodable}. The {@link #encode(DEREncodable)}
> 53: * and {@link #encodeToString(DEREncodable)} methods encode a DEREncodable
> 54: * into PEM and return the data in a byte array or String.
If `String`, put in `{@code}`; or, `string`.
-------------
PR Review: https://git.openjdk.org/jdk/pull/27147#pullrequestreview-3372477930
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2457223956
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2457229113
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2457235405
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2457250468
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2457257641
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2457263167
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2457168711
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2457172299
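
The decoder behaviour described in the quoted `PEMDecoder` javadoc (lines 115-117 above), as an added example that is not part of the original message or of the JDK sources. It assumes a JDK that ships the preview PEM API and is run with `--enable-preview`; the class name and the password are constructed for illustration.

```java
import java.security.DEREncodable;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PEMDecoder;
import java.security.PEMEncoder;
import java.security.PrivateKey;
import java.util.Arrays;
import javax.crypto.EncryptedPrivateKeyInfo;

// Hypothetical demo class; compile and run with --enable-preview.
public class PemDecryptionDemo {
    public static void main(String[] args) throws Exception {
        char[] password = "constructed-demo-password".toCharArray();
        try {
            PrivateKey key = KeyPairGenerator.getInstance("EC")
                    .generateKeyPair().getPrivate();

            // One unencrypted and one password-encrypted PEM of the same key.
            String plainPem = PEMEncoder.of().encodeToString(key);
            String encPem = PEMEncoder.of().withEncryption(password)
                    .encodeToString(key);

            // A decoder not configured for decryption does not fail on the
            // encrypted PEM: it returns an EncryptedPrivateKeyInfo, so the
            // caller has to check the returned type before using it.
            DEREncodable raw = PEMDecoder.of().decode(encPem);
            if (!(raw instanceof EncryptedPrivateKeyInfo)) {
                throw new AssertionError("expected EncryptedPrivateKeyInfo, got "
                        + raw.getClass().getName());
            }

            // A decoder configured for decryption handles both the encrypted
            // and the unencrypted PEM.
            PEMDecoder decrypting = PEMDecoder.of().withDecryption(password);
            PrivateKey fromEnc = decrypting.decode(encPem, PrivateKey.class);
            PrivateKey fromPlain = decrypting.decode(plainPem, PrivateKey.class);

            byte[] expected = key.getEncoded();
            if (!MessageDigest.isEqual(expected, fromEnc.getEncoded())
                    || !MessageDigest.isEqual(expected, fromPlain.getEncoded())) {
                throw new AssertionError("decoded key differs from the original");
            }
            System.out.println("undecrypted type: " + raw.getClass().getSimpleName());
        } finally {
            Arrays.fill(password, '\0'); // clear the password copy held here
        }
    }
}
```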