RFR: 8360564: Implement JEP 524: PEM Encodings of Cryptographic Objects (Second Preview) [v11]
Weijun Wang
weijun at openjdk.org
Mon Oct 27 13:57:50 UTC 2025
On Fri, 24 Oct 2025 19:06:33 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:
>> Hi
>>
>> Please review the [Second Preview](https://openjdk.org/jeps/8360563) for the PEM API. The most significant changes from [JEP 470](https://openjdk.org/jeps/470) are:
>>
>> - Renamed the `PEMRecord` class to `PEM`.
>> - Revised the new `encryptKey` methods of the `EncryptedPrivateKeyInfo` class to accept `DEREncodable` objects rather than just `PrivateKey` objects so that cryptographic objects with public keys, i.e., `KeyPair` and `PKCS8EncodedKeySpec`, can also be encrypted.
>> - Enhanced the `PEMEncoder` and `PEMDecoder` classes to support the encryption and decryption of `KeyPair` and `PKCS8EncodedKeySpec` objects.
>>
>> thanks
>>
>> Tony
>
> Anthony Scarpino has updated the pull request incrementally with one additional commit since the last revision:
>
> more docs, remove runtimeexception
Some tiny comments.
src/java.base/share/classes/java/security/PEMDecoder.java line 334:
> 332: * @return a {@code DEREncodable}
> 333: * @throws IOException on IO or PEM syntax error where the
> 334: * {@code InputStream} did not complete decoding.
Period at end.
src/java.base/share/classes/java/security/PEMDecoder.java line 403:
> 401: * <p> If no PEM data is found, an {@code EOFException} is thrown.
> 402: *
> 403: * @param <S> class type parameter that extends {@code DEREncodable}.
Period at end.
src/java.base/share/classes/java/security/PEMDecoder.java line 406:
> 404: * @param is an {@code InputStream} containing PEM data
> 405: * @param tClass the returned object class that extends or implements
> 406: * {@code DEREncodable}.
Period at end.
src/java.base/share/classes/java/security/PEMDecoder.java line 409:
> 407: * @return a {@code DEREncodable} typecast to {@code tClass}
> 408: * @throws IOException on IO or PEM syntax error where the
> 409: * {@code InputStream} did not complete decoding.
Period at end.
src/java.base/share/classes/javax/crypto/EncryptedPrivateKeyInfo.java line 353:
> 351: * @param password the password used for PBE encryption. This array is cloned
> 352: * before use.
> 353: * @param algorithm the PBE encryption algorithm.
Period at end.
src/java.base/share/classes/javax/crypto/EncryptedPrivateKeyInfo.java line 358:
> 356: * @param provider the {@code Provider} for {@code SecretKeyFactory} and
> 357: * {@code Cipher} operations. If {@code null}, provider
> 358: * defaults are used
No period at end.
src/java.base/share/classes/javax/crypto/EncryptedPrivateKeyInfo.java line 428:
> 426: * @param de the {@code DEREncodable} to encrypt. Supported types include
> 427: * {@code PrivateKey}, {@code KeyPair}, and {@code PKCS8EncodedKeySpec}.
> 428: * @param encryptKey the key used to encrypt the encoding.
Period at end.
src/java.base/share/classes/javax/crypto/EncryptedPrivateKeyInfo.java line 430:
> 428: * @param encryptKey the key used to encrypt the encoding.
> 429: * @param algorithm the encryption algorithm, such as a password-based
> 430: * encryption (PBE) algorithm.
Period at end.
src/java.base/share/classes/javax/crypto/EncryptedPrivateKeyInfo.java line 434:
> 432: * {@code null}, the provider’s default parameters are applied.
> 433: * @param random the {@code SecureRandom} instance used during encryption.
> 434: * If {@code null}, the default is used
No period at end.
src/java.base/share/classes/javax/crypto/EncryptedPrivateKeyInfo.java line 443:
> 441: * {@code DEREncodable}, if {@code encryptKey} is invalid, if
> 442: * {@code algorithm} or {@code params} are not supported by any
> 443: * provider, or if an error occurs during encryption.
Period at end.
-------------
PR Review: https://git.openjdk.org/jdk/pull/27147#pullrequestreview-3383608457
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2465770029
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2465771881
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2465773174
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2465774479
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2465755364
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2465756500
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2465759253
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2465760463
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2465761669
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2465763501