RFR: 8347938: Add Support for the Latest ML-KEM and ML-DSA Private Key Encodings [v10]

[Sean Mullan]

On Wed, 14 Jan 2026 14:25:00 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> The private key encoding formats of ML-KEM and ML-DSA are updated to match the latest IETF drafts at: https://datatracker.ietf.org/doc/html/draft-ietf-lamps-dilithium-certificates-11 and https://datatracker.ietf.org/doc/html/draft-ietf-lamps-kyber-certificates-10. New security/system properties are introduced to determine which CHOICE a private key is encoded when a new key pair is generated or when `KeyFactory::translateKey` is called.
>> 
>> By default, the choice is "seed".
>> 
>> Both the encoding and the expanded format are stored inside a `NamedPKCS8Key` now. When loading from a PKCS #8 key, the expanded format is calculated from the input if it's seed only.
>
> Weijun Wang has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 14 commits:
> 
>  - Merge branch 'master' into 8347938
>  - one RFC; some java.security word changes
>  - fixed merge error
>  - merge
>  - merge
>  - Ben comment
>  - combine security properties description; remove one test
>  - Merge branch 'master' into 8347938
>  - KeyChoices class
>  - allow expanded to be null
>  - ... and 4 more: https://git.openjdk.org/jdk/compare/20bd178b...dfbcaa09

Sending you a couple of minor comments for now. Going to take me a little while longer to get through this review.

src/java.base/share/conf/security/java.security line 1662:

> 1660: # PKCS #8 encoding format for newly created ML-KEM and ML-DSA private keys
> 1661: #
> 1662: # draft-ietf-lamps-kyber-certificates-11 and RFC 9881 define three possible formats for a private key:

This line looks a bit longer than 80 chars.

-------------

PR Review: https://git.openjdk.org/jdk/pull/24969#pullrequestreview-3064612877
PR Review Comment: https://git.openjdk.org/jdk/pull/24969#discussion_r2716858331