RFR: 8347938: Add Support for the Latest ML-KEM and ML-DSA Private Key Encodings [v12]
Sean Mullan
mullan at openjdk.org
Thu Jan 29 19:53:41 UTC 2026
On Fri, 23 Jan 2026 14:49:12 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> The private key encoding formats of ML-KEM and ML-DSA are updated to match the latest [draft-ietf-lamps-kyber-certificates-11](https://datatracker.ietf.org/doc/html/draft-ietf-lamps-kyber-certificates-11) and [RFC 9881](https://datatracker.ietf.org/doc/rfc9881/). New security/system properties are introduced to determine which CHOICE a private key is encoded when a new key pair is generated or when `KeyFactory::translateKey` is called.
>>
>> By default, the choice is "seed".
>>
>> Both the encoding and the expanded format are stored inside a `NamedPKCS8Key` now. When loading from a PKCS8 key, the expanded format is calculated from the input if it's seed only.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
> grammar; no more 8347941
src/java.base/share/classes/sun/security/pkcs/NamedPKCS8Key.java line 68:
> 66: ///
> 67: /// A `NamedPKCS8Key`, when created, must include `expanded` if required, its
> 68: /// `privKeyMaterial` must have already been validated for internal consistency.
I don't understand this sentence - maybe should be two sentences?
src/java.base/share/classes/sun/security/pkcs/NamedPKCS8Key.java line 192:
> 190: }
> 191:
> 192: /// Expands from encoding format to expanded format.
Add `@FunctionalInterface`?
src/java.base/share/classes/sun/security/provider/NamedKeyFactory.java line 245:
> 243: @Override
> 244: protected Key engineTranslateKey(Key key) throws InvalidKeyException {
> 245: // The base toNamedKey only make sure key is translated into a NamedKey.
s/make/makes/
test/jdk/sun/security/provider/pqc/PrivateKeyEncodings.java line 1:
> 1: /*
Is this test skipped if it cannot download the drafts?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24969#discussion_r2743063487
PR Review Comment: https://git.openjdk.org/jdk/pull/24969#discussion_r2743082475
PR Review Comment: https://git.openjdk.org/jdk/pull/24969#discussion_r2742340332
PR Review Comment: https://git.openjdk.org/jdk/pull/24969#discussion_r2743249691
More information about the security-dev
mailing list