Re: RFR: 8360564: Implement JEP 524: PEM Encodings of Cryptographic Objects (Second Preview) [v4]

Sat, 18 Oct 2025 13:42:21 -0700 

On Thu, 25 Sep 2025 23:03:11 GMT, Anthony Scarpino <[email protected]> 
wrote:

>> Hi
>> 
>> Please review the [Second Preview](https://openjdk.org/jeps/8360563) for the 
>> PEM API.  The most significant changes from [JEP 
>> 470](https://openjdk.org/jeps/470) are:
>> 
>> - Renamed the name of `PEMRecord` class to `PEM`.
>> - Revised the new `encryptKey` methods of the `EncryptedPrivateKeyInfo` 
>> class to accept `DEREncodable` objects rather than just `PrivateKey` objects 
>> so that cryptographic objects with public keys, i.e., `KeyPair` and 
>> `PKCS8EncodedKeySpec`, can also be encrypted.
>> - Enhanced the `PEMEncoder` and `PEMDecoder` classes to support the 
>> encryption and decryption of `KeyPair` and `PKCS8EncodedKeySpec` objects.
>> 
>> thanks
>> 
>> Tony
>
> Anthony Scarpino has updated the pull request incrementally with one 
> additional commit since the last revision:
> 
>   missed some decoder comments

src/java.base/share/classes/javax/crypto/EncryptedPrivateKeyInfo.java line 1:

> 1: /*

Since you added `getKey` and `getKeyPair` with a password argument, can we also 
add a `getKeySpec` with the same argument to be consistent?

Also, if you add this method, can it be used instead of `Pem.decryptEncoding`? 
That method is called inside EPKI and it creates another EPKI which looks 
wasteful and dangerously recursive.

src/java.base/share/classes/sun/security/ec/ECPrivateKeyImpl.java line 252:

> 250:                 int version = seq.data.getInteger();
> 251:                 if (version == 1) { // EC
> 252:                     byte[] oct = seq.data.getOctetString();  // private 
> key

If you call `seq.data.getDerValue()` then the return value uses the original 
array with an offset and a length. So there is no need to call `Arrays.fill` 
next.

src/java.base/share/classes/sun/security/util/Pem.java line 376:

> 374:             SharedSecrets.getJavaSecuritySpecAccess().
> 375:                 clearEncodedKeySpec(p8KeySpec);
> 376:             keySpec.clearPassword();

Why are the lines above indented? Were you trying to add a try-finally here?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2402364435
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2402215329
PR Review Comment: https://git.openjdk.org/jdk/pull/27147#discussion_r2402261371

Reply via email to