On Tue, 5 May 2026 23:44:16 GMT, Anthony Scarpino <[email protected]> wrote:

>> Please review the finalized PEM API at https://openjdk.org/jeps/8376991. The 
>> most significant changes from the second preview, JEP 524 
>> (https://openjdk.org/jeps/524), include:
>> 
>> - The `PEM` class is now an ordinary class rather than a record. It adds 
>> Binary-encoded content constructors and data is defensively copied.
>> - The `DEREncodable` interface is renamed to `BinaryEncodable` to more 
>> accurately reflect the binary data stored in PEM text.
>> - In `EncryptedPrivateKeyInfo`, the `encrypt` methods now accept 
>> `BinaryEncodable`, and the `getKey()` and `getKeyPair()` methods no longer 
>> include a `Provider` parameter.
>> - A new `CryptoException` class indicates failures in cryptographic 
>> processing at runtime.
>> 
>> thanks
>> 
>> ---------
>> - [x] I confirm that I make this contribution in accordance with the 
>> [OpenJDK Interim AI Policy](https://openjdk.org/legal/ai).
>
> Anthony Scarpino has updated the pull request incrementally with one 
> additional commit since the last revision:
> 
>   comments and String/byte[] change

src/java.base/share/classes/java/security/PEMDecoder.java line 199:

> 197: 
> 198:                     try {
> 199:                         p8key = new PKCS8Key(pem.decode());

Should we clear `pem.decode()`?

src/java.base/share/classes/java/security/PEMDecoder.java line 434:

> 432:             if ((PublicKey.class).isAssignableFrom(tClass) ||
> 433:                 (X509EncodedKeySpec.class).isAssignableFrom(tClass)) {
> 434:                 so = kp.getPublic();

Should we clear `kp.getPrivate()`?

src/java.base/share/classes/java/security/PEMDecoder.java line 453:

> 451:                 if ((PKCS8EncodedKeySpec.class).isAssignableFrom(tClass)) {
> 452:                     so = getKeyFactory(key.getAlgorithm()).
> 453:                         getKeySpec(key, PKCS8EncodedKeySpec.class);

Should we clear `key`?

src/java.base/share/classes/sun/security/util/Pem.java line 360:

> 358:             return (preData == null) ?
> 359:                 new PEM(typeConverter(headerType), pem.toByteArray()) :
> 360:                 new PEM(typeConverter(headerType), pem.toByteArray(), preData);

`pem.toByteArray()` output is not cleared.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/29640#discussion_r3204932304
PR Review Comment: https://git.openjdk.org/jdk/pull/29640#discussion_r3204927964
PR Review Comment: https://git.openjdk.org/jdk/pull/29640#discussion_r3204925606
PR Review Comment: https://git.openjdk.org/jdk/pull/29640#discussion_r3204914183
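
The clearing pattern the review comments above ask about, as an added example that is not part of the original message or of the JDK sources. It uses only long-standing `java.base` APIs rather than the PEM API under review; `fromDerAndClear` and `allZero` are hypothetical names, and the key is a throwaway generated at run time.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

public class ClearDecodedKeyBytes {

    // Hypothetical helper (not JDK code): builds a PrivateKey from PKCS#8 DER
    // bytes and always wipes the caller's temporary array afterwards.
    static PrivateKey fromDerAndClear(byte[] der, String algorithm) throws Exception {
        try {
            // PKCS8EncodedKeySpec clones its input, so 'der' remains a second,
            // independent copy of the private key until it is overwritten.
            return KeyFactory.getInstance(algorithm)
                    .generatePrivate(new PKCS8EncodedKeySpec(der));
        } finally {
            Arrays.fill(der, (byte) 0); // runs on success and on exception
        }
    }

    static boolean allZero(byte[] b) {
        for (byte x : b) if (x != 0) return false;
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a throwaway EC key generated at run time.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        PrivateKey original = kpg.generateKeyPair().getPrivate();
        byte[] originalDer = original.getEncoded();
        String pemBody = Base64.getMimeEncoder().encodeToString(originalDer);

        // Decoding the Base64 body yields a fresh array holding the key.
        byte[] der = Base64.getMimeDecoder().decode(pemBody);
        PrivateKey decoded = fromDerAndClear(der, "EC");
        byte[] decodedDer = decoded.getEncoded(); // another copy to wipe

        System.out.println("temporary array wiped: " + allZero(der));
        System.out.println("same encoding as original: "
                + MessageDigest.isEqual(originalDer, decodedDer));

        Arrays.fill(originalDer, (byte) 0);
        Arrays.fill(decodedDer, (byte) 0);
    }
}
```

The `String` holding the Base64 body is immutable and cannot be wiped this way, and the copy held inside `PKCS8EncodedKeySpec` has no public clearing method.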
