On Tue, 5 May 2026 23:44:16 GMT, Anthony Scarpino <[email protected]> wrote:
>> Please review the finalized PEM API at https://openjdk.org/jeps/8376991. The
>> most significant changes from the second preview, JEP 524
>> (https://openjdk.org/jeps/524), include:
>>
>> - The `PEM` class is now an ordinary class rather than a record. It adds
>> Binary-encoded content constructors and data is defensively copied.
>> - The `DEREncodable` interface is renamed to `BinaryEncodable` to more
>> accurately reflect the binary data stored in PEM text.
>> - In `EncryptedPrivateKeyInfo`, the `encrypt` methods now accept
>> `BinaryEncodable`, and the `getKey()` and `getKeyPair()` methods no longer
>> include a `Provider` parameter.
>> - A new `CryptoException` class indicates failures in cryptographic
>> processing at runtime.
>>
>> thanks
>>
>> ---------
>> - [x] I confirm that I make this contribution in accordance with the
>> [OpenJDK Interim AI Policy](https://openjdk.org/legal/ai).
>
> Anthony Scarpino has updated the pull request incrementally with one
> additional commit since the last revision:
>
>   comments and String/byte[] change

src/java.base/share/classes/java/security/BinaryEncodable.java line 43:

> 41: * result in a {@link MatchException}.
> 42: *
> 43: *

Two empty lines.

src/java.base/share/classes/java/security/PEM.java line 169:

> 167: this.type = type;
> 168: final var c = content;
> 169: CleanerFactory.cleaner().register(this, () -> KeyUtil.clear(c));

Does it make sense to only clean PRIVATE KEY bytes?

src/java.base/share/classes/java/security/PEMEncoder.java line 119:

> 117: * RFC 7468: Textual Encodings of PKIX, PKCS, and CMS Structures
> 118: *
> 119: * @since 25

Still 25.

src/java.base/share/classes/java/security/PEMEncoder.java line 173:

> 171: public String encodeToString(BinaryEncodable be) {
> 172: Objects.requireNonNull(be);
> 173: if (be instanceof PEM pem) {

This shortcut introduces a small behavior inconsistency: no error even if there is an encryption key.

src/java.base/share/classes/sun/security/util/Pem.java line 472:

> 470: * @param provider KeyFactory provider
> 471: */
> 472: public static BinaryEncodable toPKCS8Encodable(byte[] encoded,
> boolean pair,

Checked its usages, and `pair` seems always true.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/29640#discussion_r3204868434
PR Review Comment: https://git.openjdk.org/jdk/pull/29640#discussion_r3204852203
PR Review Comment: https://git.openjdk.org/jdk/pull/29640#discussion_r3204853395
PR Review Comment: https://git.openjdk.org/jdk/pull/29640#discussion_r3204834533
PR Review Comment: https://git.openjdk.org/jdk/pull/29640#discussion_r3204845621
