Skip to content

8298420: Implement JEP 470: PEM Encodings of Cryptographic Objects (Preview) #17543

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 82 commits into from
Closed

8298420: Implement JEP 470: PEM Encodings of Cryptographic Objects (Preview) #17543

wants to merge 82 commits into from

Conversation

@ascarpino
Copy link
Contributor

@ascarpino ascarpino commented Jan 24, 2024
edited by openjdk bot
Loading

Hi all,

I need a code review of the PEM API. Privacy-Enhanced Mail (PEM) is a format for encoding and decoding cryptographic keys and certificates. It will be integrated into JDK25 as a Preview Feature. Preview features does not permanently define the API and it is subject to change in future releases until it is finalized.

Details about this change can be seen at PEM API JEP.

Thanks

Tony

Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change requires CSR request JDK-8329419 to be approved
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue

Issues

  • JDK-8298420: Implement JEP 470: PEM Encodings of Cryptographic Objects (Preview) (Enhancement - P2)
  • JDK-8329419: Implement JEP 470: PEM Encodings of Cryptographic Objects (Preview) (CSR)

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/17543/head:pull/17543
$ git checkout pull/17543

Update a local copy of the PR:
$ git checkout pull/17543
$ git pull https://git.openjdk.org/jdk.git pull/17543/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 17543

View PR using the GUI difftool:
$ git pr show -t 17543

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/17543.diff

Using Webrev

Link to Webrev Comment

@bridgekeeper
Copy link

bridgekeeper bot commented Jan 24, 2024

👋 Welcome back ascarpino! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk
Copy link

openjdk bot commented Jan 24, 2024

@ascarpino The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the security security-dev@openjdk.org label Jan 24, 2024
@openjdk
Copy link

openjdk bot commented Mar 13, 2024
edited
Loading

@ascarpino This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8298420: Implement JEP 470: PEM Encodings of Cryptographic Objects (Preview)

Reviewed-by: weijun, mr, mullan, jnimeh

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 231 new commits pushed to the master branch:

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk
Copy link

openjdk bot commented Mar 28, 2024

@ascarpino this pull request can not be integrated into master due to one or more merge conflicts. To resolve these merge conflicts and update this pull request you can run the following commands in the local repository for your personal fork:

git checkout pem
git fetch https://git.openjdk.org/jdk.git master
git merge FETCH_HEAD
# resolve conflicts and follow the instructions given by git merge
git commit -m "Merge master"
git push

@openjdk openjdk bot added the merge-conflict Pull request has merge conflict with target branch label Mar 28, 2024
@openjdk openjdk bot changed the title JDK-8300911: PEM API (Preview) 8300911: PEM API (Preview) Apr 10, 2024
@openjdk openjdk bot removed the merge-conflict Pull request has merge conflict with target branch label Apr 22, 2024
@ascarpino
comment/exception updates
6f3fd2d
@ascarpino
Doc changes
24eed10 
Fixed P8v2 0xA0
Test: Use EKPI with PBEParameters to match EPK8 base64
cleanup
@ascarpino
update
05729e6
seanjmullan
seanjmullan reviewed May 14, 2025
View reviewed changes
Copy link
Member

@seanjmullan seanjmullan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few remaining very minor comments. This is looking really good now.

@openjdk openjdk bot removed the merge-conflict Pull request has merge conflict with target branch label May 15, 2025
wangweij
wangweij reviewed May 15, 2025
View reviewed changes
@openjdk openjdk bot removed the csr Pull request needs approved CSR before integration label May 21, 2025
@ascarpino ascarpino changed the title 8298420: PEM API: Implementation (Preview) 8298420: Implement JEP 470: PEM Encodings of Cryptographic Objects (Preview) May 27, 2025
@ascarpino ascarpino requested a review from mbreinhold May 27, 2025 23:13
Krushna948
Krushna948 reviewed May 28, 2025
View reviewed changes
src/java.base/share/classes/java/security/PEMRecord.java
*
* @param type the type identifier in the PEM header without PEM syntax labels.
* For a public key, {@code type} would be "PUBLIC KEY".
* @param pem any data between the PEM header and footer.
Copy link

@Krushna948 Krushna948 May 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here 'pem' - any data between the PEM header and footer.
But the constructor description below for both the constructors
"pem the Base64-encoded data encapsulated by the PEM header and footer"

Observation
If I pass the data between PEM header and footer, the PEMRecord created successfully.
If I include Header and Footer
For eg as pem string,

"-----BEGIN PUBLIC KEY-----\n" +
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGRGrflwdiorIrC02pmr0jAKXI\n" +
"qxbBHxMUslLg8bjJiJCbanW7g7j7fR3RwGVU0cWh8rsQ/y4U7Yy0gBAsWCrr/TDS\n" +
"Xf3RWiZbQiQo6brZFiFZ5WgWgTpuzxDKpzLjyXCe17FXgbgEYscRPB/Rff6q2OS4\n" +
"H6stY3fHctzmU1HmUQIDAQAB\n" +
"-----END PUBLIC KEY-----";

PEMRecord creation throws java.lang.IllegalArgumentException: Illegal footer:

Looks some inconsistency in documentation/ behavior

Copy link
Contributor Author

@ascarpino ascarpino May 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code requires a end of line character. Perhaps the documentation can be clarified later

src/java.base/share/classes/java/security/PEMDecoder.java
* public key will be returned in that format. Any type of PEM data can be
* decoded into a {@code PEMRecord} by specifying {@code PEMRecord.class}.
* If the Class parameter doesn't match the PEM content, an
* {@code IllegalArgumentException} will be thrown.
Copy link

@Krushna948 Krushna948 May 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks a Typo, it supposed to be ClassCastException?

Copy link
Contributor Author

@ascarpino ascarpino May 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks.. I can follow up on this with post integration.

src/java.base/share/classes/java/security/PEMDecoder.java
* from the specified {@link Provider} to produce cryptographic objects.
* Any errors using the {@code Provider} will occur during decoding.
*
* <p>If {@code provider} is {@code null}, a new instance is returned with
Copy link

@Krushna948 Krushna948 May 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May this needs to be updated as below @throws NullPointerException if {@code provider} is null

Copy link
Contributor Author

@ascarpino ascarpino May 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, this could use some clarification post-integration

@openjdk openjdk bot added the ready Pull request is ready to be integrated label May 28, 2025
artur-oracle
artur-oracle reviewed May 28, 2025
View reviewed changes
@ascarpino
Copy link
Contributor Author

ascarpino commented May 28, 2025

/integrate

@openjdk
Copy link

openjdk bot commented May 28, 2025

Going to push as commit bb2c80c.
Since your change was applied there have been 231 commits pushed to the master branch:

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated Pull request has been integrated label May 28, 2025
@openjdk openjdk bot closed this May 28, 2025
@openjdk openjdk bot removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels May 28, 2025
@openjdk
Copy link

openjdk bot commented May 28, 2025

@ascarpino Pushed as commit bb2c80c.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

ExE-Boss
ExE-Boss reviewed Aug 18, 2025
View reviewed changes
src/java.base/share/classes/javax/crypto/EncryptedPrivateKeyInfo.java
*/

public class EncryptedPrivateKeyInfo {
public non-sealed class EncryptedPrivateKeyInfo implements DEREncodable {
Copy link

@ExE-Boss ExE-Boss Aug 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that the JEPs12 list EncryptedPrivateKeyInfo as:

public final class EncryptedPrivateKeyInfo { ... }

Footnotes

  1. JEP 470: PEM Encodings of Cryptographic Objects (Preview) § DER‑encodable cryptographic objects

  2. JEP draft: PEM Encodings of Cryptographic Objects (Second Preview) § DER‑encodable cryptographic objects

Copy link
Member

@seanjmullan seanjmullan Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has been fixed in the latest versions of the JEPs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

8 more reviewers

@driverkt driverkt driverkt left review comments

@ExE-Boss ExE-Boss ExE-Boss left review comments

@seanjmullan seanjmullan seanjmullan approved these changes

@artur-oracle artur-oracle artur-oracle left review comments

@Krushna948 Krushna948 Krushna948 left review comments

@wangweij wangweij wangweij approved these changes

@mbreinhold mbreinhold mbreinhold approved these changes

@jnimeh jnimeh jnimeh approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

integrated Pull request has been integrated security security-dev@openjdk.org

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.