Meta tags:
description= Java 25 previews an API that transforms PEM (Privacy-Enhanced Mail) texts into cryptographic objects like public or private keys, certificates, and certification lists and vice versa.;
Headings (most frequently used words):
pem, java, and, 25, encodes, inside, newscast, 93, texts, api, basics, derencodable, pemrecord, private, keys, passwords, decoding, to, specific, types,
Text of the page (most frequently used words):
the (52), java (51), and (50), pem (43), that (29), you (26), this (16), pemdecoder (15), derencodable (15), with (15), project (14), cryptographic (13), for (13), api (12), #pemrecord (12), decode (12), texts (11), instance (11), string (10), can (10), key (10), private (10), new (9), password (9), pemencoder (9), keys (9), types (8), decoding (8), byte (8), them (7), text (7), encryptedprivatekeyinfo (7), encode (7), like (7), objects (7), over (6), specific (6), type (6), get (6), such (6), use (6), public (6), privacy (5), are (5), your (5), header (5), then (5), what (5), privatekey (5), into (5), when (5), content (5), there (5), inside (5), basics (5), community (5), junit (5), github (4), jdk (4), list (4), class (4), object (4), decoded (4), case (4), keypair (4), switch (4), provider (4), decoder (4), already (4), encoding (4), var (4), encoded (4), have (4), x509certificate (4), but (4), cert (4), various (4), newscast (4), core (4), code (4), youtube (3), ramp (3), lists (3), its (3), all (3), access (3), publickey (3), back (3), how (3), has (3), default (3), where (3), pattern (3), matching (3), turn (3), etc (3), encoder (3), encodetostring (3), passwords (3), der (3), call (3), example (3), record (3), while (3), getencoded (3), openjdk (3), libraries (3), platforms (3), watch (3), follow (3), share (3), encodes (3), libs (3), pioneer (3), demos (3), streams (3), clean (3), license (2), rss (2), stackoverflow (2), twitch (2), discord (2), mastodon (2), bluesky (2), see (2), again (2), two (2), weeks (2), long (2), mentioned (2), preview (2), now (2), included (2), any (2), give (2), each (2), one (2), ago (2), expect (2), course (2), don (2), also (2), explicitly (2), even (2), methods (2), input (2), stream (2), return (2), general (2), handle (2), upgrading (2), algo (2), params (2), encryptedkey (2), encryptedkey2 (2), key2 (2), instanceof (2), bytearrayinputstream (2), char (2), want (2), encrypt (2), better (2), returns (2), withencryption (2), instances (2), only (2), consider (2), because (2), array (2), pkcs10text (2), pkcs10 (2), leadingdata (2), platform (2), few (2), way (2), data (2), base64 (2), body (2), certification (2), process (2), well (2), here (2), watching (2), first (2), out (2), word (2), unfortunately (2), iso (2), 8859 (2), classes (2), very (2), vice (2), versa (2), wide (2), range (2), which (2), just (2), most (2), these (2), from (2), binary (2), format (2), without (2), development (2), today (2), previews (2), let (2), take (2), closer (2), look (2), applications (2), devices (2), certificate (2), used (2), enhanced (2), mail (2), begin (2), end (2), textual (2), representation (2), certificates (2), five (2), dashes (2), active (2), space (2), notified (2), publish (2), post (2), videos (2), about (2), talks (2), libfx (2), args (2), year (2), tools (2), techniques (2), serialization (2), reflection (2), records (2), valhalla (2), panama (2), loom (2), leyden (2), amber (2), performance (2), patterns (2), optional (2), migration (2), meta (2), maven (2), lambda (2), javafx (2), next (2), j_ms (2), generics (2), dop (2), documentation (2), deprecation (2), collections (2), architecture (2), tags (2), works (2), javascript (2), contact, imprint, since, down, phase, feature, freeze, everything, other, improvements, interesting, try, experiments, pop, something, noteworthy, sure, report, mailing, jep, corresponding, top, went, current, early, builds, decodedkey, decodedpem, alternatively, subtype, pass, overload, exception, line, request, rec, illegalargumentexception, throw, accept, intended, know, represents, resolve, simply, error, remaining, ones, getkey, encryptkey, algorithmparameterspec, non, parameters, algorithms, encryption, providers, need, existed, before, was, extended, interact, idea, additional, information, algorithm, starts, turned, correct, incantation, handling, decrypt, uses, whereas, still, unencrypted, too, calling, instead, gives, more, control, lifecycle, will, represent, ask, minutes, may, precedes, preceding, last, captures, doesn, pkcs, requests, thus, enabling, indeed, three, components, curious, x509crl, x509encodedkeyspec, pkcs8encodedkeyspec, subtypes, dsa, rsa, asymmetrickey, actually, could, read, quickly, turns, salad, stop, making, lunch, folding, laundry, whatever, else, doing, newscasts, glance, screen, moment, satisfy, curiosity, details, cert2, either, create, respective, static, factory, method, immutable, reusable, thread, safe, basic, straightforward, transform, empty, sealed, interface, capable, extend, aptly, named, design, options, bridge, gap, introduces, goes, alternative, designs, their, shortcomings, recommend, diving, topic, near, dear, skip, focus, chosen, solution, enhancement, proposal, 470, encodedpublic, encodedprivate, encodedcert, throws, certificateencodingexception, getprivate, getpublic, provides, building, blocks, fundamental, abilities, convert, themselves, make, bodies, capabilities, strewn, around, unrelated, uniform, clearly, purpose, batteries, should, allow, does, manual, bit, tricky, extensions, survey, april, 2022, confirmed, lack, easy, pain, point, set, fix, promises, importantly, send, receive, via, user, interfaces, network, storage, hardware, authentication, yubikeys, security, sensitive, openssh, openssl, authorities, short, tell, seen, left, context, behind, nowadays, services, mfkwewyhkozizj0caqyikozizj, 0daqcdqgaei, krgol7wcptn4kj, 2ppest5uyb6ucpjjukdtftxbgu, oifddz65o, 8htuqs, svzrf, dg7, tkq, 36kdtuadbwq, specified, rfc, 7468, revocation, likely, uploaded, ssh, pgp, artifact, repositories, they, footer, start, respectively, description, being, followed, another, welcome, everyone, cover, recent, developments, nicolai, parlog, developer, advocate, oracle, gonna, why, important, ready, dive, right, toc, table, contents, policy, cookie, remember, always, embed, transforms, video, 2025, slides, upcoming, past, schedule, recordings, virtual, threads, vector, structured, concurrency, lilliput, galahad, babylon, conversation, book, club, jms, newsletter, blog, posts, testing, rant, jigsaw, jdeps, impulse, lang, review, comments, words, site, enabled, nipafx,
Text of the page (random words):
java 25 encodes pem inside java newscast 93 nipafx this site works well without javascript but it works even better with javascript enabled bluesky mastodon discord youtube twitch github stackoverflow rss words tags architecture clean code clean comments code review collections community core lang core libs default methods deprecation documentation dop generics impulse j_ms java 10 java 11 java 12 java 13 java 16 java 17 java 18 java 20 java 23 java 24 java 25 java 26 java 27 java 8 java 9 java basics java next javafx jdeps js junit 5 junit pioneer lambda libfx libraries maven meta migration on ramp optional pattern matching patterns performance project amber project jigsaw project leyden project loom project panama project valhalla rant record args records reflection serialization streams switch techniques testing tools turn of the year var blog posts newsletter the jms videos tags ai architecture book club clean code collections community conversation core libs deprecation documentation dop generics j_ms java 10 java 11 java 12 java 16 java 17 java 18 java 19 java 21 java 22 java 23 java 24 java 25 java 26 java 8 java 9 java basics java next javafx junit 5 junit pioneer lambda libraries maven meta migration on ramp openjdk optional pattern matching patterns performance project amber project babylon project galahad project leyden project lilliput project loom project panama project valhalla records reflection serialization streams structured concurrency switch techniques tools turn of the year var vector virtual threads recordings streams schedule code demos demos demos junit pioneer record args libfx talks my talks past upcoming slides about about me license privacy 2025 06 19 java 25 encodes pem inside java newscast 93 video core libs java 25 java 25 previews an api that transforms pem privacy enhanced mail texts into cryptographic objects like public or private keys certificates and certification lists and vice versa always embed videos and give me a cookie to remember privacy policy watch on youtube java 25 encodes pem inside java newscast 93 table of contents pem texts pem api basics derencodable and pemrecord private keys and passwords decoding to specific types share follow share this post with your community i m active on various platforms watch this space or follow me there to get notified when i publish new content toc pem texts pem api basics derencodable and pemrecord private keys and passwords decoding to specific types s f share this post with your community i m active on various platforms watch this space or follow me there to get notified when i publish new content welcome everyone to the inside java newscast where we cover recent developments in the openjdk community i m nicolai parlog java developer advocate at oracle and today we re gonna take a closer look at an api that has its first preview in java 25 encoding and decoding pem texts what s a pem why is this important and how do you use that api we ll get to all that ready then let s dive right in pem texts pem is specified by rfc 7468 it s a textual representation of cryptographic objects like private and public keys certificates and certificate revocation lists you ve very likely already used pem texts for example when you uploaded ssh or pgp keys to github or artifact repositories they have a header and footer that each start with five dashes the word begin or end respectively a textual description of what s being encoded for example public key followed by another five dashes the text s body is the cryptographic object s base64 encoded binary representation begin public key mfkwewyhkozizj0caqyikozizj 0daqcdqgaei krgol7wcptn4kj 2ppest5uyb6ucpjjukdtftxbgu oifddz65o 8htuqs svzrf dg7 h3 tkq 36kdtuadbwq end public key pem is short for privacy enhanced mail but as you can tell by where you ve seen them the format has left that context behind long ago nowadays it s used by a wide range of services development platforms like github certificate authorities cryptographic libraries such as openssl security sensitive applications such as openssh hardware authentication devices such as yubikeys and most importantly in your applications to send and receive cryptographic objects via user interfaces over the network to and from storage devices etc so clearly a general purpose batteries included development platform like java should allow encoding and decoding cryptographic objects as pem texts and it does that already today but the process is manual and a bit tricky and the java cryptographic extensions survey in april 2022 confirmed the lack of an easy to use api as a pain point so openjdk set out to fix this and previews an api in java 25 that promises just that let s take a closer look pem api basics as i just mentioned java already provides the building blocks for pem en and decoding and the most fundamental one of these is the various cryptographic objects abilities to convert themselves to and from binary data in the der format which make up the pem texts bodies unfortunately these capabilities are strewn around various unrelated types like keypair and x509certificate without a uniform way to access them keypair kp byte encodedpublic kp getpublic getencoded byte encodedprivate kp getprivate getencoded x509certificate cert throws certificateencodingexception byte encodedcert cert getencoded there s a wide range of design options that can bridge this gap and jdk enhancement proposal 470 which introduces this api goes over a list of alternative designs and their shortcomings that i recommend diving into if this topic is near and dear to you here i ll skip them and focus on the chosen solution an empty sealed interface that all der encoding capable types extend aptly named derencodable the classes pemencoder and pemdecoder that transform derencodable instances to pem texts and vice versa the encoder and decoder classes are immutable reusable and thread safe and the basic use of this api is very straightforward create an encoder or a decoder with the respective static factory method of call pemencoder encode or encodetostring with a derencodable instance to get a pem text as either an iso 8859 1 byte array or as a string and then call decode with a pem text as string or iso 8859 1 encoded input stream to get a derencodable instance back x509certificate cert pemencoder pe pemencoder of string pem pe encodetostring cert pemdecoder pd pemdecoder of derencodable cert2 pd decode pem there are of course a few details to consider that we ll go over now derencodable and pemrecord first what types are actually derencodable i could read out the list but that quickly turns into word salad so you ll unfortunately have to stop making lunch or folding laundry or whatever else you re doing while watching inside java newscasts and glance at the screen for a moment to satisfy your curiosity asymmetrickey with subtypes for private public keys for dh dsa ec rsa etc keypair pkcs8encodedkeyspec x509encodedkeyspec encryptedprivatekeyinfo x509certificate x509crl pemrecord and while i have you here i m curious what do you do while watching the last class on that list pemrecord is new it captures the pem texts of cryptographic objects that the jdk doesn t have a type for such as pkcs 10 certification requests thus enabling you to process them as well pemrecord is indeed a record with three components string type the header text like private key for example string content the base64 encoded pem body byte leadingdata that s any content preceding the pem header a decode call will return a pemrecord if there s no java platform type to represent the cryptographic object or if you explicitly ask for this type we ll see how in a few minutes you may want to do that because it s the only way to access the data that precedes the pem header string pkcs10text pemdecoder pd pemdecoder of derencodable pkcs10 pd decode pkcs10text if pkcs10 instanceof pemrecord pem var der pem content var dt pem leadingdata private keys and passwords when handling private keys you can encrypt and decrypt them by upgrading the encoder and decoder to new instances that use a password a pemencoder that uses a password can only encode private keys whereas such a pemdecoder can still decode unencrypted objects too when encoding a private key consider calling encode instead of encodetostring because encode returns a byte array and that gives you more control over its lifecycle privatekey key char password pemencoder pe pemencoder of withencryption password byte pem pe encode key pemdecoder pd pemdecoder of withencryption password derencodable key2 pd decode new bytearrayinputstream pem if you want to encrypt with non default parameters algorithms or encryption providers you need to use an instance of encryptedprivatekeyinfo this class already existed before the pem api and was extended to better interact with it the idea is to turn an instance of privatekey into an instance of encryptedprivatekeyinfo with additional information like password algorithm etc and then encode that to a pem text decoding then starts with that text and returns an instance of encryptedprivatekeyinfo that can be turned back into a privatekey with the correct incantation privatekey key char password string algo algorithmparameterspec params provider provider encryptedprivatekeyinfo encryptedkey encryptedprivatekeyinfo encryptkey key password algo params provider pemencoder pe pemencoder of byte pem pe encode encryptedkey pemdecoder pd pemdecoder of derencodable encryptedkey2 pd decode new bytearrayinputstream pem if encryptedkey2 instanceof encryptedprivatekeyinfo e privatekey key2 e getkey password you can also use a specific cryptographic provider for decoding by again upgrading the decoder to a new instance decoding to specific types the pemdecoder s decode methods that accept a string or input stream return an instance of derencodable this is intended for the general case where you don t know what cryptographic object the pem text represents and you can resolve that with pattern matching simply switch over the decoded instance handle the types you expect and error handle the remaining ones string pem pemdecoder pd pemdecoder of derencodable decoded pd decode pem switch decoded case publickey key case keypair kp case pemrecord rec default throw new illegalargumentexception alternatively if you expect a specific subtype of derencodable you can pass that type to an overload of decode and then get back such an instance or an exception of course if the types don t line up this is also how you can explicitly request a cryptographic object to be decoded to a pemrecord instance even if the jdk has a specific type for it string pem pemdecoder pd pemdecoder of publickey decodedkey pd decode pem publickey class pemrecord decodedpem pd decode pem pemrecord class as mentioned this api is in preview in jdk 25 since we re now in ramp down phase 1 and 25 is in feature freeze everything new is included in the current early access builds so if pem texts or any of the other improvements i went over all of them two weeks ago are interesting to you give them a try and if your experiments pop up something noteworthy be sure to report it to the mailing list each jep lists the corresponding one up top in its header i ll see you again in two weeks so long bluesky mastodon discord youtube twitch github stackoverflow rss imprint privacy contact license
|