-------------- EncryptedPrivateKeyInfo


    /**
     * Create and encrypt an {@code EncryptedPrivateKeyInfo} from a given
     * PrivateKey.  A valid password-based encryption (PBE) algorithm and
     * password must be specified.
     *
     * <p> The PBE algorithm string format details can be found in the
     * <a href="{@docRoot}/../specs/security/standard-names.html#cipher-algorithms">
     * Cipher section</a> of the Java Security Standard Algorithm Names
     * Specification.
     *
     * @param key the PrivateKey object to encrypt.
     * @param password the password used during encryption.
     * @param algorithm the PBE encryption algorithm.  The default algorithm is
     *                  will be used if {@code null}.  However, {@code null} is
     *                  not allowed when {@code params} is non-null.
     * @param params the {@code AlgorithmParameterSpec} to be used with
     *               encryption.  The provider default will be used if
     *               {@code null}.
     * @param provider the {@code Provider} is used for PBE
     *                 {@link SecretKeyFactory} generation and {@link Cipher}
     *                 encryption operations. The default provider list will be
     *                 used if {@code null}.
     * @return an EncryptedPrivateKeyInfo.
     * @throws IllegalArgumentException when an argument causes an
     * initialization error.
     * @throws SecurityException on a cryptographic errors.
     * @throws NullPointerException if the key or password are null. Also, if
     * {@code params} is non-null when {@code algorithm} is {@code null}.
     *
     * @implNote The encryption uses the algorithm set by
     * `jdk.epkcs8.defaultAlgorithm` Security Property
     *  and default the {@code AlgorithmParameterSpec} of that provider.
     *
     * @since 25
     */
    public static EncryptedPrivateKeyInfo encryptKey(PrivateKey key,
        char[] password, String algorithm, AlgorithmParameterSpec params,
        Provider provider)


    /**
     * Creates and encrypts an {@code EncryptedPrivateKeyInfo} from a given
     * {@code PrivateKey} and password.  Default algorithm and parameters are
     * used.
     *
     * @param key The {@code PrivateKey} object to encrypt.
     * @param password the password used in the PBE encryption.  This array is
     *                 cloned before being used.
     * @return an {@code EncryptedPrivateKeyInfo}.
     * @throws IllegalArgumentException on initialization errors based on the
     * arguments passed to the method.
     * @throws SecurityException on a encryption errors.
     * @throws NullPointerException when the password is null.
     *
     * @implNote The `jdk.epkcs8.defaultAlgorithm` Security Property defines
     * the default encryption algorithm and the {@code AlgorithmParameterSpec}
     * are the provider's algorithm defaults.
     *
     * @since 25
     */
    public static EncryptedPrivateKeyInfo encryptKey(PrivateKey key,
        char[] password) 


    /**
     * Creates and encrypts an {@code EncryptedPrivateKeyInfo} from a given
     * {@link PrivateKey} using the {@code encKey} and given parameters.
     *
     * @param key is the {@code PrivateKey} to be encrypted.
     * @param encKey the password-based encryption (PBE) {@code Key} used to
     *              encrypt {@code key}.
     * @param algorithm the PBE encryption algorithm.  The default algorithm is
     *                 will be used if {@code null}.  However, {@code null} is
     *                 not allowed when {@code params} is non-null.
     * @param params the {@code AlgorithmParameterSpec} to be used with
     *               encryption. The provider list default will be used if
     *               {@code null}.
     * @param random the {@code SecureRandom} instance used during
     *               encryption.  The default will be used if {@code null}.
     * @param provider the {@code Provider} is used for {@link Cipher}
     *                encryption operation.  The default provider list will be
     *                 used if {@code null}.
     * @return an {@code EncryptedPrivateKeyInfo}.
     * @throws IllegalArgumentException on initialization errors based on the
     *                                  arguments passed to the method.
     * @throws SecurityException on an encryption errors.
     * @throws NullPointerException if the key or password are null. Also, if
     * {@code params} is non-null when {@code algorithm} is {@code null}.
     *
     * @implNote The `jdk.epkcs8.defaultAlgorithm` Security Property defines
     * the default encryption algorithm and the {@code AlgorithmParameterSpec}
     * are the provider's algorithm defaults.

     * @since 25
     */
    public static EncryptedPrivateKeyInfo encryptKey(PrivateKey key, Key encKey,
        String algorithm, AlgorithmParameterSpec params, Provider provider,
        SecureRandom random) 



    /**
     * Returns a {@code PrivateKey} from the encrypted data in this instance.
     *
     * @param password this array is cloned and used for PBE decryption.
     *                 {@code null} may be used.
     * @return a {@code PrivateKey}
     * @throws InvalidKeyException if an error occurs during parsing of the
     * encrypted data or creation of the key object.
     *
     * @since 25
     */
    public PrivateKey getKey(char[] password) throws InvalidKeyException


    /**
     * Returns a {@code PrivateKey} from the encrypted data in this instance.
     * using the given provider.
     *
     * @param password this array is cloned and used for PBE decryption.
     *                 {@code null} may be used.
     * @param provider this {@code Provider} is used for all key generations.
     *                 It is used when generating the PBE encryption key,
     *                 {@code SecretKeyFactory}, and the {@code PrivateKey},
     *                 {@code KeyFactory}.  A {@code null} value will use the default
     *                 provider configuration.
     * @return a {@code PrivateKey}
     * @throws InvalidKeyException if an error occurs during parsing of the
     * encrypted data or creation of the key object.
     *
     * @since 25
     */
    public PrivateKey getKey(char[] password, Provider provider)
        throws InvalidKeyException 


    /**
     * Returns a {@code PrivateKey} from the encrypted data in this instance.
     * using the given provider.
     *
     * @param decryptKey this is the decryption key and cannot be {@code null}.
     * @param provider this {@code Provider} is used for all key generations.
     *                 It is used when generating the PBE encryption key,
     *                 {@code SecretKeyFactory}, and the {@code PrivateKey},
     *                 {@code KeyFactory}.  A {@code null} value will use the default
     *                 provider configuration.
     * @return a {@code PrivateKey}
     * @throws InvalidKeyException if an error occurs during parsing of the
     * encrypted data or creation of the key object.
     * @throws NullPointerException if {@code key} is null.
     *
     * @since 25
     */
    public PrivateKey getKey(Key decryptKey, Provider provider)
        throws InvalidKeyException



-------- AsymmetricKey

-  public interface AsymmetricKey extends Key {
+  public non-sealed interface AsymmetricKey extends Key, DEREncodable {


-------- KeyPair

-  public final class KeyPair implements java.io.Serializable {
+  public final class KeyPair implements java.io.Serializable, DEREncodable {


-------- X509CRL

-  public abstract class X509CRL extends CRL implements X509Extension {
+  public abstract non-sealed class X509CRL extends CRL implements X509Extension,
+      DEREncodable {


-------- X509Certificate


-  public abstract class X509Certificate extends Certificate
-  implements X509Extension {
+  public abstract non-sealed class X509Certificate extends Certificate
+      implements X509Extension, DEREncodable {


-------- PKCS8EncodedKeySpec

 /**
  * This class represents the ASN.1 encoding of a private key,
  * encoded according to the ASN.1 type {@code PrivateKeyInfo}.
  * The {@code PrivateKeyInfo} syntax is defined in the PKCS#8 standard
  * as follows:
  *
  * <pre>
  * PrivateKeyInfo ::= SEQUENCE {
  *   version Version,
  *   privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
  *   privateKey PrivateKey,
- *   attributes [0] IMPLICIT Attributes OPTIONAL }
+ *   attributes       [0] IMPLICIT Attributes OPTIONAL,
+ *   ...,
+ *   [[2: publicKey  [1] PublicKey OPTIONAL ]],
+ *   ...
+ * }
+ *
+ * PrivateKeyInfo ::= OneAsymmetricKey
  *
- * Version ::= INTEGER
+ * Version ::= INTEGER { v1(0), v2(1) }
  *
  * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
  *
  * PrivateKey ::= OCTET STRING
  *
+ * PublicKey ::= BIT STRING
+ *
  * Attributes ::= SET OF Attribute
  * </pre>
  *
  * @author Jan Luehe
  *
  *
  * @see java.security.Key
  * @see java.security.KeyFactory
  * @see KeySpec
  * @see EncodedKeySpec
  * @see X509EncodedKeySpec
  *
+ * @spec https://www.rfc-editor.org/info/rfc5958
+ *     RFC 5958: Asymmetric Key Packages
+ *
  * @since 1.2
  */

-  public class PKCS8EncodedKeySpec extends EncodedKeySpec {
+  public final class PKCS8EncodedKeySpec extends EncodedKeySpec implements
+      DEREncodable {


-------- X509EncodedKeySpec


-  public class X509EncodedKeySpec extends EncodedKeySpec {
+  public final class X509EncodedKeySpec extends EncodedKeySpec implements
+      DEREncodable {


---------- EncodedKeySpec

    
    /**
     * Creates a new {@code EncodedKeySpec} with the given encoded key.
  +  * This constructor extracts the algorithm name from the encoded bytes,
  +  * which may be an OID if no standard algorithm name is defined. If the
  +  * algorithm name cannot be extracted, it is set to null.
     *
     * @param encodedKey the encoded key. The contents of the
     * array are copied to protect against subsequent modification.
     * @throws NullPointerException if {@code encodedKey}
     * is null.
     */
    public EncodedKeySpec(byte[] encodedKey)