Summary
-------

Update the `getInstance` method for `KEM` to check if a 3rd-party security provider is signed.

Problem
-------

Like other JCE service classes (`Cipher`, `Mac`, `KeyAgreement`, etc), the `KEM` service is able to generate `SecretKey`s that can be used in encryption and decryption. As always, such services, when implemented in a 3rd-party security provider, require the provider to reside in a signed JAR file.

See [the requirement][1] in the Java SE Security Guide.

Solution
--------

Update the `KEM::getInstance` methods to check whether the 3rd-party security provider is signed.

Precisely, if `KEM.getInstance(alg)` (without a provider argument) is called, the implementations in unsigned 3rd-party security providers will be ignored. If there is no signed 3rd-party security providers or JDK builtin providers that provide this KEM algorithm, a `NoSuchAlgorithmException` will be thrown. If `KEM.getInstance(alg, p)` (with a `Provider` argument) is called and the provider is an unsigned 3rd-party security provider, a `SecurityException` will be thrown indicating that the provider cannot be authenticated by JCE. If `KEM.getInstance(alg, "P")` (with a `String` argument as the registered provider's name) is called and the provider is an unsigned 3rd-party security provider, a `NoSuchProviderException` will be thrown indicating that the provider cannot be authenticated by JCE. 

This is consistent with most other existing JCE service classes.

OpenJDK source code does not require 3rd party JCE providers to be signed, but does support a framework (by extending internal APIs) for vendors to optionally add support for it, as Oracle JDK does.

Specification
-------------

The Java SE Security Guide will be updated to include KEM in the existing list of JCE service classes. See https://bugs.openjdk.org/browse/JDK-8322973 for detailed changes.

  [1]: https://docs.oracle.com/en/java/javase/21/security/howtoimplaprovider.html#GUID-AEE5234F-24F1-4899-B490-C79F0C2D8D59