PKCS #11 provider shutdown process, key zeroization
Matthew Hall
mhall at mhcomputing.net
Wed Feb 20 00:59:30 UTC 2013
I found another issue related to this topic.
Quite a number of bits of code are printing out the content of the private
exponent of the RSA Private Keys by default into the toString() output, which
could lead to key compromise if they're printed into a log.
share/classes/sun/security/pkcs11/P11Key.java:552: sb.append("\n private exponent: ");
share/classes/sun/security/pkcs11/P11Key.java:624: sb.append("\n private exponent: ");
share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java:238: sb.append("\n private exponent: ");
share/classes/sun/security/rsa/RSAPrivateKeyImpl.java:105: + n + "\n private exponent: " + d;
Ordinarily I believe FIPS and PCI would require that there isn't any code
sitting around that could accidentally or unexpectedly print out the private
key data. Is this toString() behaving that way for a good reason?
Matthew.
More information about the security-dev
mailing list