PKCS #11 provider shutdown process, key zeroization

[Matthew Hall]

Hello,

Can anyone please respond to my feedback on the PKCS #11 provider? It's been 
one month since I posted about several potential issues with the code. I would 
like to hear from someone with the necessary expertise. The OpenJDK process 
isn't very community-friendly if nobody will try to reply.

Thanks,
Matthew Hall.

On Tue, Feb 19, 2013 at 04:59:29PM -0800, Matthew Hall wrote:
> I found another issue related to this topic.
> 
> Quite a number of bits of code are printing out the content of the private 
> exponent of the RSA Private Keys by default into the toString() output, which 
> could lead to key compromise if they're printed into a log.
> 
> share/classes/sun/security/pkcs11/P11Key.java:552:            sb.append("\n  private exponent: ");
> share/classes/sun/security/pkcs11/P11Key.java:624:            sb.append("\n  private exponent: ");
> share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java:238:        sb.append("\n  private exponent: ");
> share/classes/sun/security/rsa/RSAPrivateKeyImpl.java:105:                + n + "\n  private exponent: " + d;
> 
> Ordinarily I believe FIPS and PCI would require that there isn't any code 
> sitting around that could accidentally or unexpectedly print out the private 
> key data. Is this toString() behaving that way for a good reason?
> 
> Matthew.