RFR: JDK-8209129 :Further improvements to cipher buffer management
Weijun Wang
weijun.wang at oracle.com
Wed Aug 22 14:50:24 UTC 2018
PBES2Core.java:

 181         byte[] passwdBytes = key.getEncoded();
 182         char[] passwdChars = null;
 183         PBEKeySpec pbeSpec;
 184         try {
 185             if ((passwdBytes == null) ||
 186                     !(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3))) {
 187                 throw new InvalidKeyException("Missing password");
 188             }
 ....
 272         } finally {
 273             if (passwdChars != null) Arrays.fill(passwdChars, ' ');
 274             Arrays.fill(passwdBytes, (byte)0x00);
 275         }

If passwdBytes == null, line 274 would throw an NPE.

PBKDF2KeyImpl.java:

  87         char[] passwd = keySpec.getPassword();
  88         if (passwd == null) {
  89             // Should allow an empty password.
  90             this.passwd = new char[0];
  91         } else {
  92             this.passwd = passwd.clone();
  93         }
  94         // Convert the password from char[] to byte[]
  95         byte[] passwdBytes = getPasswordBytes(this.passwd);
  96         // remove local copy
  97         Arrays.fill(passwd, '0');

If passwd == null, line 97 would throw an NPE.

Otherwise fine.

Thanks
Max

> On Aug 17, 2018, at 12:53 AM, Seán Coffey <sean.coffey at oracle.com> wrote:
>
> Find new webrev here Max :
>
> http://cr.openjdk.java.net/~coffeys/webrev.8209129.v2/webrev/
>
> regards :
>
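
The first review comment above, as an added example that is not part of the original message or of the JDK sources: a buffer wipe in a `finally` block that is reached with a null reference throws an NPE, and that NPE replaces the exception the `try` body raised. The class name `FinallyWipeDemo`, the helpers `key` and `usePassword`, and the `guarded` flag are hypothetical, and the method body is a simplified stand-in for the real key derivation.

```java
import java.security.InvalidKeyException;
import java.security.Key;
import java.util.Arrays;

public class FinallyWipeDemo {
    // Hypothetical stand-in for a key whose getEncoded() may return null
    // (for example a non-extractable key). Constructed for this example.
    static Key key(String alg, byte[] encoded) {
        return new Key() {
            public String getAlgorithm() { return alg; }
            public String getFormat() { return encoded == null ? null : "RAW"; }
            public byte[] getEncoded() { return encoded == null ? null : encoded.clone(); }
        };
    }

    // guarded=false keeps the unconditional wipe the review flags;
    // guarded=true adds the null check before wiping.
    static int usePassword(Key key, boolean guarded) throws InvalidKeyException {
        byte[] passwdBytes = key.getEncoded();
        char[] passwdChars = null;
        try {
            if (passwdBytes == null
                    || !key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) {
                throw new InvalidKeyException("Missing password");
            }
            passwdChars = new char[passwdBytes.length];
            for (int i = 0; i < passwdChars.length; i++) {
                passwdChars[i] = (char) (passwdBytes[i] & 0x7f);
            }
            return passwdChars.length; // placeholder for the real key derivation
        } finally {
            if (passwdChars != null) Arrays.fill(passwdChars, '\0');
            if (!guarded || passwdBytes != null) {
                Arrays.fill(passwdBytes, (byte) 0x00); // NPE here if null and unguarded
            }
        }
    }

    public static void main(String[] args) {
        Key noEncoding = key("PBEWithHmacSHA256AndAES_128", null); // constructed input
        for (boolean guarded : new boolean[] {false, true}) {
            try {
                usePassword(noEncoding, guarded);
            } catch (Exception e) {
                System.out.println("guarded=" + guarded + " -> " + e.getClass().getSimpleName());
            }
        }
    }
}
```

With the unguarded wipe the caller sees a NullPointerException instead of the intended InvalidKeyException; with the null check the InvalidKeyException propagates unchanged.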