RFR: JDK-8209129 :Further improvements to cipher buffer management
Seán Coffey
sean.coffey at oracle.com
Wed Aug 22 16:25:41 UTC 2018
Thanks for reviewing. Comments inline.
On 22/08/18 15:50, Weijun Wang wrote:
> PBES2Core.java:
>
> 181 byte[] passwdBytes = key.getEncoded();
> 182 char[] passwdChars = null;
> 183 PBEKeySpec pbeSpec;
> 184 try {
> 185     if ((passwdBytes == null) ||
> 186         !(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3))) {
> 187         throw new InvalidKeyException("Missing password");
> 188     }
> ....
> 272 } finally {
> 273     if (passwdChars != null) Arrays.fill(passwdChars, ' ');
> 274     Arrays.fill(passwdBytes, (byte)0x00);
> 275 }
>
> If passwdBytes == null, line 274 would throw an NPE.
Good catch. Corrected.
>
> PBKDF2KeyImpl.java:
>
> 87 char[] passwd = keySpec.getPassword();
> 88 if (passwd == null) {
> 89     // Should allow an empty password.
> 90     this.passwd = new char[0];
> 91 } else {
> 92     this.passwd = passwd.clone();
> 93 }
> 94 // Convert the password from char[] to byte[]
> 95 byte[] passwdBytes = getPasswordBytes(this.passwd);
>
> 96 // remove local copy
> 97 Arrays.fill(passwd, '0');
>
> If passwd == null, line 97 would throw an NPE.
Another good catch!
Updated webrev:
http://cr.openjdk.java.net/~coffeys/webrev.8209129.v3/webrev/
regards,
Sean.
>
> Otherwise fine.
>
> Thanks
> Max
>
>
>> On Aug 17, 2018, at 12:53 AM, Seán Coffey <sean.coffey at oracle.com> wrote:
>>
>> Find new webrev here Max :
>>
>> http://cr.openjdk.java.net/~coffeys/webrev.8209129.v2/webrev/
>>
>> regards :
>>
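
An added example (not taken from the webrev or the JDK sources) of the first issue raised in this thread: when the buffer is null, the NPE thrown by the unguarded wipe in `finally` replaces the intended `InvalidKeyException`. The class and method names are hypothetical, the password bytes are constructed, and the null guard is an assumed form of the correction, mirroring the existing check on line 273.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.util.Arrays;

// Added illustration; hypothetical names, not JDK code.
public class ZeroizeInFinally {

    // Pattern flagged in the review: the wipe in finally is not null-guarded.
    static int unguarded(byte[] passwdBytes) throws InvalidKeyException {
        try {
            if (passwdBytes == null) {
                throw new InvalidKeyException("Missing password");
            }
            return passwdBytes.length; // stand-in for the real key derivation
        } finally {
            // With a null buffer this throws NullPointerException, which
            // discards the InvalidKeyException raised in the try block.
            Arrays.fill(passwdBytes, (byte) 0x00);
        }
    }

    // Assumed correction: guard the wipe so the intended exception propagates
    // and a non-null buffer is still cleared on every exit path.
    static int guarded(byte[] passwdBytes) throws InvalidKeyException {
        try {
            if (passwdBytes == null) {
                throw new InvalidKeyException("Missing password");
            }
            return passwdBytes.length;
        } finally {
            if (passwdBytes != null) Arrays.fill(passwdBytes, (byte) 0x00);
        }
    }

    // Reports which exception type the caller actually observes.
    static String outcome(boolean useGuard, byte[] encoded) {
        try {
            return "ok:" + (useGuard ? guarded(encoded) : unguarded(encoded));
        } catch (Exception e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        byte[] pw = "constructed-sample".getBytes(StandardCharsets.UTF_8);
        System.out.println("unguarded, null key: " + outcome(false, null));
        System.out.println("guarded, null key:   " + outcome(true, null));
        System.out.println("guarded, valid key:  " + outcome(true, pw));
        System.out.println("buffer wiped after use: " + (pw[0] == 0));
    }
}
```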