RFR: 8258915: Temporary buffer cleanup [v4]

Weijun Wang weijun at openjdk.java.net
Sat Jan 23 16:34:41 UTC 2021


On Sat, 23 Jan 2021 16:12:43 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> src/jdk.crypto.ec/share/classes/sun/security/ec/ECPrivateKeyImpl.java line 133:
>> 
>>> 131:             out.putInteger(1); // version 1
>>> 132:             out.putOctetString(sOctets);
>>> 133:             Arrays.fill(sOctets, (byte)0);
>> 
>> The same handling should apply to line 106 above inside makeEncoding(byte[])?
>
> I'll take a look. The test does not show it. Maybe because of the reversing?

I found out the reason. This method is called during key pair generation but my test only deals with manually crafted keys (so that I know what special bytes to search for). I think I'll need to find a different test method. This might reveal other leaks in key generation.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2070


