RFR: 8284910: Buffer clean in PasswordCallback [v2]
Stuart Marks
smarks at openjdk.java.net
Mon Apr 18 19:30:39 UTC 2022
On Mon, 18 Apr 2022 19:10:44 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
>> What about code that is already calling `clearPassword` between calls to `setPassword`? This seems to be a change in the design of this API. The `clearPassword` method is there to allow callers to manage and clear the passwords itself.
>
> I think its "belt and suspenders".
> If the caller does not call `clearPassword` before calling a second `setPassword,` the previous char array will still contain the previous password and remain uncleared in memory for a (longer) indeterminate time.
> It is fulfilling the same purpose as the original finalizer.
Yes, exactly. I'd recommend it calling `cleanable.clean()` prior to storing the new password, so that the cleaning action for the old password is explicitly and immediately unregistered.
-------------
PR: https://git.openjdk.java.net/jdk/pull/8272
More information about the security-dev
mailing list