RFR: 8284910: Buffer clean in PasswordCallback [v2]
Xue-Lei Andrew Fan
xuelei at openjdk.java.net
Tue Apr 19 14:39:27 UTC 2022
On Mon, 18 Apr 2022 20:04:05 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Yes, exactly. I'd recommend it calling `cleanable.clean()` prior to storing the new password, so that the cleaning action for the old password is explicitly and immediately unregistered.
>
> Yes, I suppose that is a good enough reason, although this class never had a finalizer AFAIK. Won't there be a small performance hit (perhaps negligible) for code that already calls `clearPassword`? A specification clarification would provide clarity to applications that they do not have to call `clearPassword` in between calls to `setPassword`. Something as simple as: "This method clears the value of any previously stored password before storing the input password".
> If `setPassword` is called twice in succession, should the previous password be cleaned before the new one is assigned and registered?
Awesome, thank you! That what I want to archive while I filed the bug, but did not get an idea about how to clean the existing passwords during cleanup. It's pretty simple and straightforward to get it done in the setPassword.
-------------
PR: https://git.openjdk.java.net/jdk/pull/8272
More information about the security-dev
mailing list