RFR: 8284910: Buffer clean in PasswordCallback [v2]

Xue-Lei Andrew Fan xuelei at openjdk.java.net
Tue Apr 19 15:25:22 UTC 2022


On Tue, 19 Apr 2022 14:35:37 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> Yes, I suppose that is a good enough reason, although this class never had a finalizer AFAIK. Won't there be a small performance hit (perhaps negligible) for code that already calls `clearPassword`? A specification clarification would provide clarity to applications that they do not have to call `clearPassword` in between calls to `setPassword`. Something as simple as: "This method clears the value of any previously stored password before storing the input password".
>
>> If `setPassword` is called twice in succession, should the previous password be cleaned before the new one is assigned and registered?
> 
> Awesome, thank you! That is what I wanted to achieve when I filed the bug, but I did not have an idea about how to clean the existing passwords during cleanup. It's pretty simple and straightforward to get it done in setPassword.

> Won't there be a small performance hit (perhaps negligible) for code that already calls clearPassword? 

The impact should be minimal.  If clearPassword() has been called, the cleanup (Cleanerable.clean()) won't happen again in the finalization or setPassword cleanup. 

> A specification clarification would provide clarity to applications that they do not have to call clearPassword in between calls to setPassword. 

As far as I know from the JDK code, it might not be common to call clearPassword in between calls to setPassword. I would like to have applications calling the clearPassword() method as before, if it is not missed, to speed up the collection rather than rely on finalization.

The relationship among setPassword, getPassword and clearPassword() is complicated. I fully agree that the spec should be clarified. I would like to have the clarification update in another PR, and have this one focus on cleanup if an application forgets to call clearPassword properly.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8272
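The cleanup behaviour discussed in this message, as an added example that is not code from the JDK or from the PR: a hypothetical `SecretHolder` class (all names here are assumptions) uses `java.lang.ref.Cleaner` so that storing a new value wipes the previous buffer, and an explicit clear turns any later cleanup into a no-op.

```java
import java.lang.ref.Cleaner;
import java.util.Arrays;

// Hypothetical holder class for illustration; not the JDK's PasswordCallback.
public final class SecretHolder {
    private static final Cleaner CLEANER = Cleaner.create();

    private char[] secret;
    private Cleaner.Cleanable cleanable;

    // The cleanup action must not capture `this`, otherwise the holder would
    // never become phantom reachable. It references only the buffer to wipe.
    private static Runnable wiperFor(char[] buf) {
        return () -> Arrays.fill(buf, ' ');
    }

    public void setSecret(char[] value) {
        // Wipe the previously stored copy before storing the new one.
        if (cleanable != null) {
            cleanable.clean();   // does nothing if clearSecret() already ran
            cleanable = null;
        }
        secret = null;
        if (value != null && value.length != 0) {
            secret = value.clone();
            // Fallback: the Cleaner wipes the buffer if the caller never clears it.
            cleanable = CLEANER.register(this, wiperFor(secret));
        }
    }

    public char[] getSecret() {
        return secret == null ? null : secret.clone();
    }

    public void clearSecret() {
        if (cleanable != null) {
            cleanable.clean();   // a Cleanable runs its action at most once
        }
    }

    public static void main(String[] args) {
        SecretHolder h = new SecretHolder();
        h.setSecret("first".toCharArray());
        char[] firstBuf = h.secret;   // internal buffer, read here only to inspect it
        h.setSecret("second".toCharArray());
        System.out.println("first buffer wiped: " + new String(firstBuf).isBlank());
        h.clearSecret();
        h.clearSecret();              // second explicit clear is a no-op
        System.out.println("current wiped: " + new String(h.getSecret()).isBlank());
    }
}
```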


