RFR: 8284910: Buffer clean in PasswordCallback [v4]

Sean Mullan mullan at openjdk.java.net
Mon Apr 25 20:45:59 UTC 2022


On Thu, 21 Apr 2022 06:55:22 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> Please review this password cleanup enhancement in the PasswordCallback implementation.  This is one of the effort to clean up the buffered passwords.
>> 
>> The PasswordCallback.setPassword() clones the password, but is not registered for cleanup. An application could call clearPassword() for the purpose, but it would be nice to cleanup the buffer as well if clearPassword() was not called in an application. And, if the setPassword() get called multiple times, the clearPassword() should also be called the same times if not relying on finalization. It could be fragile in practice.
>
> Xue-Lei Andrew Fan has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Code clean up per feedback

test/jdk/javax/security/auth/callback/PasswordCleanup.java line 58:

> 56:     }
> 57: 
> 58:     private static void clearWithMethod() throws Exception {

This looks like the exact same test as `clearAtCollection`.

test/jdk/javax/security/auth/callback/PasswordCleanup.java line 74:

> 72:     }
> 73: 
> 74:     private static void checkClearing() throws Exception {

How is this test testing that the password is cleared?

test/jdk/javax/security/auth/callback/PasswordCleanup.java line 83:

> 81:         // Check if the object has been collected.
> 82:         if (weakHashMap.size() > 0) {
> 83:             throw new RuntimeException("GSSName object is not released");

Did you mean to say "PasswordCallback object is not released"?

-------------

PR: https://git.openjdk.java.net/jdk/pull/8272


More information about the security-dev mailing list