RFR: 8301553: Support Password-Based Cryptography in SunPKCS11 [v3]

Martin Balao mbalao at openjdk.org
Thu May 18 20:10:10 UTC 2023


On Wed, 17 May 2023 18:45:06 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> Martin Balao has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
>> 
>>  - Rebase fix after JDK-8306033. Replace called functions with their new names.
>>  - 8301553: Support Password-Based Cryptography in SunPKCS11 (iteration #1)
>>    
>>    Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>>    Co-authored-by: Martin Balao <mbalao at redhat.com>
>>  - 8301553: Support Password-Based Cryptography in SunPKCS11
>>    
>>    Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>>    Co-authored-by: Martin Balao <mbalao at redhat.com>
>
> src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java line 121:
> 
>> 119:             keySpec.clearPassword();
>> 120:         }
>> 121:         SecretKey cipherKey = new SecretKeySpec(derivedKey, "HmacSHA1");
> 
> Can clear out the "derivedKey" bytes if no longer needed.

Good

> src/java.base/share/classes/com/sun/crypto/provider/PBES2Core.java line 165:
> 
>> 163:         byte[] derivedKey = s.getEncoded();
>> 164:         s.clearPassword();
>> 165:         SecretKeySpec cipherKey = new SecretKeySpec(derivedKey, cipherAlgo);
> 
> Clear out the "derivedKey" bytes if no longer needed.

Good

> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java line 345:
> 
>> 343:                 throw new InvalidKeyException("Encoded format must be RAW");
>> 344:             }
>> 345:             byte[] encoded = key.getEncoded();
> 
> Would be nice to clear out "encoded" bytes afterwards.

Good

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198250758
PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198254721
PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198256947



More information about the security-dev mailing list