RFR: 8301553: Support Password-Based Cryptography in SunPKCS11 [v3]
Martin Balao
mbalao at openjdk.org
Thu May 18 20:10:10 UTC 2023
On Wed, 17 May 2023 18:45:06 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> Martin Balao has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
>>
>> - Rebase fix after JDK-8306033. Replace called functions with their new names.
>> - 8301553: Support Password-Based Cryptography in SunPKCS11 (iteration #1)
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>> - 8301553: Support Password-Based Cryptography in SunPKCS11
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>
> src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java line 121:
>
>> 119: keySpec.clearPassword();
>> 120: }
>> 121: SecretKey cipherKey = new SecretKeySpec(derivedKey, "HmacSHA1");
>
> Can clear out the "derivedKey" bytes if no longer needed.
Good
> src/java.base/share/classes/com/sun/crypto/provider/PBES2Core.java line 165:
>
>> 163: byte[] derivedKey = s.getEncoded();
>> 164: s.clearPassword();
>> 165: SecretKeySpec cipherKey = new SecretKeySpec(derivedKey, cipherAlgo);
>
> Clear out the "derivedKey" bytes if no longer needed.
Good
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java line 345:
>
>> 343: throw new InvalidKeyException("Encoded format must be RAW");
>> 344: }
>> 345: byte[] encoded = key.getEncoded();
>
> Would be nice to clear out "encoded" bytes afterwards.
Good
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198250758
PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198254721
PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198256947
More information about the security-dev
mailing list