RFR: 8301553: Support Password-Based Cryptography in SunPKCS11 [v3]

Martin Balao mbalao at openjdk.org
Fri May 19 02:22:05 UTC 2023


On Thu, 18 May 2023 20:10:04 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java line 362:
>> 
>>> 360:             session = token.getObjSession();
>>> 361:             CK_MECHANISM ckMech;
>>> 362:             char[] password = keySpec.getPassword();
>> 
>> Should clear out "password" afterwards.
>
> Good

I've just noticed that in this case in particular we can clean it up here but we need to save a copy in P11PBEKey because if the key has to be transferred to a different P11 token, we need to re-derive from the password, salt and iteration count. This case would happen for example if you have a P11 key from one token and you want to use it in a P11 service from a different token. Code is in P11SecretKeyFactory::convertKey. For safety, I'll clone the password in the P11PBEKey constructor.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198481207
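
The pattern discussed in this message, as an added example that is not part of the original message and not the JDK's own code: the key object keeps a private clone of the password so it can re-derive later, while the caller wipes its own array. The class `RederivableKey`, the software PBKDF2 derivation standing in for the token transfer, and all sample values are assumptions made for illustration.

```java
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Destroyable;

public class PbePasswordCopyDemo {
    // Hypothetical holder for illustration; not the JDK's P11PBEKey.
    static final class RederivableKey implements Destroyable {
        private final char[] password;
        private final byte[] salt;
        private final int iterations;
        private boolean destroyed;

        RederivableKey(char[] password, byte[] salt, int iterations) {
            this.password = password.clone(); // private copy survives the caller's cleanup
            this.salt = salt.clone();
            this.iterations = iterations;
        }

        // Re-derive the key bytes from password, salt and iteration count,
        // standing in for what a move to a different token would require.
        byte[] derive(int keyBits) throws Exception {
            if (destroyed) throw new IllegalStateException("key destroyed");
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
            try {
                return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                        .generateSecret(spec).getEncoded();
            } finally {
                spec.clearPassword(); // PBEKeySpec holds its own clone; wipe it too
            }
        }

        @Override public void destroy() {
            Arrays.fill(password, '\0'); // zero the retained copy when the key is retired
            destroyed = true;
        }
        @Override public boolean isDestroyed() { return destroyed; }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "constructed-sample".toCharArray(); // constructed sample value
        byte[] salt = new byte[16]; // constructed all-zero salt, demo only
        RederivableKey key = new RederivableKey(password, salt, 10_000);
        byte[] first = key.derive(256);
        Arrays.fill(password, '\0');     // caller clears its array after use
        byte[] second = key.derive(256); // still works: the key kept its own clone
        System.out.println("re-derivation matches: " + Arrays.equals(first, second));
        key.destroy();
        System.out.println("destroyed: " + key.isDestroyed());
    }
}
```

Without the `clone()` in the constructor, the caller's `Arrays.fill` would also zero the key's stored password and the second derivation would produce a different key.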


