RFR: 8315944: SunJCE provider should not zeroize the deserialized key values
Valerie Peng
valeriep at openjdk.org
Fri Sep 22 19:14:20 UTC 2023
On Wed, 20 Sep 2023 21:56:50 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
> This PR reverts part of the changes under JDK-8312306 which zero-out the deserialized key bytes after an internal copy has been made. If considering the deserialized key bytes as input arguments, such cleaning action may be too aggressive. Thus, on second thought, I am reverting to earlier behavior. No regression test since the changes are trivial.
>
> Thanks!
> Valerie
Based on feedbacks from the corelib team, these serialized bytes are only used internally and zero them out should be safe and won't cause any breakage/undesirable side-effects. Thus, this PR is withdrawn. Thanks Max and Brad for helping to review.
Withdraw
-------------
PR Comment: https://git.openjdk.org/jdk/pull/15848#issuecomment-1731920414
PR Comment: https://git.openjdk.org/jdk/pull/15848#issuecomment-1731921380
More information about the security-dev
mailing list