RFR: 8353578: Refactor existing usage of internal HKDF impl to use the KDF API [v4]
Bradford Wetmore
wetmore at openjdk.org
Wed May 7 05:03:15 UTC 2025
On Fri, 25 Apr 2025 18:23:14 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> src/java.base/share/classes/com/sun/crypto/provider/DHKEM.java line 260:
>>
>>> 258: if (eae_prk instanceof SecretKeySpec s) {
>>> 259: SharedSecrets.getJavaxCryptoSpecAccess()
>>> 260: .clearSecretKeySpec(s);
>>
>> I wish we could use `s.destroy()` here instead.
>
> Yes, it'd be nice. I reopened https://bugs.openjdk.org/browse/JDK-8160206 and we can address this separately.
Or in the meantime:
} finally {
// Best effort
if (eae_prk instanceof SecretKeySpec) {
SharedSecrets.getJavaxCryptoSpecAccess()
.clearSecretKeySpec(eae_prk);
} else {
try {
eae_prk.destroy();
} catch (DestroyFailedException e) {
// swallow
}
}
}
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24393#discussion_r2076790901
More information about the security-dev
mailing list