RFR: 8370082: Intermediate objects clean up in ECDH, XDH, DHKEM, and HKDF [v2]
Weijun Wang
weijun at openjdk.org
Wed Oct 22 14:38:03 UTC 2025
On Wed, 22 Oct 2025 14:02:32 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> Weijun Wang has updated the pull request incrementally with two additional commits since the last revision:
>>
>> - do not store key as bytes in XDH
>> - add ECDH and XDH
>
> src/java.base/share/classes/com/sun/crypto/provider/DHKEM.java line 92:
>
>> 90: } finally {
>> 91: if (key != null) {
>> 92: Arrays.fill(key, (byte)0);
>
> It's not immediately obvious to the caller that the key is being cloned in `SecretKeySpec` constructor. I think a short comment explaining what we are doing would be helpful here and below.
// `key` has been cloned into the `SecretKeySpec` within the
// returned `KEM.Encapsulated`, so it can now be cleared.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27921#discussion_r2452326250
More information about the security-dev
mailing list