RFR: 8368073: PKCS11 HKDF can't use byte array IKM in FIPS mode [v2]

Daniel Jeliński djelinski at openjdk.org
Tue Sep 23 16:16:26 UTC 2025


On Tue, 23 Sep 2025 00:03:18 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11HKDF.java line 268:
>> 
>>> 266:     }
>>> 267: 
>>> 268:     private long convertKeyToData(byte[] keyBytes) {
>> 
>> Check `keyBytes` being non-null?
>
> Consider using `SecretKey` argument instead of `byte[]` so it's clear that `keyBytes` is entirely internal, then add a `finally` block to the `try` block to erase the key encoding, i.e. 
> 
> +        } finally {
> +            Arrays.fill(keyBytes, (byte)0);
> +        }
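
Review bot: `Arrays.fill(keyBytes, (byte)0)` in the suggested `finally` block needs a null guard. The earlier comment on line 268 already asks whether `keyBytes` can be null, and if the method takes a `SecretKey`, `getEncoded()` returns null for a key that does not support encoding. A `NullPointerException` thrown from `finally` would then replace whatever exception the `try` body raised. Suggest `if (keyBytes != null) { Arrays.fill(keyBytes, (byte)0); }`.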

Done.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27384#discussion_r2372780641

