I found another issue related to this topic. Quite a number of bits of code are printing out the content of the private exponent of the RSA Private Keys by default into the toString() output, which could lead to key compromise if they're printed into a log.
share/classes/sun/security/pkcs11/P11Key.java:552: sb.append("\n private exponent: ");
share/classes/sun/security/pkcs11/P11Key.java:624: sb.append("\n private exponent: ");
share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java:238: sb.append("\n private exponent: ");
share/classes/sun/security/rsa/RSAPrivateKeyImpl.java:105: + n + "\n private exponent: " + d;

Ordinarily I believe FIPS and PCI would require that there isn't any code sitting around that could accidentally or unexpectedly print out the private key data. Is this toString() behaving that way for a good reason?

Matthew.
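A small check for the behaviour Matthew describes, added here as an example rather than taken from the thread or from the JDK sources: it generates an RSA key pair with the default provider, tests whether the private key's toString() output embeds the private exponent (or, for CRT keys, the primes) in decimal or hex, and shows the kind of description that is safe to put in a log instead (algorithm, size, format and a SHA-256 fingerprint of the public key). Whether the check reports a leak depends on the JDK version and provider in use; the class and method names below are my own, not JDK API.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not JDK code: detects an RSA private key whose toString()
 * embeds secret material, and builds a log-safe description instead.
 */
public class PrivateKeyToStringCheck {

    /** True if toString() contains d (or, for CRT keys, p or q) in decimal or lower-case hex. */
    static boolean toStringLeaksSecrets(RSAPrivateKey key) {
        String s = key.toString();
        String lower = s.toLowerCase();
        List<BigInteger> secrets = new ArrayList<>();
        secrets.add(key.getPrivateExponent());
        if (key instanceof RSAPrivateCrtKey) {
            RSAPrivateCrtKey crt = (RSAPrivateCrtKey) key;
            secrets.add(crt.getPrimeP());
            secrets.add(crt.getPrimeQ());
        }
        for (BigInteger v : secrets) {
            // A 2048-bit value will not appear in the output by accident.
            if (s.contains(v.toString(10)) || lower.contains(v.toString(16))) {
                return true;
            }
        }
        return false;
    }

    /** What a log line should carry: identity of the key, never its secret components. */
    static String safeDescription(PrivateKey priv, PublicKey pub) throws NoSuchAlgorithmException {
        byte[] fp = MessageDigest.getInstance("SHA-256").digest(pub.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : fp) {
            hex.append(String.format("%02x", b));
        }
        int bits = (pub instanceof RSAPublicKey) ? ((RSAPublicKey) pub).getModulus().bitLength() : -1;
        return priv.getAlgorithm() + " private key, " + bits + " bits, format=" + priv.getFormat()
                + ", pubkey SHA-256=" + hex;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        RSAPrivateKey priv = (RSAPrivateKey) kp.getPrivate();

        System.out.println("implementation: " + priv.getClass().getName());
        System.out.println("toString() leaks private material: " + toStringLeaksSecrets(priv));
        // Log this form, not the key object itself (string concatenation calls toString()).
        System.out.println("log-safe form: " + safeDescription(priv, kp.getPublic()));
    }
}
```

Run it once per JDK and provider you deploy on; any logging call that concatenates or formats a PrivateKey object directly should go through something like safeDescription instead, and the check above can be kept as a unit test so a provider upgrade that changes toString() is noticed.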