Hello,

Can anyone please respond to my feedback on the PKCS #11 provider? It's been one month since I posted about several potential issues with the code. I would like to hear from someone with the necessary expertise. The OpenJDK process isn't very community-friendly if nobody will try to reply.

Thanks,
Matthew Hall.

On Tue, Feb 19, 2013 at 04:59:29PM -0800, Matthew Hall wrote:
> I found another issue related to this topic.
>
> Quite a number of bits of code are printing out the content of the private
> exponent of the RSA Private Keys by default into the toString() output, which
> could lead to key compromise if they're printed into a log.
>
> share/classes/sun/security/pkcs11/P11Key.java:552: sb.append("\n private exponent: ");
> share/classes/sun/security/pkcs11/P11Key.java:624: sb.append("\n private exponent: ");
> share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java:238: sb.append("\n private exponent: ");
> share/classes/sun/security/rsa/RSAPrivateKeyImpl.java:105: + n + "\n private exponent: " + d;
>
> Ordinarily I believe FIPS and PCI would require that there isn't any code
> sitting around that could accidentally or unexpectedly print out the private
> key data. Is this toString() behaving that way for a good reason?
>
> Matthew.
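A defender-side check for the issue raised in the quoted post, added here as an example and not code from the thread or from OpenJDK: it generates an RSA key, tests whether the JDK's toString() output contains the private exponent d, and shows a log-safe description that omits every private component. The class and method names are my own.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPrivateKey;

// Added example (not JDK code): detect private-exponent leakage in a rendered
// key string and provide a description that is safe to write to a log.
public class RsaKeyLogSafety {

    // True if the rendered text contains the private exponent d, in decimal
    // or hexadecimal form (the two ways a BigInteger is commonly printed).
    static boolean leaksPrivateExponent(String rendered, RSAPrivateKey key) {
        BigInteger d = key.getPrivateExponent();
        return rendered.contains(d.toString())
            || rendered.toLowerCase().contains(d.toString(16));
    }

    // Log-safe description: algorithm, modulus size, encoding format and the
    // public exponent only. Never includes d, p, q or the CRT coefficients.
    static String describe(RSAPrivateKey key) {
        StringBuilder sb = new StringBuilder();
        sb.append(key.getAlgorithm()).append(" private key, ")
          .append(key.getModulus().bitLength()).append(" bits, format=")
          .append(key.getFormat());
        if (key instanceof RSAPrivateCrtKey) {
            sb.append(", public exponent=")
              .append(((RSAPrivateCrtKey) key).getPublicExponent());
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        RSAPrivateKey priv = (RSAPrivateKey) kp.getPrivate();

        // What a naive log statement such as log.debug("key=" + key) would emit:
        String naive = priv.toString();
        System.out.println("toString() leaks d: " + leaksPrivateExponent(naive, priv));

        // What should reach the log instead:
        String safe = describe(priv);
        System.out.println(safe);
        System.out.println("describe() leaks d: " + leaksPrivateExponent(safe, priv));
    }
}
```

Running this against a given JDK build tells you directly whether its RSA key classes still print d, which is the check to repeat after any JDK upgrade or when a different provider (such as the PKCS #11 one) supplies the key object.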