Hi Matthew,
I reached out to you outside this list not long ago. We have not forgot about
you. ;o)
Can you quickly enumerate your concerns (#1, #2, etc)? They seem mostly
related to zeroization. I just want to be sure we capture all your concerns
and don't miss any.
Regards,
Milton
On Mar 18, 2013, at 1:05 PM, Matthew Hall <mh...@mhcomputing.net> wrote:
> Hello,
>
> Can anyone please respond to my feedback on the PKCS #11 provider? It's been
> one month since I posted about several potential issues with the code. I
> would
> like to hear from someone with the necessary expertise. The OpenJDK process
> isn't very community-friendly if nobody will try to reply.
>
> Thanks,
> Matthew Hall.
>
> On Tue, Feb 19, 2013 at 04:59:29PM -0800, Matthew Hall wrote:
>> I found another issue related to this topic.
>>
>> Quite a number of bits of code are printing out the content of the private
>> exponent of the RSA Private Keys by default into the toString() output,
>> which
>> could lead to key compromise if they're printed into a log.
>>
>> share/classes/sun/security/pkcs11/P11Key.java:552: sb.append("\n
>> private exponent: ");
>> share/classes/sun/security/pkcs11/P11Key.java:624: sb.append("\n
>> private exponent: ");
>> share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java:238:
>> sb.append("\n private exponent: ");
>> share/classes/sun/security/rsa/RSAPrivateKeyImpl.java:105: +
>> n + "\n private exponent: " + d;
>>
>> Ordinarily I believe FIPS and PCI would require that there isn't any code
>> sitting around that could accidentally or unexpectedly print out the private
>> key data. Is this toString() behaving that way for a good reason?
>>
>> Matthew.
