On Wed, 17 May 2023 18:45:06 GMT, Valerie Peng <valer...@openjdk.org> wrote:
>> Martin Balao has updated the pull request with a new target base due to a
>> merge or a rebase. The incremental webrev excludes the unrelated changes
>> brought in by the merge/rebase. The pull request contains three additional
>> commits since the last revision:
>>
>> - Rebase fix after JDK-8306033. Replace called functions with their new
>> names.
>> - 8301553: Support Password-Based Cryptography in SunPKCS11 (iteration #1)
>>
>> Co-authored-by: Francisco Ferrari <fferr...@redhat.com>
>> Co-authored-by: Martin Balao <mba...@redhat.com>
>> - 8301553: Support Password-Based Cryptography in SunPKCS11
>>
>> Co-authored-by: Francisco Ferrari <fferr...@redhat.com>
>> Co-authored-by: Martin Balao <mba...@redhat.com>
>
> src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java
> line 121:
>
>> 119: keySpec.clearPassword();
>> 120: }
>> 121: SecretKey cipherKey = new SecretKeySpec(derivedKey, "HmacSHA1");
>
> Can clear out the "derivedKey" bytes if no longer needed.
Good
> src/java.base/share/classes/com/sun/crypto/provider/PBES2Core.java line 165:
>
>> 163: byte[] derivedKey = s.getEncoded();
>> 164: s.clearPassword();
>> 165: SecretKeySpec cipherKey = new SecretKeySpec(derivedKey,
>> cipherAlgo);
>
> Clear out the "derivedKey" bytes if no longer needed.
Good
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
> line 345:
>
>> 343: throw new InvalidKeyException("Encoded format must be
>> RAW");
>> 344: }
>> 345: byte[] encoded = key.getEncoded();
>
> Would be nice to clear out "encoded" bytes afterwards.
Good
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198250758
PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198254721
PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198256947
