On Wed, 17 May 2023 18:45:06 GMT, Valerie Peng <valer...@openjdk.org> wrote:
>> Martin Balao has updated the pull request with a new target base due to a >> merge or a rebase. The incremental webrev excludes the unrelated changes >> brought in by the merge/rebase. The pull request contains three additional >> commits since the last revision: >> >> - Rebase fix after JDK-8306033. Replace called functions with their new >> names. >> - 8301553: Support Password-Based Cryptography in SunPKCS11 (iteration #1) >> >> Co-authored-by: Francisco Ferrari <fferr...@redhat.com> >> Co-authored-by: Martin Balao <mba...@redhat.com> >> - 8301553: Support Password-Based Cryptography in SunPKCS11 >> >> Co-authored-by: Francisco Ferrari <fferr...@redhat.com> >> Co-authored-by: Martin Balao <mba...@redhat.com> > > src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java > line 121: > >> 119: keySpec.clearPassword(); >> 120: } >> 121: SecretKey cipherKey = new SecretKeySpec(derivedKey, "HmacSHA1"); > > Can clear out the "derivedKey" bytes if no longer needed. Good > src/java.base/share/classes/com/sun/crypto/provider/PBES2Core.java line 165: > >> 163: byte[] derivedKey = s.getEncoded(); >> 164: s.clearPassword(); >> 165: SecretKeySpec cipherKey = new SecretKeySpec(derivedKey, >> cipherAlgo); > > Clear out the "derivedKey" bytes if no longer needed. Good > src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java > line 345: > >> 343: throw new InvalidKeyException("Encoded format must be >> RAW"); >> 344: } >> 345: byte[] encoded = key.getEncoded(); > > Would be nice to clear out "encoded" bytes afterwards. Good ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198250758 PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198254721 PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198256947