On Thu, 18 Feb 2021 05:03:58 GMT, Valerie Peng <valer...@openjdk.org> wrote:
>> Weijun Wang has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> materials
>
> src/java.base/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java
> line 97:
>
>> 95: } finally {
>> 96: Arrays.fill(masterSecret, (byte)0);
>> 97: }
>
> It seems that for other Tls* classes, the Arrays.fill(...) call is still
> inside each method instead of being moved up a level. Just curious why this
> is done differently?
The `engineGenerateKey0` method is quite long and I don't want to wrap
everything in a big try-finally block, so I move it a little higher. Now
`masterSecret` is still created and cleaned in the same method.
> src/java.base/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java
> line 186:
>
>> 184: serverMacKey = new SecretKeySpec(tmp, "Mac");
>> 185:
>> 186: Arrays.fill(tmp, (byte)0);
>
> It looks like you can use the SecretKeySpec(byte[], int, int, String) to
> simplify the code at line 175-186. Essentially, the code block does:
> clientMacKey = new SecretKeySpec(keyBlock, ofs, macLength, "Mac");
> ofs += macLength;
> serverMacKey = new SecretKeySpec(keyBlock, ofs, macLength, "Mac");
Good idea.
> src/java.base/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java
> line 220:
>
>> 218: System.arraycopy(keyBlock, ofs, tmp, 0, ivLength);
>> 219: ofs += ivLength;
>> 220: serverIv = new IvParameterSpec(tmp);
>
> Seems easier to just use the IvParameterSpec(byte[], int, int) constructor?
Yes.
> src/java.base/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java
> line 251:
>
>> 249: clientIv = new IvParameterSpec(tmp);
>> 250: System.arraycopy(block, ivLength, tmp, 0,
>> ivLength);
>> 251: serverIv = new IvParameterSpec(tmp);
>
> Again, consider using IvParameterSpec(byte[], int, int) and get rid of tmp?
Yes.
-------------
PR: https://git.openjdk.java.net/jdk/pull/2070
