On Thu, 18 May 2023 20:10:04 GMT, Martin Balao <mba...@openjdk.org> wrote:
>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java line 362:
>>
>>> 360:         session = token.getObjSession();
>>> 361:         CK_MECHANISM ckMech;
>>> 362:         char[] password = keySpec.getPassword();
>>
>> Should clear out "password" afterwards.
>
> Good

I've just noticed that in this case in particular we can clean it up here, but we need to save a copy in P11PBEKey because if the key has to be transferred to a different P11 token, we need to re-derive from the password, salt and iteration count. This case would happen, for example, if you have a P11 key from one token and you want to use it in a P11 service from a different token. Code is in P11SecretKeyFactory::convertKey. For safety, I'll clone the password in the P11PBEKey constructor.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1198481207
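The pattern discussed above (clone the password into the key object so the caller can clear its own array, while the key can still re-derive itself for another token) as an added illustration; this is not the JDK's P11PBEKey or convertKey code, and the class name, PBKDF2 algorithm and sample inputs are assumptions made here:

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Illustrative PBE key holder (not the JDK's P11PBEKey). It owns a private copy of
// the password, salt and iteration count so the key can be re-derived later, e.g.
// when the key must be moved to a different provider or token.
final class PbeKeyHolder implements AutoCloseable {
    private final char[] password;   // defensive clone: the caller may wipe its array
    private final byte[] salt;
    private final int iterations;
    private final int keyLengthBits;
    private boolean destroyed;

    PbeKeyHolder(char[] password, byte[] salt, int iterations, int keyLengthBits) {
        this.password = password.clone();
        this.salt = salt.clone();
        this.iterations = iterations;
        this.keyLengthBits = keyLengthBits;
    }

    // Re-derive the key material from the retained inputs.
    SecretKey derive(String pbkdfAlgorithm) throws GeneralSecurityException {
        if (destroyed) throw new IllegalStateException("key material destroyed");
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyLengthBits);
        try {
            return SecretKeyFactory.getInstance(pbkdfAlgorithm).generateSecret(spec);
        } finally {
            spec.clearPassword();   // PBEKeySpec keeps its own copy; wipe it
        }
    }

    @Override public void close() {
        Arrays.fill(password, '\0');  // wipe the retained copy when no longer needed
        Arrays.fill(salt, (byte) 0);
        destroyed = true;
    }

    public static void main(String[] args) throws Exception {
        char[] callerPassword = "sample-passphrase".toCharArray(); // constructed sample
        byte[] salt = new byte[16];                                 // constructed sample
        try (PbeKeyHolder holder = new PbeKeyHolder(callerPassword, salt, 10_000, 256)) {
            Arrays.fill(callerPassword, '\0'); // caller clears its copy right away
            SecretKey first = holder.derive("PBKDF2WithHmacSHA256");
            SecretKey again = holder.derive("PBKDF2WithHmacSHA256");
            // Both derivations come from the holder's clone, so they match
            System.out.println(Arrays.equals(first.getEncoded(), again.getEncoded()));
        }
    }
}
```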