--- a/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java Fri Aug 03 11:06:10 2018 +0200
+++ b/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java Fri Aug 03 14:14:59 2018 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@
import java.security.MessageDigest;
import java.security.KeyRep;
import java.security.spec.InvalidKeySpecException;
+import java.util.Arrays;
import java.util.Locale;
import javax.crypto.SecretKey;
import javax.crypto.spec.PBEKeySpec;
@@ -54,7 +55,8 @@
*
* @param keytype the given PBE key specification
*/
- PBEKey(PBEKeySpec keySpec, String keytype) throws InvalidKeySpecException {
+ PBEKey(PBEKeySpec keySpec, String keytype, boolean useCleaner)
+ throws InvalidKeySpecException {
char[] passwd = keySpec.getPassword();
if (passwd == null) {
// Should allow an empty password.
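Review bot: The new `useCleaner` parameter has no Javadoc entry, and the one `@param` tag visible above the signature describes `keytype` as "the given PBE key specification", which is really the description of `keySpec`. Because the flag decides whether the key bytes are ever zeroed automatically, the contract should be stated at the signature, for example `@param useCleaner true to register a cleaner that zeroes the key once this object is unreachable; if false, the caller must call destroy()`. I would also add `@param keySpec the given PBE key specification` and reword the `keytype` line to name the algorithm. The constructor body continues outside this hunk.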
@@ -71,13 +73,15 @@
this.key = new byte[passwd.length];
for (int i=0; i<passwd.length; i++)
this.key[i] = (byte) (passwd[i] & 0x7f);
- java.util.Arrays.fill(passwd, ' ');
+ Arrays.fill(passwd, ' ');
type = keytype;
// Use the cleaner to zero the key when no longer referenced
- final byte[] k = this.key;
- CleanerFactory.cleaner().register(this,
- () -> java.util.Arrays.fill(k, (byte)0x00));
+ if (useCleaner) {
+ final byte[] k = this.key;
+ CleanerFactory.cleaner().register(this,
+ () -> Arrays.fill(k, (byte) 0x00));
+ }
}
public byte[] getEncoded() {
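Review bot: The comment `// Use the cleaner to zero the key when no longer referenced` now sits above a branch that may not run, so it reads as a guarantee the code no longer gives. With `useCleaner` false, the password-derived bytes in `this.key` stay in memory until something calls `destroy()`, and nothing in this hunk shows which callers do that. I would reword the comment to something like `// Optionally zero the key via the cleaner; callers passing false must call destroy() themselves`. It is also worth checking that every call site passing `false` clears the key on its error paths too.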
@@ -122,11 +126,23 @@
byte[] thatEncoded = that.getEncoded();
boolean ret = MessageDigest.isEqual(this.key, thatEncoded);
- java.util.Arrays.fill(thatEncoded, (byte)0x00);
+ Arrays.fill(thatEncoded, (byte)0x00);
return ret;
}
/**
+ * Clears the internal copy of the key.
+ *
+ */
+ @Override
+ public void destroy() {
+ if (key != null) {
+ Arrays.fill(key, (byte) 0x00);
+ key = null;
+ }
+ }
+
+ /**
* readObject is called to restore the state of this key from
* a stream.
*/
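Review bot: `destroy()` sets `key` to null, but nothing in this hunk overrides `isDestroyed()`, so unless it is defined elsewhere in the file the `Destroyable` default keeps returning false after the key is wiped. A matching override would be `@Override public boolean isDestroyed() { return key == null; }`. Methods outside this hunk that dereference `key` (`getEncoded()` and `hashCode()`, presumably) would then fail with a `NullPointerException` on a destroyed key rather than a deliberate `IllegalStateException`, so they should check for the destroyed state. `destroy()` is also not synchronized, so a concurrent reader could see the array mid-wipe; confirm whether the other accessors take the object lock and match them.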