
Commit a1f8179

committed
added explicit zero out for temporary PBE keys - relates to github #2143
1 parent e67cccf commit a1f8179


1 file changed

+20
-6
lines changed


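--- a/prov/src/main/java/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java
+++ b/prov/src/main/java/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java
@@ -76,8 +76,8 @@
 import org.bouncycastle.asn1.pkcs.KeyDerivationFunc;
 import org.bouncycastle.asn1.pkcs.MacData;
 import org.bouncycastle.asn1.pkcs.PBES2Parameters;
-import org.bouncycastle.asn1.pkcs.PBMAC1Params;
 import org.bouncycastle.asn1.pkcs.PBKDF2Params;
+import org.bouncycastle.asn1.pkcs.PBMAC1Params;
 import org.bouncycastle.asn1.pkcs.PKCS12PBEParams;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.pkcs.Pfx;
@@ -757,12 +757,13 @@ protected byte[] cryptData(
 if (algorithm.on(PKCSObjectIdentifiers.pkcs_12PbeIds))
 {
 PKCS12PBEParams pbeParams = PKCS12PBEParams.getInstance(algId.getParameters());
+PKCS12Key key = new PKCS12Key(password, wrongPKCS12Zero);
+
 try
 {
 PBEParameterSpec defParams = new PBEParameterSpec(
 pbeParams.getIV(),
 BigIntegers.intValueExact(pbeParams.getIterations()));
-PKCS12Key key = new PKCS12Key(password, wrongPKCS12Zero);
 
 Cipher cipher = helper.createCipher(algorithm.getId());
 
@@ -773,6 +774,10 @@ protected byte[] cryptData(
 {
 throw new IOException("exception decrypting data - " + e.toString());
 }
+finally
+{
+Arrays.clear(key.getPassword());
+}
 }
 else if (algorithm.equals(PKCSObjectIdentifiers.id_PBES2))
 {
@@ -2082,12 +2087,21 @@ private byte[] calculatePbeMac(
 }
 
 PBEParameterSpec defParams = new PBEParameterSpec(salt, itCount);
+PKCS12Key key = new PKCS12Key(password, wrongPkcs12Zero);
 
-Mac mac = helper.createMac(oid.getId());
-mac.init(new PKCS12Key(password, wrongPkcs12Zero), defParams);
-mac.update(data);
+try
+{
+Mac mac = helper.createMac(oid.getId());
+
+mac.init(key, defParams);
+mac.update(data);
 
-return mac.doFinal();
+return mac.doFinal();
+}
+finally
+{
+Arrays.clear(key.getPassword());
+}
 }
 
 private static Digest getPrf(ASN1ObjectIdentifier prfId)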
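Review bot: Both new `finally` blocks wipe the array returned by `key.getPassword()`, which only scrubs the temporary key if that accessor hands back the `PKCS12Key`'s own internal array; if it returns a defensive copy, the clear is a no-op and the copied password stays on the heap. Neither hunk shows the accessor, so I would state that reliance at each site, e.g. `// getPassword() returns the key's internal array, so this wipes the copy made by the constructor`, and ideally pin it with a test that checks the key's password is all zeros after the call. The `id_PBES2` branch that follows in `cryptData` is only visible as context here, so it is worth confirming whether its key material gets the same treatment. Both `cryptData` and `calculatePbeMac` start outside the hunks shown.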
