On Fri, 19 May 2023 02:19:00 GMT, Martin Balao <mba...@openjdk.org> wrote:
>> Good
>
> I've just noticed that in this case in particular we can clean it up here but
> we need to save a copy in P11PBEKey because if the key has to be transferred
> to a different P11 token, we need to re-derive from the password, salt and
> iteration count. This case would happen for example if you have a P11 key
> from one token and you want to use it in a P11 service from a different
> token. Code is in P11SecretKeyFactory::convertKey. For safety, I'll clone the
> password in the P11PBEKey constructor.

Update: we finally decided to do what I described in my previous comment but in those PBE MAC and Cipher cases in which we know that the key was derived for the same token as the service AND the key cannot be accessed from outside —in other words, there are strong guarantees that the key won't need to be derived again—, we will clear the password.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1199514984
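
The password lifecycle discussed in this message, as an added Java example that is not part of the original message or of the JDK's SunPKCS11 code. The class `RetainedPbeKeyDemo` and its methods are hypothetical, and software PBKDF2 stands in for derivation on a token (an assumption).

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical holder for illustration; this is not the SunPKCS11 P11PBEKey class.
public final class RetainedPbeKeyDemo {
    private final char[] password;   // private copy, owned by this object
    private final byte[] salt;
    private final int iterations;
    private boolean cleared;

    RetainedPbeKeyDemo(char[] password, byte[] salt, int iterations) {
        this.password = password.clone();   // caller may zero its own array afterwards
        this.salt = salt.clone();
        this.iterations = iterations;
    }

    // Stand-in for deriving the key on a token: software PBKDF2 (assumption).
    byte[] derive() throws GeneralSecurityException {
        if (cleared) throw new IllegalStateException("password cleared, cannot re-derive");
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();   // wipe the spec's internal copy
        }
    }

    // Only safe when the key never has to be derived again.
    void clearPassword() {
        Arrays.fill(password, '\0');
        cleared = true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] pw = "constructed-sample".toCharArray();   // constructed sample input
        byte[] salt = new byte[16];                        // constructed fixed salt
        RetainedPbeKeyDemo key = new RetainedPbeKeyDemo(pw, salt, 10_000);
        byte[] first = key.derive();
        Arrays.fill(pw, '\0');                             // caller wipes its own copy
        System.out.println("re-derive after caller wipe matches: "
                + Arrays.equals(first, key.derive()));
        key.clearPassword();
        try { key.derive(); } catch (IllegalStateException e) {
            System.out.println("after clearPassword: " + e.getMessage());
        }
    }
}
```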