JCE: zero WolfCryptMac.engineInit encodedKey buffer after use

rlm2002 · rlm2002 · commit 2e517487f7ed · 2026-04-24T15:33:58.000-06:00
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptMac.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptMac.java
@@ -24,6 +24,7 @@
 import javax.crypto.MacSpi;
 import java.security.Key;
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.Arrays;
 import java.security.InvalidKeyException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
@@ -232,6 +233,8 @@ protected void engineInit(Key key, AlgorithmParameterSpec params)
             }
         } catch (com.wolfssl.wolfcrypt.WolfCryptException e) {
             throw new InvalidKeyException("Invalid key: " + e.getMessage());
+        } finally {
+            Arrays.fill(encodedKey, (byte)0);
         }
 
         log("init with key and spec");
