Skip to content

Commit 570faa4

Browse files
rlm2002rlm2002
committed
JCE: zero WolfCryptSignature PKCS8 private key buffer after use
1 parent 2e51748 commit 570faa4

1 file changed

Lines changed: 57 additions & 52 deletions

File tree

src/main/java/com/wolfssl/provider/jce/WolfCryptSignature.java

Lines changed: 57 additions & 52 deletions
Original file line numberDiff line numberDiff line change
@@ -447,69 +447,74 @@ protected synchronized void engineInitSign(PrivateKey privateKey)
447447
if (encodedKey == null)
448448
throw new InvalidKeyException("Key does not support encoding");
449449

450-
/* initialize native struct */
451-
switch (keyType) {
452-
case WC_RSA:
453-
if (this.rsa != null) {
454-
this.rsa.releaseNativeStruct();
455-
}
456-
this.rsa = new Rsa();
457-
break;
458-
case WC_ECDSA:
459-
if (this.ecc != null) {
460-
this.ecc.releaseNativeStruct();
461-
}
462-
synchronized (this.rngLock) {
463-
this.ecc = new Ecc(this.rng);
464-
}
465-
break;
466-
}
450+
try {
451+
/* initialize native struct */
452+
switch (keyType) {
453+
case WC_RSA:
454+
if (this.rsa != null) {
455+
this.rsa.releaseNativeStruct();
456+
}
457+
this.rsa = new Rsa();
458+
break;
459+
case WC_ECDSA:
460+
if (this.ecc != null) {
461+
this.ecc.releaseNativeStruct();
462+
}
463+
synchronized (this.rngLock) {
464+
this.ecc = new Ecc(this.rng);
465+
}
466+
break;
467+
}
467468

468-
wolfCryptInitPrivateKey(privateKey, encodedKey);
469+
wolfCryptInitPrivateKey(privateKey, encodedKey);
469470

470-
/* init hash object if digest type is set */
471-
if (this.digestType == null) {
472-
/* For RSASSA-PSS, hash init will happen in engineSetParameter() */
473-
log("init sign with PrivateKey (hash init deferred for PSS)");
474-
return;
475-
}
471+
/* init hash object if digest type is set */
472+
if (this.digestType == null) {
473+
/* For RSASSA-PSS, hash init will happen in
474+
* engineSetParameter() */
475+
log("init sign with PrivateKey (hash init deferred for PSS)");
476+
return;
477+
}
476478

477-
synchronized (hashLock) {
478-
switch (this.digestType) {
479-
case WC_MD5:
480-
this.md5.init();
481-
break;
479+
synchronized (hashLock) {
480+
switch (this.digestType) {
481+
case WC_MD5:
482+
this.md5.init();
483+
break;
482484

483-
case WC_SHA1:
484-
this.sha.init();
485-
break;
485+
case WC_SHA1:
486+
this.sha.init();
487+
break;
486488

487-
case WC_SHA224:
488-
this.sha224.init();
489-
break;
489+
case WC_SHA224:
490+
this.sha224.init();
491+
break;
490492

491-
case WC_SHA256:
492-
this.sha256.init();
493-
break;
493+
case WC_SHA256:
494+
this.sha256.init();
495+
break;
494496

495-
case WC_SHA384:
496-
this.sha384.init();
497-
break;
497+
case WC_SHA384:
498+
this.sha384.init();
499+
break;
498500

499-
case WC_SHA512:
500-
this.sha512.init();
501-
break;
501+
case WC_SHA512:
502+
this.sha512.init();
503+
break;
502504

503-
case WC_SHA3_224:
504-
case WC_SHA3_256:
505-
case WC_SHA3_384:
506-
case WC_SHA3_512:
507-
this.sha3.init();
508-
break;
505+
case WC_SHA3_224:
506+
case WC_SHA3_256:
507+
case WC_SHA3_384:
508+
case WC_SHA3_512:
509+
this.sha3.init();
510+
break;
511+
}
509512
}
510-
}
511513

512-
log("init sign with PrivateKey");
514+
log("init sign with PrivateKey");
515+
} finally {
516+
zeroArray(encodedKey);
517+
}
513518
}
514519

515520
@Override

0 commit comments

Comments
 (0)