
Commit 596fa9f

committed
JCE: zero WolfCryptCipher encodedKey buffers after use
1 parent e10a7d8 commit 596fa9f

1 file changed

Lines changed: 89 additions & 75 deletions


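--- a/src/main/java/com/wolfssl/provider/jce/WolfCryptCipher.java
+++ b/src/main/java/com/wolfssl/provider/jce/WolfCryptCipher.java
@@ -948,86 +948,94 @@ private void wolfCryptSetKey(Key key)
 throw new InvalidKeyException("Key does not support encoding");
 }
 
-switch (cipherType) {
-case WC_AES:
-if (this.direction == OpMode.WC_ENCRYPT) {
-if (cipherMode == CipherMode.WC_GCM) {
-this.aesGcm.setKey(encodedKey);
-}
-else if (cipherMode == CipherMode.WC_CCM) {
-this.aesCcm.setKey(encodedKey);
-}
-else if (cipherMode == CipherMode.WC_CTS) {
-this.aesCts.setKey(encodedKey, iv, AesCts.ENCRYPT_MODE);
-}
-else if (cipherMode == CipherMode.WC_ECB) {
-this.aesEcb.setKey(
-encodedKey, null, AesEcb.ENCRYPT_MODE);
-}
-else if (cipherMode == CipherMode.WC_CTR) {
-this.aesCtr.setKey(encodedKey, iv);
-}
-else if (cipherMode == CipherMode.WC_OFB) {
-this.aesOfb.setKey(encodedKey, iv, AesOfb.ENCRYPT_MODE);
-}
-else {
-this.aes.setKey(encodedKey, iv, Aes.ENCRYPT_MODE);
-}
-} else {
-if (cipherMode == CipherMode.WC_GCM) {
-this.aesGcm.setKey(encodedKey);
-}
-else if (cipherMode == CipherMode.WC_CCM) {
-this.aesCcm.setKey(encodedKey);
-}
-else if (cipherMode == CipherMode.WC_CTS) {
-this.aesCts.setKey(encodedKey, iv, AesCts.DECRYPT_MODE);
-}
-else if (cipherMode == CipherMode.WC_ECB) {
-this.aesEcb.setKey(
-encodedKey, null, AesEcb.DECRYPT_MODE);
-}
-else if (cipherMode == CipherMode.WC_CTR) {
-this.aesCtr.setKey(encodedKey, iv);
-}
-else if (cipherMode == CipherMode.WC_OFB) {
-this.aesOfb.setKey(encodedKey, iv, AesOfb.ENCRYPT_MODE);
-}
-else {
-this.aes.setKey(encodedKey, iv, Aes.DECRYPT_MODE);
+try {
+switch (cipherType) {
+case WC_AES:
+if (this.direction == OpMode.WC_ENCRYPT) {
+if (cipherMode == CipherMode.WC_GCM) {
+this.aesGcm.setKey(encodedKey);
+}
+else if (cipherMode == CipherMode.WC_CCM) {
+this.aesCcm.setKey(encodedKey);
+}
+else if (cipherMode == CipherMode.WC_CTS) {
+this.aesCts.setKey(
+encodedKey, iv, AesCts.ENCRYPT_MODE);
+}
+else if (cipherMode == CipherMode.WC_ECB) {
+this.aesEcb.setKey(
+encodedKey, null, AesEcb.ENCRYPT_MODE);
+}
+else if (cipherMode == CipherMode.WC_CTR) {
+this.aesCtr.setKey(encodedKey, iv);
+}
+else if (cipherMode == CipherMode.WC_OFB) {
+this.aesOfb.setKey(
+encodedKey, iv, AesOfb.ENCRYPT_MODE);
+}
+else {
+this.aes.setKey(encodedKey, iv, Aes.ENCRYPT_MODE);
+}
+} else {
+if (cipherMode == CipherMode.WC_GCM) {
+this.aesGcm.setKey(encodedKey);
+}
+else if (cipherMode == CipherMode.WC_CCM) {
+this.aesCcm.setKey(encodedKey);
+}
+else if (cipherMode == CipherMode.WC_CTS) {
+this.aesCts.setKey(
+encodedKey, iv, AesCts.DECRYPT_MODE);
+}
+else if (cipherMode == CipherMode.WC_ECB) {
+this.aesEcb.setKey(
+encodedKey, null, AesEcb.DECRYPT_MODE);
+}
+else if (cipherMode == CipherMode.WC_CTR) {
+this.aesCtr.setKey(encodedKey, iv);
+}
+else if (cipherMode == CipherMode.WC_OFB) {
+this.aesOfb.setKey(
+encodedKey, iv, AesOfb.ENCRYPT_MODE);
+}
+else {
+this.aes.setKey(encodedKey, iv, Aes.DECRYPT_MODE);
+}
 }
-}
-break;
+break;
 
-case WC_DES3:
-if (this.direction == OpMode.WC_ENCRYPT) {
-this.des3.setKey(encodedKey, iv, Des3.ENCRYPT_MODE);
-} else {
-this.des3.setKey(encodedKey, iv, Des3.DECRYPT_MODE);
-}
-break;
+case WC_DES3:
+if (this.direction == OpMode.WC_ENCRYPT) {
+this.des3.setKey(encodedKey, iv, Des3.ENCRYPT_MODE);
+} else {
+this.des3.setKey(encodedKey, iv, Des3.DECRYPT_MODE);
+}
+break;
 
-case WC_RSA:
+case WC_RSA:
 
-/* reset key struct if needed */
-if (this.rsa != null)
-this.rsa.releaseNativeStruct();
+/* reset key struct if needed */
+if (this.rsa != null)
+this.rsa.releaseNativeStruct();
 
-if (this.rng == null) {
-this.rng = new Rng();
-this.rng.init();
-}
-this.rsa = new Rsa();
-this.rsa.setRng(this.rng);
+if (this.rng == null) {
+this.rng = new Rng();
+this.rng.init();
+}
+this.rsa = new Rsa();
+this.rsa.setRng(this.rng);
 
-if (this.rsaKeyType == RsaKeyType.WC_RSA_PRIVATE) {
+if (this.rsaKeyType == RsaKeyType.WC_RSA_PRIVATE) {
 
-this.rsa.decodePrivateKeyPKCS8(encodedKey);
+this.rsa.decodePrivateKeyPKCS8(encodedKey);
 
-} else {
-this.rsa.decodePublicKey(encodedKey);
-}
-break;
+} else {
+this.rsa.decodePublicKey(encodedKey);
+}
+break;
+}
+} finally {
+zeroArray(encodedKey);
 }
 }
 
@@ -1756,6 +1764,7 @@ protected int engineGetKeySize(Key key)
 throws InvalidKeyException {
 
 byte encodedKey[] = null;
+int kLen = 0;
 
 /* validate key class type */
 if (this.cipherType == CipherType.WC_RSA) {
@@ -1781,7 +1790,9 @@ protected int engineGetKeySize(Key key)
 if (encodedKey == null)
 throw new InvalidKeyException("Key does not support encoding");
 
-return encodedKey.length;
+kLen = encodedKey.length;
+zeroArray(encodedKey);
+return kLen;
 }
 
 @Override
@@ -1857,6 +1868,7 @@ protected byte[] engineWrap(Key key)
 throws IllegalBlockSizeException, InvalidKeyException {
 
 byte[] encodedKey = null;
+byte[] wcBuf;
 
 if (key == null) {
 throw new InvalidKeyException(
@@ -1870,12 +1882,14 @@ protected byte[] engineWrap(Key key)
 }
 
 try {
-return wolfCryptFinal(encodedKey, 0, encodedKey.length);
-
+wcBuf = wolfCryptFinal(encodedKey, 0, encodedKey.length);
 } catch (BadPaddingException e) {
 throw new InvalidKeyException("Failed to wrap key: " +
 e.getMessage(), e);
+} finally {
+zeroArray(encodedKey);
 }
+return wcBuf;
 }
 
 @Override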
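Review bot: The wipe in the new `finally` of wolfCryptSetKey, and the matching `zeroArray(encodedKey)` calls in engineGetKeySize and engineWrap, assumes the array is a private copy of the key bytes; the assignment of `encodedKey` sits outside these hunks, so that cannot be confirmed from the diff. If it comes straight from `key.getEncoded()`, the `java.security.Key` contract does not promise a fresh copy, and a Key implementation that hands back its internal array would have the caller's key cleared by an init or even by a key-size query. The wipe also relies on each `setKey(...)` and `decodePrivateKeyPKCS8(...)` call copying the bytes rather than keeping the array reference, which is not visible here either. I would state both assumptions in a comment above the `finally`, for example `/* encodedKey is our copy from getEncoded(); setKey copies it, so wiping here is safe */`, and add a regression test that initialises a second cipher with the same Key object after the first init.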
