JCE: zero privKeyBytes buffer before leaking wolfCryptInitPrivateKey

rlm2002 · rlm2002 · commit a9268ded9cae · 2026-04-27T17:50:08.000-06:00
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptSignature.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptSignature.java
@@ -345,7 +345,11 @@ private void wolfCryptInitPrivateKey(PrivateKey key, byte[] encodedKey)
                     privKeyBytes = ecPriv.getS().toByteArray();
                 }
 
-                this.ecc.importPrivate(privKeyBytes, null);
+                try {
+                    this.ecc.importPrivate(privKeyBytes, null);
+                } finally {
+                    zeroArray(privKeyBytes);
+                }
 
                 break;
         }

Original file line number	Diff line number	Diff line change
`@@ -345,7 +345,11 @@ private void wolfCryptInitPrivateKey(PrivateKey key, byte[] encodedKey)`
`345`	`345`	`privKeyBytes = ecPriv.getS().toByteArray();`
`346`	`346`	`}`
`347`	`347`
`348`		`- this.ecc.importPrivate(privKeyBytes, null);`
	`348`	`+ try {`
	`349`	`+ this.ecc.importPrivate(privKeyBytes, null);`
	`350`	`+ } finally {`
	`351`	`+ zeroArray(privKeyBytes);`
	`352`	`+ }`
`349`	`353`
`350`	`354`	`break;`
`351`	`355`	`}`