JCE: zero encodedKey buffer in DH/EC/RSA Key Factories before returning

rlm2002 · rlm2002 · commit dae76c5f42e4 · 2026-04-24T15:33:58.000-06:00
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptDHKeyFactory.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptDHKeyFactory.java
@@ -440,7 +440,9 @@ private <T extends KeySpec> T getPrivateKeySpec(DHPrivateKey key,
                     throw new InvalidKeySpecException(
                         "DHPrivateKey.getEncoded() returned null");
                 }
-                return (T) new PKCS8EncodedKeySpec(encoded);
+                T pkcs8EncKS = (T) new PKCS8EncodedKeySpec(encoded);
+                Arrays.fill(encoded, (byte)0);
+                return pkcs8EncKS;
             }
             else if (keySpec.isAssignableFrom(DHPrivateKeySpec.class)) {
                 /* Extract private value and params directly from key */
@@ -542,6 +544,8 @@ private PrivateKey translatePrivateKey(DHPrivateKey key)
             }
 
             keySpec = new PKCS8EncodedKeySpec(encoded);
+            Arrays.fill(encoded, (byte)0);
+
             return engineGeneratePrivate(keySpec);
 
         } catch (InvalidKeySpecException e) {
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptECKeyFactory.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptECKeyFactory.java
@@ -653,7 +653,10 @@ private <T extends KeySpec> T getPrivateKeySpec(ECPrivateKey key,
                     throw new InvalidKeySpecException(
                         "ECPrivateKey.getEncoded() returned null");
                 }
-                return (T) new PKCS8EncodedKeySpec(encoded);
+                T pkcs8EncKS = (T) new PKCS8EncodedKeySpec(encoded);
+                Arrays.fill(encoded, (byte)0);
+
+                return pkcs8EncKS;
             }
             else if (keySpec.isAssignableFrom(ECPrivateKeySpec.class)) {
                 /* Extract private value and params directly from key */
@@ -748,6 +751,8 @@ private PrivateKey translatePrivateKey(ECPrivateKey key)
             }
 
             PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded);
+            Arrays.fill(encoded, (byte)0);
+
             return engineGeneratePrivate(keySpec);
 
         } catch (InvalidKeySpecException e) {
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptRSAKeyFactory.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptRSAKeyFactory.java
@@ -534,7 +534,10 @@ private <T extends KeySpec> T getPrivateCrtKeySpec(RSAPrivateCrtKey key,
                     throw new InvalidKeySpecException(
                         "RSAPrivateCrtKey.getEncoded() returned null");
                 }
-                return (T) new PKCS8EncodedKeySpec(encoded);
+                T pkcs8EncKS = (T) new PKCS8EncodedKeySpec(encoded);
+                Arrays.fill(encoded, (byte)0);
+
+                return pkcs8EncKS;
             }
             else if (keySpec.isAssignableFrom(RSAPrivateCrtKeySpec.class)) {
                 /* Extract CRT parameters directly from key */
@@ -600,7 +603,10 @@ private <T extends KeySpec> T getPrivateKeySpec(RSAPrivateKey key,
                     throw new InvalidKeySpecException(
                         "RSAPrivateKey.getEncoded() returned null");
                 }
-                return (T) new PKCS8EncodedKeySpec(encoded);
+                T pkcs8EncKS = (T) new PKCS8EncodedKeySpec(encoded);
+                Arrays.fill(encoded, (byte)0);
+
+                return pkcs8EncKS;
             }
             else if (keySpec.isAssignableFrom(RSAPrivateKeySpec.class)) {
                 /* Extract basic private key parameters */
@@ -705,6 +711,7 @@ private PrivateKey translatePrivateKey(RSAPrivateKey key)
             }
 
             keySpec = new PKCS8EncodedKeySpec(encoded);
+            Arrays.fill(encoded, (byte)0);
 
             return engineGeneratePrivate(keySpec);
 

Original file line number	Diff line number	Diff line change
`@@ -440,7 +440,9 @@ private <T extends KeySpec> T getPrivateKeySpec(DHPrivateKey key,`
`440`	`440`	`throw new InvalidKeySpecException(`
`441`	`441`	`"DHPrivateKey.getEncoded() returned null");`
`442`	`442`	`}`
`443`		`- return (T) new PKCS8EncodedKeySpec(encoded);`
	`443`	`+ T pkcs8EncKS = (T) new PKCS8EncodedKeySpec(encoded);`
	`444`	`+ Arrays.fill(encoded, (byte)0);`
	`445`	`+ return pkcs8EncKS;`
`444`	`446`	`}`
`445`	`447`	`else if (keySpec.isAssignableFrom(DHPrivateKeySpec.class)) {`
`446`	`448`	`/* Extract private value and params directly from key */`
`@@ -542,6 +544,8 @@ private PrivateKey translatePrivateKey(DHPrivateKey key)`
`542`	`544`	`}`
`543`	`545`
`544`	`546`	`keySpec = new PKCS8EncodedKeySpec(encoded);`
	`547`	`+ Arrays.fill(encoded, (byte)0);`
	`548`	`+`
`545`	`549`	`return engineGeneratePrivate(keySpec);`
`546`	`550`
`547`	`551`	`} catch (InvalidKeySpecException e) {`
Original file line number	Diff line number	Diff line change
`@@ -653,7 +653,10 @@ private <T extends KeySpec> T getPrivateKeySpec(ECPrivateKey key,`
`653`	`653`	`throw new InvalidKeySpecException(`
`654`	`654`	`"ECPrivateKey.getEncoded() returned null");`
`655`	`655`	`}`
`656`		`- return (T) new PKCS8EncodedKeySpec(encoded);`
	`656`	`+ T pkcs8EncKS = (T) new PKCS8EncodedKeySpec(encoded);`
	`657`	`+ Arrays.fill(encoded, (byte)0);`
	`658`	`+`
	`659`	`+ return pkcs8EncKS;`
`657`	`660`	`}`
`658`	`661`	`else if (keySpec.isAssignableFrom(ECPrivateKeySpec.class)) {`
`659`	`662`	`/* Extract private value and params directly from key */`
`@@ -748,6 +751,8 @@ private PrivateKey translatePrivateKey(ECPrivateKey key)`
`748`	`751`	`}`
`749`	`752`
`750`	`753`	`PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded);`
	`754`	`+ Arrays.fill(encoded, (byte)0);`
	`755`	`+`
`751`	`756`	`return engineGeneratePrivate(keySpec);`
`752`	`757`
`753`	`758`	`} catch (InvalidKeySpecException e) {`
Original file line number	Diff line number	Diff line change
`@@ -534,7 +534,10 @@ private <T extends KeySpec> T getPrivateCrtKeySpec(RSAPrivateCrtKey key,`
`534`	`534`	`throw new InvalidKeySpecException(`
`535`	`535`	`"RSAPrivateCrtKey.getEncoded() returned null");`
`536`	`536`	`}`
`537`		`- return (T) new PKCS8EncodedKeySpec(encoded);`
	`537`	`+ T pkcs8EncKS = (T) new PKCS8EncodedKeySpec(encoded);`
	`538`	`+ Arrays.fill(encoded, (byte)0);`
	`539`	`+`
	`540`	`+ return pkcs8EncKS;`
`538`	`541`	`}`
`539`	`542`	`else if (keySpec.isAssignableFrom(RSAPrivateCrtKeySpec.class)) {`
`540`	`543`	`/* Extract CRT parameters directly from key */`
`@@ -600,7 +603,10 @@ private <T extends KeySpec> T getPrivateKeySpec(RSAPrivateKey key,`
`600`	`603`	`throw new InvalidKeySpecException(`
`601`	`604`	`"RSAPrivateKey.getEncoded() returned null");`
`602`	`605`	`}`
`603`		`- return (T) new PKCS8EncodedKeySpec(encoded);`
	`606`	`+ T pkcs8EncKS = (T) new PKCS8EncodedKeySpec(encoded);`
	`607`	`+ Arrays.fill(encoded, (byte)0);`
	`608`	`+`
	`609`	`+ return pkcs8EncKS;`
`604`	`610`	`}`
`605`	`611`	`else if (keySpec.isAssignableFrom(RSAPrivateKeySpec.class)) {`
`606`	`612`	`/* Extract basic private key parameters */`
`@@ -705,6 +711,7 @@ private PrivateKey translatePrivateKey(RSAPrivateKey key)`
`705`	`711`	`}`
`706`	`712`
`707`	`713`	`keySpec = new PKCS8EncodedKeySpec(encoded);`
	`714`	`+ Arrays.fill(encoded, (byte)0);`
`708`	`715`
`709`	`716`	`return engineGeneratePrivate(keySpec);`
`710`	`717`