All geek questions in one place

Java sensitive data: char [] vs String? What's the point?

We already know about this assumption / practice using char[] instead of String for sensitive data. There are several reasons for this. One of them is to clear confidential data immediately after it is no longer needed:

 char[] passwd = passwordProvider.getKeyStorePassword(); KeyStore keystore = KeyStore.getInstance("JKS"); // TODO: Create the input stream; keystore.load(inputstream, passwd); System.arraycopy(new char[passwd.length], 0, passwd, 0, passwd.length); // Please continue...

Now the question is: does it make sense (i.e. use char[] ) the sense (in particular, mentioned above) when sensitive data comes to you initially as a String value? eg:

 char[] passwd = passwordProvider.getKeyStorePassword().toCharArray(); KeyStore keystore = KeyStore.getInstance("JKS"); // TODO: using the passwd, load the keystore; System.arraycopy(new char[passwd.length], 0, passwd, 0, passwd.length); // Please continue...

Thanks in advance.

UPDATE2: I will rephrase the question: in this specific context (forget about future changes or something else), does the line "clear the contents of the char array" do any good?

UPDATE1: this is not duplication. Why is char [] preferred over String for passwords? I know what this story is. I ask in this particular context, it still makes sense?

+6
source share
1 answer

It seems to me that the security problem in the design of the password provider API returns String .

But if you need to work with this API, converting to char[] immediately means that you are not stopping the String instance from being GC'd, because you are not keeping a reference to it for any longer than is absolutely necessary.

So, it makes sense to use char[] here because you are "not doing it worse."

+4
source

Source: https://habr.com/ru/post/1014671/

More articles:


All Articles