Merge pull request #166 from dbohannon/dbohannon-clear-spec

firaja · web-flow · commit 18aaa552d764 · 2025-08-05T21:10:34.000+02:00
Prevent password leak in memory
diff --git a/src/main/java/com/password4j/PBKDF2Function.java b/src/main/java/com/password4j/PBKDF2Function.java
@@ -128,7 +128,14 @@ protected static SecretKey internalHash(char[] plain, byte[] salt, String algori
     {
         SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(ALGORITHM_PREFIX + algorithm);
         PBEKeySpec spec = new PBEKeySpec(plain, salt, iterations, length);
-        return secretKeyFactory.generateSecret(spec);
+        try
+        {   
+            return secretKeyFactory.generateSecret(spec);
+        }
+        finally
+        {   
+            spec.clearPassword();
+        }
     }
 
     protected static String getUID(String algorithm, int iterations, int length)
