Bug #3125

Task #2253: sqlcipher uses String objects insecurely

divine reflection voodoo requried to wipe Cipher class

Added by abeluck almost 4 years ago. Updated over 3 years ago.

Status:NewStart date:03/25/2014
Priority:NormalDue date:
Assignee:-% Done:


Target version:future


The JCE code for performing the AES GCM encryption needs to be wiped.

see: SerializedSecretsImpl.java

    public byte[] encryptSecretKey(SecretKey x_passphraseKey, byte[] iv, byte[] data)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");

        // TODO(abel) follow this rabbit hole down and wipe it!
        cipher.init(Cipher.ENCRYPT_MODE, x_passphraseKey, new IvParameterSpec(iv));

        return cipher.doFinal(data);


#1 Updated by abeluck almost 4 years ago

idea: ditch the JCE abstraction layer altogether and call the BC functions directly

#2 Updated by hans over 3 years ago

  • Target version changed from 0.2 to future

Also available in: Atom PDF