A DESCRIPTION OF THE PROBLEM :
JDK-8208583 implemented the destruction of com.sun.crypto.provider.PBEKey, however this implementation is incomplete.

Destroyable.destroy() says that IllegalStateExceptions should be thrown if a method would access the destroyed data. But currently NullPointerExceptions are thrown because the destroyed state is not checked.

This also affects Java 8.

Have for example a look at javax.security.auth.kerberos.KerberosTicket to see how destroyed objects can be handled.


---------- BEGIN SOURCE ----------
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PBEKeyDestructionTest {
    public static void main(String[] args) throws Exception {
        final SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE");
        final SecretKey pbeKey = factory.generateSecret(new PBEKeySpec("test".toCharArray()));
        pbeKey.destroy();
        // Expecting IllegalStateException as described by Destroyable.destroy()
        pbeKey.getEncoded();
        // Also affects other methods, e.g. hashCode()
    }
}
---------- END SOURCE ----------

FREQUENCY : always