added missing zeroed out logic

sagnghos · sagnghos · commit d0d0b6967000 · 2026-06-15T12:09:40.000Z
diff --git a/java-spanner/google-cloud-spanner/src/main/java/com/google/cloud/spanner/omni/LoginClient.java b/java-spanner/google-cloud-spanner/src/main/java/com/google/cloud/spanner/omni/LoginClient.java
@@ -129,7 +129,7 @@ public AccessToken login(String username, SecretBytes password) throws SpannerEx
             initialResponse.getOpaqueResponse().getInitialResponse();
 
         ByteString envelope = initialOpaqueResponse.getMaskedResponse();
-        if (envelope.size() < 65) {
+        if (envelope.size() != 65) {
           throw new GeneralSecurityException("Invalid envelope size: " + envelope.size());
         }
 
@@ -233,7 +233,7 @@ private byte[] generateClientMac(
           OpaqueUtil.xorBytes(
               initialOpaqueResponse.getMaskedResponse().toByteArray(), credentialResponsePad);
       ByteString envelope = ByteString.copyFrom(serializedEnvelope);
-      if (envelope.size() < 65) {
+      if (envelope.size() != 65) {
         throw new GeneralSecurityException("Invalid envelope size: " + envelope.size());
       }
       ByteString serverPublicKey = envelope.substring(0, 33);
diff --git a/java-spanner/google-cloud-spanner/src/main/java/com/google/cloud/spanner/omni/SpannerOmniCredentials.java b/java-spanner/google-cloud-spanner/src/main/java/com/google/cloud/spanner/omni/SpannerOmniCredentials.java
@@ -50,20 +50,22 @@ public class SpannerOmniCredentials extends GoogleCredentials {
 
   public static SecretBytes convertToSecretBytes(char[] passwordChars) {
     byte[] passwordBytes = null;
+    ByteBuffer byteBuffer = null;
     try {
       CharsetEncoder encoder = StandardCharsets.UTF_8.newEncoder();
       CharBuffer charBuffer = CharBuffer.wrap(passwordChars);
-      ByteBuffer byteBuffer =
-          ByteBuffer.allocate((int) (encoder.maxBytesPerChar() * charBuffer.remaining()));
+      byteBuffer = ByteBuffer.allocate((int) (encoder.maxBytesPerChar() * charBuffer.remaining()));
       encoder.encode(charBuffer, byteBuffer, true);
       encoder.flush(byteBuffer);
       byteBuffer.flip();
       passwordBytes = new byte[byteBuffer.remaining()];
       byteBuffer.get(passwordBytes);
-      Arrays.fill(byteBuffer.array(), (byte) 0);
       return SecretBytes.copyFrom(
           passwordBytes, com.google.crypto.tink.InsecureSecretKeyAccess.get());
     } finally {
+      if (byteBuffer != null) {
+        Arrays.fill(byteBuffer.array(), (byte) 0);
+      }
       if (passwordBytes != null) {
         Arrays.fill(passwordBytes, (byte) 0);
       }
diff --git a/java-spanner/google-cloud-spanner/src/main/java/com/google/cloud/spanner/testing/SpannerOmniHelper.java b/java-spanner/google-cloud-spanner/src/main/java/com/google/cloud/spanner/testing/SpannerOmniHelper.java
@@ -73,7 +73,7 @@ public static void setSpannerOmniOptions(SpannerOptions.Builder builder) {
     builder.setType(SpannerOptions.InstanceType.OMNI);
     String username = System.getProperty(USERNAME, "");
     String password = System.getProperty(PASSWORD, "");
-    if (!Strings.isNullOrEmpty(username)) {
+    if (!Strings.isNullOrEmpty(username) && !Strings.isNullOrEmpty(password)) {
       builder.login(username, password.toCharArray());
     }
     if (usePlainText) {

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ public static void setSpannerOmniOptions(SpannerOptions.Builder builder) {`
`73`	`73`	`builder.setType(SpannerOptions.InstanceType.OMNI);`
`74`	`74`	`String username = System.getProperty(USERNAME, "");`
`75`	`75`	`String password = System.getProperty(PASSWORD, "");`
`76`		`- if (!Strings.isNullOrEmpty(username)) {`
	`76`	`+ if (!Strings.isNullOrEmpty(username) && !Strings.isNullOrEmpty(password)) {`
`77`	`77`	`builder.login(username, password.toCharArray());`
`78`	`78`	`}`
`79`	`79`	`if (usePlainText) {`