8302111: Serialization considerations

Reviewed-by: skoivu, rhalade, weijun, wetmore
2025-08-26 14:24:46 +02:00 · 2024-02-05 22:53:51 +00:00 · 2024-02-05 22:53:51 +00:00 · 369c573383
commit 369c573383
parent df7d6e081f
21 changed files with 747 additions and 468 deletions
--- a/src/java.base/share/classes/javax/crypto/spec/SecretKeySpec.java
+++ b/src/java.base/share/classes/javax/crypto/spec/SecretKeySpec.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -100,11 +100,9 @@ public class SecretKeySpec implements KeySpec, SecretKey {
     * is null or <code>key</code> is null or empty.
     */
    public SecretKeySpec(byte[] key, String algorithm) {
-        if (key == null || algorithm == null) {
-            throw new IllegalArgumentException("Missing argument");
-        }
-        if (key.length == 0) {
-            throw new IllegalArgumentException("Empty key");
+        String errMsg = doSanityCheck(key, algorithm);
+        if (errMsg != null) {
+            throw new IllegalArgumentException(errMsg);
        }
        this.key = key.clone();
        this.algorithm = algorithm;
@ -266,14 +264,22 @@ public class SecretKeySpec implements KeySpec, SecretKey {
    private void readObject(ObjectInputStream stream)
            throws IOException, ClassNotFoundException {
        stream.defaultReadObject();
+        String errMsg = doSanityCheck(key, algorithm);
+        if (errMsg != null) {
+            throw new InvalidObjectException(errMsg);
+        }
+        byte[] temp = key;
+        this.key = temp.clone();
+        Arrays.fill(temp, (byte) 0);
+    }

+    private static String doSanityCheck(byte[] key, String algorithm) {
+        String errMsg = null;
        if (key == null || algorithm == null) {
-            throw new InvalidObjectException("Missing argument");
-        }
-
-        this.key = key.clone();
-        if (key.length == 0) {
-            throw new InvalidObjectException("Invalid key length");
+            errMsg = "Missing argument";
+        } else if (key.length == 0) {
+            errMsg = "Empty key";
        }
+        return errMsg;
    }
 }