archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-26 22:34:27 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8241379: Update JCEKS support

Browse source 
Reviewed-by: ahgross, mullan, rhalade
This commit is contained in:
Weijun Wang 2020-04-03 17:24:59 +08:00
parent e3673d4677
commit fe514a2e55
1 changed files with 22 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

33
src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 1998, 2019, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1998, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -939,8 +939,6 @@ public final class JceKeyStore extends KeyStoreSpi {
*/ */
private static class DeserializationChecker implements ObjectInputFilter { private static class DeserializationChecker implements ObjectInputFilter {
private static final int MAX_NESTED_DEPTH = 2;
// Full length of keystore, anything inside a SecretKeyEntry should not // Full length of keystore, anything inside a SecretKeyEntry should not
// be bigger. Otherwise, must be illegal. // be bigger. Otherwise, must be illegal.
private final int fullLength; private final int fullLength;
@ -953,16 +951,29 @@ public final class JceKeyStore extends KeyStoreSpi {
public ObjectInputFilter.Status public ObjectInputFilter.Status
checkInput(ObjectInputFilter.FilterInfo info) { checkInput(ObjectInputFilter.FilterInfo info) {
// First run a custom filter if (info.arrayLength() > fullLength) {
long nestedDepth = info.depth();
if ((nestedDepth == 1 &&
info.serialClass() != SealedObjectForKeyProtector.class) ||
info.arrayLength() > fullLength ||
(nestedDepth > MAX_NESTED_DEPTH &&
info.serialClass() != null &&
info.serialClass() != Object.class)) {
return Status.REJECTED; return Status.REJECTED;
} }
// First run a custom filter
Class<?> clazz = info.serialClass();
switch((int)info.depth()) {
case 1:
if (clazz != SealedObjectForKeyProtector.class) {
return Status.REJECTED;
}
break;
case 2:
if (clazz != null && clazz != SealedObject.class
&& clazz != byte[].class) {
return Status.REJECTED;
}
break;
default:
if (clazz != null && clazz != Object.class) {
return Status.REJECTED;
}
break;
}
// Next run the default filter, if available // Next run the default filter, if available
ObjectInputFilter defaultFilter = ObjectInputFilter defaultFilter =