# HG changeset patch
# User weijun
# Date 1585905899 -28800
# Node ID e5ffc34ee6654ac0cbd50e28b783156168cad913
# Parent f175970357d18462e6756505618f2614fc3de6c5
8241379: Update JCEKS support
Reviewed-by: ahgross, mullan, rhalade, mbalao, andrew
diff -r f175970357d1 -r e5ffc34ee665 src/share/classes/com/sun/crypto/provider/JceKeyStore.java
--- a/src/share/classes/com/sun/crypto/provider/JceKeyStore.java Mon Mar 23 19:57:51 2020 -0700
+++ b/src/share/classes/com/sun/crypto/provider/JceKeyStore.java Fri Apr 03 17:24:59 2020 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -912,8 +912,6 @@
 */
 private static class DeserializationChecker implements ObjectInputFilter {
- private static final int MAX_NESTED_DEPTH = 2;
-
 // Full length of keystore, anything inside a SecretKeyEntry should not
 // be bigger. Otherwise, must be illegal.
 private final int fullLength;
@@ -926,15 +924,28 @@
 public ObjectInputFilter.Status checkInput(ObjectInputFilter.FilterInfo info) {
+ if (info.arrayLength() > fullLength) {
+ return Status.REJECTED;
+ }
 // First run a custom filter
- long nestedDepth = info.depth();
- if ((nestedDepth == 1 &&
- info.serialClass() != SealedObjectForKeyProtector.class) ||
- info.arrayLength() > fullLength ||
- (nestedDepth > MAX_NESTED_DEPTH &&
- info.serialClass() != null &&
- info.serialClass() != Object.class)) {
- return Status.REJECTED;
+ Class clazz = info.serialClass();
+ switch((int)info.depth()) {
+ case 1:
+ if (clazz != SealedObjectForKeyProtector.class) {
+ return Status.REJECTED;
+ }
+ break;
+ case 2:
+ if (clazz != null && clazz != SealedObject.class
+ && clazz != byte[].class) {
+ return Status.REJECTED;
+ }
+ break;
+ default:
+ if (clazz != null && clazz != Object.class) {
+ return Status.REJECTED;
+ }
+ break;
 }
 // Next run the default filter, if available
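Review bot: The `(int)info.depth()` cast in the new `switch` narrows a `long` (the removed code kept it as `long nestedDepth`), so a value above `Integer.MAX_VALUE` would wrap and could select `case 1` or `case 2`, whose allowlists are wider than `default`. Such a depth is not expected from a real stream, but an allowlist filter should fail closed on it; clamping first keeps every out-of-range depth in `default`: `int depth = (int) Math.min(info.depth(), 3L);` followed by `switch (depth) {`. Each case would also benefit from a one-line comment naming the object that depth corresponds to (for example `// depth 1: only the top-level SealedObjectForKeyProtector`), because the reason `SealedObject` and `byte[]` are accepted at depth 2 is not evident from the hunk. `checkInput` continues past the end of the hunk, so the hand-off to the default filter was not reviewed.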