changeset 9966:e5ffc34ee665
8241379: Update JCEKS support
Reviewed-by: ahgross, mullan, rhalade, mbalao, andrew
author | weijun |
---|---|
date | Fri, 03 Apr 2020 17:24:59 +0800 |
parents | f175970357d1 |
children | 3f1113e3ba8f |
files | src/share/classes/com/sun/crypto/provider/JceKeyStore.java |
diffstat | 1 files changed, 22 insertions(+), 11 deletions(-) [+] |
--- a/src/share/classes/com/sun/crypto/provider/JceKeyStore.java Mon Mar 23 19:57:51 2020 -0700
+++ b/src/share/classes/com/sun/crypto/provider/JceKeyStore.java Fri Apr 03 17:24:59 2020 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -912,8 +912,6 @@
 */
 private static class DeserializationChecker implements ObjectInputFilter {
 
- private static final int MAX_NESTED_DEPTH = 2;
-
 // Full length of keystore, anything inside a SecretKeyEntry should not
 // be bigger. Otherwise, must be illegal.
 private final int fullLength;
@@ -926,15 +924,28 @@
 public ObjectInputFilter.Status
 checkInput(ObjectInputFilter.FilterInfo info) {
 
+ if (info.arrayLength() > fullLength) {
+ return Status.REJECTED;
+ }
 // First run a custom filter
- long nestedDepth = info.depth();
- if ((nestedDepth == 1 &&
- info.serialClass() != SealedObjectForKeyProtector.class) ||
- info.arrayLength() > fullLength ||
- (nestedDepth > MAX_NESTED_DEPTH &&
- info.serialClass() != null &&
- info.serialClass() != Object.class)) {
- return Status.REJECTED;
+ Class<?> clazz = info.serialClass();
+ switch((int)info.depth()) {
+ case 1:
+ if (clazz != SealedObjectForKeyProtector.class) {
+ return Status.REJECTED;
+ }
+ break;
+ case 2:
+ if (clazz != null && clazz != SealedObject.class
+ && clazz != byte[].class) {
+ return Status.REJECTED;
+ }
+ break;
+ default:
+ if (clazz != null && clazz != Object.class) {
+ return Status.REJECTED;
+ }
+ break;
 }
 
 // Next run the default filter, if available
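Review bot: The `(int)info.depth()` cast in the new `switch` narrows a `long`, so a value outside the int range would wrap and could land on `case 1` or `case 2` instead of the stricter `default` branch. That is presumably unreachable in practice, but a deserialization filter should fail closed; `long depth = info.depth();` followed by `switch (depth == 1 || depth == 2 ? (int) depth : 0) {` keeps the three branches and sends every other value to `default`. The per-depth allow-lists are also uncommented, and the existing `// First run a custom filter` comment now sits below the array-length check it used to cover. A short comment above the switch should say which classes are expected at depth 1, at depth 2 and deeper, and why a null class and `Object.class` are accepted in `default`. The body of `checkInput` continues past the end of the hunk.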