changeset 9966:e5ffc34ee665

8241379: Update JCEKS support Reviewed-by: ahgross, mullan, rhalade, mbalao, andrew
author weijun
date Fri, 03 Apr 2020 17:24:59 +0800
parents f175970357d1
children 3f1113e3ba8f
files src/share/classes/com/sun/crypto/provider/JceKeyStore.java
diffstat 1 files changed, 22 insertions(+), 11 deletions(-) [+]
--- a/src/share/classes/com/sun/crypto/provider/JceKeyStore.java	Mon Mar 23 19:57:51 2020 -0700
+++ b/src/share/classes/com/sun/crypto/provider/JceKeyStore.java	Fri Apr 03 17:24:59 2020 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -912,8 +912,6 @@
      */
     private static class DeserializationChecker implements ObjectInputFilter {
 
-        private static final int MAX_NESTED_DEPTH = 2;
-
         // Full length of keystore, anything inside a SecretKeyEntry should not
         // be bigger. Otherwise, must be illegal.
         private final int fullLength;
@@ -926,15 +924,28 @@
         public ObjectInputFilter.Status
             checkInput(ObjectInputFilter.FilterInfo info) {
 
+            if (info.arrayLength() > fullLength) {
+                return Status.REJECTED;
+            }
             // First run a custom filter
-            long nestedDepth = info.depth();
-            if ((nestedDepth == 1 &&
-                        info.serialClass() != SealedObjectForKeyProtector.class) ||
-                    info.arrayLength() > fullLength ||
-                    (nestedDepth > MAX_NESTED_DEPTH &&
-                        info.serialClass() != null &&
-                        info.serialClass() != Object.class)) {
-                return Status.REJECTED;
+            Class<?> clazz = info.serialClass();
+            switch((int)info.depth()) {
+                case 1:
+                    if (clazz != SealedObjectForKeyProtector.class) {
+                        return Status.REJECTED;
+                    }
+                    break;
+                case 2:
+                    if (clazz != null && clazz != SealedObject.class
+                            && clazz != byte[].class) {
+                        return Status.REJECTED;
+                    }
+                    break;
+                default:
+                    if (clazz != null && clazz != Object.class) {
+                        return Status.REJECTED;
+                    }
+                    break;
             }
 
             // Next run the default filter, if available
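Review bot: The `// First run a custom filter` comment now sits below the `info.arrayLength() > fullLength` check, which is itself part of the custom filter; move it above that `if` so the comment heads the whole custom section. The per-depth switch has also become an explicit allow-list with no explanation of why each depth admits what it does, so a short comment above `switch((int)info.depth())` would help the next maintainer, e.g. `// Expected graph: depth 1 is the SealedObjectForKeyProtector itself, depth 2 its SealedObject state (byte[] fields), and deeper levels only Object or non-class (null) checks` — the reason `SealedObject.class` itself appears at depth 2 is not evident from the hunk and should be confirmed before being stated as fact. Narrowing `info.depth()` (a `long`) to `int` for the switch is harmless at any realistic depth, but an `if`/`else if` chain on the `long` would avoid the cast entirely. The `checkInput` method continues past this hunk with the default-filter delegation.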