Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
06e93a54
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
06e93a54
编写于
7月 02, 2017
作者:
I
igerasim
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
8181370: Better keystore handling
Reviewed-by: weijun, igerasim
上级
1a2ab3bf
变更
1
隐藏空白更改
内联
并排
Showing
1 changed file
with
45 addition
and
1 deletion
+45
-1
src/share/classes/com/sun/crypto/provider/JceKeyStore.java
src/share/classes/com/sun/crypto/provider/JceKeyStore.java
+45
-1
未找到文件。
src/share/classes/com/sun/crypto/provider/JceKeyStore.java
浏览文件 @
06e93a54
/*
* Copyright (c) 1998, 201
6
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -27,12 +27,14 @@ package com.sun.crypto.provider;
import
java.io.*
;
import
java.util.*
;
import
java.security.AccessController
;
import
java.security.DigestInputStream
;
import
java.security.DigestOutputStream
;
import
java.security.MessageDigest
;
import
java.security.NoSuchAlgorithmException
;
import
java.security.Key
;
import
java.security.PrivateKey
;
import
java.security.PrivilegedAction
;
import
java.security.KeyStoreSpi
;
import
java.security.KeyStoreException
;
import
java.security.UnrecoverableKeyException
;
...
...
@@ -41,6 +43,8 @@ import java.security.cert.CertificateFactory;
import
java.security.cert.CertificateException
;
import
javax.crypto.SealedObject
;
import
sun.misc.ObjectInputFilter
;
/**
* This class provides the keystore implementation referred to as "jceks".
* This implementation strongly protects the keystore private keys using
...
...
@@ -835,11 +839,21 @@ public final class JceKeyStore extends KeyStoreSpi {
// read the sealed key
try
{
ois
=
new
ObjectInputStream
(
dis
);
final
ObjectInputStream
ois2
=
ois
;
// Set a deserialization checker
AccessController
.
doPrivileged
(
(
PrivilegedAction
<
Void
>)()
->
{
ObjectInputFilter
.
Config
.
setObjectInputFilter
(
ois2
,
new
DeserializationChecker
());
return
null
;
});
entry
.
sealedKey
=
(
SealedObject
)
ois
.
readObject
();
// NOTE: don't close ois here since we are still
// using dis!!!
}
catch
(
ClassNotFoundException
cnfe
)
{
throw
new
IOException
(
cnfe
.
getMessage
());
}
catch
(
InvalidClassException
ice
)
{
throw
new
IOException
(
"Invalid secret key format"
);
}
// Add the entry to the list
...
...
@@ -900,4 +914,34 @@ public final class JceKeyStore extends KeyStoreSpi {
md
.
update
(
"Mighty Aphrodite"
.
getBytes
(
"UTF8"
));
return
md
;
}
/*
* An ObjectInputFilter that checks the format of the secret key being
* deserialized.
*/
private
static
class
DeserializationChecker
implements
ObjectInputFilter
{
private
static
final
int
MAX_NESTED_DEPTH
=
2
;
@Override
public
ObjectInputFilter
.
Status
checkInput
(
ObjectInputFilter
.
FilterInfo
info
)
{
// First run a custom filter
long
nestedDepth
=
info
.
depth
();
if
((
nestedDepth
==
1
&&
info
.
serialClass
()
!=
SealedObjectForKeyProtector
.
class
)
||
nestedDepth
>
MAX_NESTED_DEPTH
)
{
return
Status
.
REJECTED
;
}
// Next run the default filter, if available
ObjectInputFilter
defaultFilter
=
ObjectInputFilter
.
Config
.
getSerialFilter
();
if
(
defaultFilter
!=
null
)
{
return
defaultFilter
.
checkInput
(
info
);
}
return
Status
.
UNDECIDED
;
}
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录