提交 d364bdb8 编写于 作者: W weijun

8241379: Update JCEKS support

Reviewed-by: ahgross, mullan, rhalade
上级 c5d47660
/*
* Copyright (c) 1998, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -922,8 +922,6 @@ public final class JceKeyStore extends KeyStoreSpi {
*/
private static class DeserializationChecker implements ObjectInputFilter {
private static final int MAX_NESTED_DEPTH = 2;
// Full length of keystore, anything inside a SecretKeyEntry should not
// be bigger. Otherwise, must be illegal.
private final int fullLength;
......@@ -936,16 +934,29 @@ public final class JceKeyStore extends KeyStoreSpi {
public ObjectInputFilter.Status
checkInput(ObjectInputFilter.FilterInfo info) {
if (info.arrayLength() > fullLength) {
return Status.REJECTED;
}
// First run a custom filter
long nestedDepth = info.depth();
if ((nestedDepth == 1 &&
info.serialClass() != SealedObjectForKeyProtector.class) ||
info.arrayLength() > fullLength ||
(nestedDepth > MAX_NESTED_DEPTH &&
info.serialClass() != null &&
info.serialClass() != Object.class)) {
Class<?> clazz = info.serialClass();
switch((int)info.depth()) {
case 1:
if (clazz != SealedObjectForKeyProtector.class) {
return Status.REJECTED;
}
break;
case 2:
if (clazz != null && clazz != SealedObject.class
&& clazz != byte[].class) {
return Status.REJECTED;
}
break;
default:
if (clazz != null && clazz != Object.class) {
return Status.REJECTED;
}
break;
}
// Next run the default filter, if available
ObjectInputFilter defaultFilter =
......
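Review bot: The per-depth allow-list in the `switch` inside `checkInput` has no comment saying which object graph it encodes, so a reader cannot tell whether admitting `SealedObject` and `byte[]` at depth 2, or a null `serialClass` at depth 2 and deeper, is deliberate. A comment above the switch would pin it down, for example `// Allow-list by depth: 1 = SealedObjectForKeyProtector only; 2 = SealedObject, byte[] or null class; deeper = Object or null class`. The `(int)info.depth()` cast also narrows a `long`; a wrapped value is presumably unreachable in practice, but reading `long depth = info.depth();` and branching with `if`/`else if` would avoid relying on that. The page has lost its `+`/`-` markers, so which lines form the new side is inferred from the hunk counts, and `checkInput` continues past the last visible line.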