+ * JDK 1.5+ objects use KeyReps instead.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ stream.defaultReadObject();
+ if ((key == null) || (key.length == 0)) {
+ throw new InvalidObjectException("key not deserializable");
+ }
+ this.key = key.clone();
+ if ((encodedKey == null) || (encodedKey.length == 0)) {
+ throw new InvalidObjectException(
+ "encoded key not deserializable");
+ }
+ this.encodedKey = encodedKey.clone();
+ }
}
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/DHPublicKey.java b/src/java.base/share/classes/com/sun/crypto/provider/DHPublicKey.java
index 78d7d71b1c1..7a0607f1227 100644
--- a/src/java.base/share/classes/com/sun/crypto/provider/DHPublicKey.java
+++ b/src/java.base/share/classes/com/sun/crypto/provider/DHPublicKey.java
@@ -39,8 +39,6 @@ import sun.security.util.*;
* A public key in X.509 format for the Diffie-Hellman key agreement algorithm.
*
* @author Jan Luehe
- *
- *
* @see DHPrivateKey
* @see javax.crypto.KeyAgreement
*/
@@ -48,7 +46,7 @@ final class DHPublicKey implements PublicKey,
javax.crypto.interfaces.DHPublicKey, Serializable {
@java.io.Serial
- static final long serialVersionUID = 7647557958927458271L;
+ private static final long serialVersionUID = 7647557958927458271L;
// the public key
private BigInteger y;
@@ -60,10 +58,10 @@ javax.crypto.interfaces.DHPublicKey, Serializable {
private byte[] encodedKey;
// the prime modulus
- private BigInteger p;
+ private final BigInteger p;
// the base generator
- private BigInteger g;
+ private final BigInteger g;
// the private-value length (optional)
private int l;
@@ -313,4 +311,28 @@ javax.crypto.interfaces.DHPublicKey, Serializable {
getFormat(),
getEncoded());
}
+
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * JDK 1.5+ objects use KeyReps instead.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ stream.defaultReadObject();
+ if ((key == null) || (key.length == 0)) {
+ throw new InvalidObjectException("key not deserializable");
+ }
+ this.key = key.clone();
+ if ((encodedKey == null) || (encodedKey.length == 0)) {
+ throw new InvalidObjectException(
+ "encoded key not deserializable");
+ }
+ this.encodedKey = encodedKey.clone();
+ }
}
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java b/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java
index 71efeb535aa..480a0810425 100644
--- a/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java
+++ b/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java
@@ -25,6 +25,8 @@
package com.sun.crypto.provider;
+import java.io.IOException;
+import java.io.InvalidObjectException;
import java.lang.ref.Reference;
import java.lang.ref.Cleaner.Cleanable;
import java.security.MessageDigest;
@@ -46,11 +48,11 @@ import jdk.internal.ref.CleanerFactory;
final class PBEKey implements SecretKey {
@java.io.Serial
- static final long serialVersionUID = -2234768909660948176L;
+ private static final long serialVersionUID = -2234768909660948176L;
private byte[] key;
- private String type;
+ private final String type;
private transient Cleanable cleanable;
@@ -162,17 +164,35 @@ final class PBEKey implements SecretKey {
}
/**
- * readObject is called to restore the state of this key from
- * a stream.
+ * Restores the state of this object from the stream.
+ *
+ * @param s the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
*/
@java.io.Serial
private void readObject(java.io.ObjectInputStream s)
- throws java.io.IOException, ClassNotFoundException
+ throws IOException, ClassNotFoundException
{
s.defaultReadObject();
+ if (key == null) {
+ throw new InvalidObjectException(
+ "PBEKey couldn't be deserialized");
+ }
byte[] temp = key;
key = temp.clone();
Arrays.fill(temp, (byte)0x00);
+
+ // Accept "\0" to signify "zero-length password with no terminator".
+ if (!(key.length == 1 && key[0] == 0)) {
+ for (int i = 0; i < key.length; i++) {
+ if ((key[i] < '\u0020') || (key[i] > '\u007E')) {
+ throw new InvalidObjectException(
+ "PBEKey had non-ASCII chars");
+ }
+ }
+ }
+
// Use cleaner to zero the key when no longer referenced
final byte[] k = this.key;
cleanable = CleanerFactory.cleaner().register(this,
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java b/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
index 445a8a1814c..8e85221f4bb 100644
--- a/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
+++ b/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
@@ -25,7 +25,7 @@
package com.sun.crypto.provider;
-import java.io.ObjectStreamException;
+import java.io.*;
import java.lang.ref.Reference;
import java.lang.ref.Cleaner;
import java.nio.ByteBuffer;
@@ -58,16 +58,16 @@ import jdk.internal.ref.CleanerFactory;
final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
@java.io.Serial
- static final long serialVersionUID = -2234868909660948157L;
+ private static final long serialVersionUID = -2234868909660948157L;
- private char[] passwd;
- private byte[] salt;
- private int iterCount;
+ private final char[] passwd;
+ private final byte[] salt;
+ private final int iterCount;
private byte[] key;
// The following fields are not Serializable. See writeReplace method.
- private transient Mac prf;
- private transient Cleaner.Cleanable cleaner;
+ private final transient Mac prf;
+ private final transient Cleaner.Cleanable cleaner;
private static byte[] getPasswordBytes(char[] passwd) {
CharBuffer cb = CharBuffer.wrap(passwd);
@@ -141,13 +141,14 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
int intR = keyLength - (intL - 1)*hlen; // residue
byte[] ui = new byte[hlen];
byte[] ti = new byte[hlen];
+ String algName = prf.getAlgorithm();
// SecretKeySpec cannot be used, since password can be empty here.
SecretKey macKey = new SecretKey() {
@java.io.Serial
private static final long serialVersionUID = 7874493593505141603L;
@Override
public String getAlgorithm() {
- return prf.getAlgorithm();
+ return algName;
}
@Override
public String getFormat() {
@@ -160,18 +161,27 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
@Override
public int hashCode() {
return Arrays.hashCode(password) * 41 +
- prf.getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode();
+ algName.toLowerCase(Locale.ENGLISH).hashCode();
}
@Override
public boolean equals(Object obj) {
if (this == obj) return true;
if (obj == null || this.getClass() != obj.getClass()) return false;
SecretKey sk = (SecretKey)obj;
- return prf.getAlgorithm().equalsIgnoreCase(
+ return algName.equalsIgnoreCase(
sk.getAlgorithm()) &&
MessageDigest.isEqual(password, sk.getEncoded());
}
+ // This derived key can't be deserialized.
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ throw new InvalidObjectException(
+ "PBKDF2KeyImpl SecretKeys are not " +
+ "directly deserializable");
+ }
};
+
prf.init(macKey);
byte[] ibytes = new byte[4];
@@ -303,4 +313,20 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
Reference.reachabilityFence(this);
}
}
+
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * Deserialization of this class is not supported. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "PBKDF2KeyImpl keys are not directly deserializable"); + } } diff --git a/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java b/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java index 203d54495f2..14ada1699c1 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.crypto.provider; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.*; import java.security.spec.AlgorithmParameterSpec; import java.util.Arrays; @@ -62,11 +65,11 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi { @SuppressWarnings("deprecation") protected void engineInit(AlgorithmParameterSpec params, SecureRandom random) throws InvalidAlgorithmParameterException { - if (params instanceof TlsMasterSecretParameterSpec == false) { + if (!(params instanceof TlsMasterSecretParameterSpec)) { throw new InvalidAlgorithmParameterException(MSG); } this.spec = (TlsMasterSecretParameterSpec)params; - if ("RAW".equals(spec.getPremasterSecret().getFormat()) == false) { + if (!"RAW".equals(spec.getPremasterSecret().getFormat())) { throw new InvalidAlgorithmParameterException( "Key format must be RAW"); } @@ -191,6 +194,22 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi { return key.clone(); } - } + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if ((key == null) || (key.length == 0)) { + throw new InvalidObjectException("TlsMasterSecretKey is null"); + } + key = key.clone(); + } + } } diff --git a/src/java.base/share/classes/java/security/CodeSigner.java b/src/java.base/share/classes/java/security/CodeSigner.java index 76c8be058ba..d14c215b6cc 100644 --- a/src/java.base/share/classes/java/security/CodeSigner.java +++ b/src/java.base/share/classes/java/security/CodeSigner.java @@ -142,9 +142,9 @@ public final class CodeSigner implements Serializable { public String toString() { StringBuilder sb = new StringBuilder(); sb.append("("); - sb.append("Signer: " + signerCertPath.getCertificates().get(0)); + sb.append("Signer: ").append(signerCertPath.getCertificates().get(0)); if (timestamp != null) { - sb.append("timestamp: " + timestamp); + sb.append("timestamp: ").append(timestamp); } sb.append(")"); return sb.toString(); @@ -160,8 +160,11 @@ public final class CodeSigner implements Serializable { */ @java.io.Serial private void readObject(ObjectInputStream ois) - throws IOException, ClassNotFoundException { - ois.defaultReadObject(); - myhash = -1; + throws IOException, ClassNotFoundException { + ois.defaultReadObject(); + if (signerCertPath == null) { + throw new InvalidObjectException("signerCertPath is null"); + } + myhash = -1; } } diff --git a/src/java.base/share/classes/javax/crypto/spec/SecretKeySpec.java b/src/java.base/share/classes/javax/crypto/spec/SecretKeySpec.java index d1326f89175..e76a51e5d68 100644 --- a/src/java.base/share/classes/javax/crypto/spec/SecretKeySpec.java +++ b/src/java.base/share/classes/javax/crypto/spec/SecretKeySpec.java @@ -28,6 +28,9 @@ package javax.crypto.spec; import jdk.internal.access.SharedSecrets; import javax.crypto.SecretKey; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.MessageDigest; import java.security.spec.KeySpec; import java.util.Arrays; @@ -60,7 +63,7 @@ public class SecretKeySpec implements KeySpec, SecretKey { * * @serial */ - private final byte[] key; + private byte[] key; /** * The name of the algorithm associated with this key. @@ -251,4 +254,26 @@ public class SecretKeySpec implements KeySpec, SecretKey { void clear() { Arrays.fill(key, (byte)0); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + + if (key == null || algorithm == null) { + throw new InvalidObjectException("Missing argument"); + } + + this.key = key.clone(); + if (key.length == 0) { + throw new InvalidObjectException("Invalid key length"); + } + } } diff --git a/src/java.base/share/classes/javax/security/auth/callback/ChoiceCallback.java b/src/java.base/share/classes/javax/security/auth/callback/ChoiceCallback.java index dd6072f5db8..c005b4ea02b 100644 --- a/src/java.base/share/classes/javax/security/auth/callback/ChoiceCallback.java +++ b/src/java.base/share/classes/javax/security/auth/callback/ChoiceCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,10 @@ package javax.security.auth.callback; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; + /** *
Underlying security services instantiate and pass a * {@code ChoiceCallback} to the {@code handle} @@ -48,7 +52,7 @@ public class ChoiceCallback implements Callback, java.io.Serializable { * @serial the list of choices * @since 1.4 */ - private final String[] choices; + private String[] choices; /** * @serial the choice to be used as the default choice * @since 1.4 @@ -72,7 +76,6 @@ public class ChoiceCallback implements Callback, java.io.Serializable { * a list of choices, a default choice, and a boolean specifying * whether multiple selections from the list of choices are allowed. * - * * @param prompt the prompt used to describe the list of choices. * * @param choices the list of choices. The array is cloned to protect @@ -104,15 +107,15 @@ public class ChoiceCallback implements Callback, java.io.Serializable { defaultChoice < 0 || defaultChoice >= choices.length) throw new IllegalArgumentException(); + this.prompt = prompt; + this.defaultChoice = defaultChoice; + this.multipleSelectionsAllowed = multipleSelectionsAllowed; + + this.choices = choices.clone(); for (int i = 0; i < choices.length; i++) { if (choices[i] == null || choices[i].isEmpty()) throw new IllegalArgumentException(); } - - this.prompt = prompt; - this.choices = choices.clone(); - this.defaultChoice = defaultChoice; - this.multipleSelectionsAllowed = multipleSelectionsAllowed; } /** @@ -196,4 +199,38 @@ public class ChoiceCallback implements Callback, java.io.Serializable { public int[] getSelectedIndexes() { return selections == null ? null : selections.clone(); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + + if ((prompt == null) || prompt.isEmpty() || + (choices == null) || (choices.length == 0) || + (defaultChoice < 0) || (defaultChoice >= choices.length)) { + throw new InvalidObjectException( + "Missing/invalid prompt/choices"); + } + + choices = choices.clone(); + for (int i = 0; i < choices.length; i++) { + if ((choices[i] == null) || choices[i].isEmpty()) + throw new InvalidObjectException("Null/empty choices"); + } + + if (selections != null) { + selections = selections.clone(); + if (!multipleSelectionsAllowed && (selections.length != 1)) { + throw new InvalidObjectException( + "Multiple selections not allowed"); + } + } + } } diff --git a/src/java.base/share/classes/javax/security/auth/callback/ConfirmationCallback.java b/src/java.base/share/classes/javax/security/auth/callback/ConfirmationCallback.java index 926a3d889e2..437ce7041a7 100644 --- a/src/java.base/share/classes/javax/security/auth/callback/ConfirmationCallback.java +++ b/src/java.base/share/classes/javax/security/auth/callback/ConfirmationCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package javax.security.auth.callback; +import java.io.IOException; +import java.io.ObjectInputStream; + /** *
Underlying security services instantiate and pass a * {@code ConfirmationCallback} to the {@code handle} @@ -147,7 +150,7 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { * @serial * @since 1.4 */ - private final String[] options; + private String[] options; /** * @serial * @since 1.4 @@ -252,16 +255,16 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { defaultOption < 0 || defaultOption >= options.length) throw new IllegalArgumentException(); + this.prompt = null; + this.messageType = messageType; + this.optionType = UNSPECIFIED_OPTION; + this.defaultOption = defaultOption; + + this.options = options.clone(); for (int i = 0; i < options.length; i++) { if (options[i] == null || options[i].isEmpty()) throw new IllegalArgumentException(); } - - this.prompt = null; - this.messageType = messageType; - this.optionType = UNSPECIFIED_OPTION; - this.options = options.clone(); - this.defaultOption = defaultOption; } /** @@ -372,16 +375,16 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { defaultOption < 0 || defaultOption >= options.length) throw new IllegalArgumentException(); + this.prompt = prompt; + this.messageType = messageType; + this.optionType = UNSPECIFIED_OPTION; + this.defaultOption = defaultOption; + + this.options = options.clone(); for (int i = 0; i < options.length; i++) { if (options[i] == null || options[i].isEmpty()) throw new IllegalArgumentException(); } - - this.prompt = prompt; - this.messageType = messageType; - this.optionType = UNSPECIFIED_OPTION; - this.options = options.clone(); - this.defaultOption = defaultOption; } /** @@ -487,4 +490,20 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { public int getSelectedIndex() { return selection; } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (options != null) { + options = options.clone(); + } + } } diff --git a/src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java b/src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java index b0758c012b2..bbe7ab882a6 100644 --- a/src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java +++ b/src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package javax.security.auth.callback; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.lang.ref.Cleaner; import java.util.Arrays; @@ -157,4 +160,27 @@ public class PasswordCallback implements Callback, java.io.Serializable { private static Runnable cleanerFor(char[] password) { return () -> Arrays.fill(password, ' '); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + + if (prompt == null || prompt.isEmpty()) { + throw new InvalidObjectException("Missing prompt"); + } + + if (inputPassword != null) { + inputPassword = inputPassword.clone(); + cleanable = CleanerFactory.cleaner().register( + this, cleanerFor(inputPassword)); + } + } } diff --git a/src/java.base/share/classes/sun/security/ec/ECPrivateKeyImpl.java b/src/java.base/share/classes/sun/security/ec/ECPrivateKeyImpl.java index a2a54391c1f..b1b8b2d188f 100644 --- a/src/java.base/share/classes/sun/security/ec/ECPrivateKeyImpl.java +++ b/src/java.base/share/classes/sun/security/ec/ECPrivateKeyImpl.java @@ -26,6 +26,8 @@ package sun.security.ec; import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.math.BigInteger; import java.security.*; @@ -41,7 +43,7 @@ import sun.security.pkcs.PKCS8Key; /** * Key implementation for EC private keys. - * + *
* ASN.1 syntax for EC private keys from SEC 1 v1.5 (draft): * *
@@ -64,6 +66,7 @@ import sun.security.pkcs.PKCS8Key;
*/
public final class ECPrivateKeyImpl extends PKCS8Key implements ECPrivateKey {
+ @java.io.Serial
private static final long serialVersionUID = 88695385615075129L;
private BigInteger s; // private value
@@ -218,4 +221,20 @@ public final class ECPrivateKeyImpl extends PKCS8Key implements ECPrivateKey {
"Unexpected error calculating public key", e);
}
}
+
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * Deserialization of this object is not supported.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ throw new InvalidObjectException(
+ "ECPrivateKeyImpl keys are not directly deserializable");
+ }
}
diff --git a/src/java.base/share/classes/sun/security/ec/ECPublicKeyImpl.java b/src/java.base/share/classes/sun/security/ec/ECPublicKeyImpl.java
index 8a363607d42..8f099f1e52f 100644
--- a/src/java.base/share/classes/sun/security/ec/ECPublicKeyImpl.java
+++ b/src/java.base/share/classes/sun/security/ec/ECPublicKeyImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2006, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,8 @@ package sun.security.ec;
import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;
@@ -44,6 +46,7 @@ import sun.security.x509.*;
*/
public final class ECPublicKeyImpl extends X509Key implements ECPublicKey {
+ @java.io.Serial
private static final long serialVersionUID = -2462037275160462289L;
@SuppressWarnings("serial") // Type of field is not
@@ -123,10 +126,27 @@ public final class ECPublicKeyImpl extends X509Key implements ECPublicKey {
+ "\n parameters: " + params;
}
- protected Object writeReplace() throws java.io.ObjectStreamException {
+ @java.io.Serial
+ private Object writeReplace() throws java.io.ObjectStreamException {
return new KeyRep(KeyRep.Type.PUBLIC,
getAlgorithm(),
getFormat(),
getEncoded());
}
-}
+
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * Deserialization of this object is not supported.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ throw new InvalidObjectException(
+ "ECPublicKeyImpl keys are not directly deserializable");
+ }
+}
\ No newline at end of file
diff --git a/src/java.base/share/classes/sun/security/ec/XDHPrivateKeyImpl.java b/src/java.base/share/classes/sun/security/ec/XDHPrivateKeyImpl.java
index 6eff482816b..dfc0d0f6cd3 100644
--- a/src/java.base/share/classes/sun/security/ec/XDHPrivateKeyImpl.java
+++ b/src/java.base/share/classes/sun/security/ec/XDHPrivateKeyImpl.java
@@ -37,6 +37,7 @@ import sun.security.util.*;
public final class XDHPrivateKeyImpl extends PKCS8Key implements XECPrivateKey {
+ @java.io.Serial
private static final long serialVersionUID = 1L;
@SuppressWarnings("serial") // Type of field is not Serializable
@@ -114,5 +115,20 @@ public final class XDHPrivateKeyImpl extends PKCS8Key implements XECPrivateKey {
"Unexpected error calculating public key", e);
}
}
-}
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * Deserialization of this object is not supported.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ throw new InvalidObjectException(
+ "XDHPrivateKeyImpl keys are not directly deserializable");
+ }
+}
diff --git a/src/java.base/share/classes/sun/security/ec/XDHPublicKeyImpl.java b/src/java.base/share/classes/sun/security/ec/XDHPublicKeyImpl.java
index f1f3c88c1be..e6f8961f412 100644
--- a/src/java.base/share/classes/sun/security/ec/XDHPublicKeyImpl.java
+++ b/src/java.base/share/classes/sun/security/ec/XDHPublicKeyImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
package sun.security.ec;
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyRep;
@@ -39,6 +42,7 @@ import sun.security.x509.X509Key;
public final class XDHPublicKeyImpl extends X509Key implements XECPublicKey {
+ @java.io.Serial
private static final long serialVersionUID = 1L;
private final BigInteger u;
@@ -107,7 +111,8 @@ public final class XDHPublicKeyImpl extends X509Key implements XECPublicKey {
return "XDH";
}
- protected Object writeReplace() throws java.io.ObjectStreamException {
+ @java.io.Serial
+ private Object writeReplace() throws java.io.ObjectStreamException {
return new KeyRep(KeyRep.Type.PUBLIC,
getAlgorithm(),
getFormat(),
@@ -130,5 +135,21 @@ public final class XDHPublicKeyImpl extends X509Key implements XECPublicKey {
j--;
}
}
+
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * Deserialization of this object is not supported.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ throw new InvalidObjectException(
+ "XDHPublicKeyImpl keys are not directly deserializable");
+ }
}
diff --git a/src/java.base/share/classes/sun/security/ec/ed/EdDSAPrivateKeyImpl.java b/src/java.base/share/classes/sun/security/ec/ed/EdDSAPrivateKeyImpl.java
index 4adea3f857d..661ec9ed1b7 100644
--- a/src/java.base/share/classes/sun/security/ec/ed/EdDSAPrivateKeyImpl.java
+++ b/src/java.base/share/classes/sun/security/ec/ed/EdDSAPrivateKeyImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@
package sun.security.ec.ed;
import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
import java.security.InvalidKeyException;
import java.security.interfaces.EdECPrivateKey;
import java.util.Optional;
@@ -38,6 +40,7 @@ import sun.security.util.*;
public final class EdDSAPrivateKeyImpl
extends PKCS8Key implements EdECPrivateKey {
+ @java.io.Serial
private static final long serialVersionUID = 1L;
@SuppressWarnings("serial") // Type of field is not Serializable
@@ -102,4 +105,20 @@ public final class EdDSAPrivateKeyImpl
public Optional getBytes() {
return Optional.of(getKey());
}
+
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * Deserialization of this object is not supported.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ throw new InvalidObjectException(
+ "EdDSAPrivateKeyImpl keys are not directly deserializable");
+ }
}
diff --git a/src/java.base/share/classes/sun/security/ec/ed/EdDSAPublicKeyImpl.java b/src/java.base/share/classes/sun/security/ec/ed/EdDSAPublicKeyImpl.java
index c1cba3a1fb1..671b53e1c6e 100644
--- a/src/java.base/share/classes/sun/security/ec/ed/EdDSAPublicKeyImpl.java
+++ b/src/java.base/share/classes/sun/security/ec/ed/EdDSAPublicKeyImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
package sun.security.ec.ed;
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyRep;
@@ -39,6 +42,7 @@ import sun.security.x509.X509Key;
public final class EdDSAPublicKeyImpl extends X509Key implements EdECPublicKey {
+ @java.io.Serial
private static final long serialVersionUID = 1L;
@SuppressWarnings("serial") // Type of field is not Serializable
@@ -108,7 +112,8 @@ public final class EdDSAPublicKeyImpl extends X509Key implements EdECPublicKey {
return "EdDSA";
}
- protected Object writeReplace() throws java.io.ObjectStreamException {
+ @java.io.Serial
+ private Object writeReplace() throws java.io.ObjectStreamException {
return new KeyRep(KeyRep.Type.PUBLIC, getAlgorithm(), getFormat(),
getEncoded());
}
@@ -129,4 +134,20 @@ public final class EdDSAPublicKeyImpl extends X509Key implements EdECPublicKey {
j--;
}
}
+
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * Deserialization of this object is not supported.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ throw new InvalidObjectException(
+ "EdDSAPublicKeyImpl keys are not directly deserializable");
+ }
}
diff --git a/src/java.base/share/classes/sun/security/provider/DSAPublicKeyImpl.java b/src/java.base/share/classes/sun/security/provider/DSAPublicKeyImpl.java
index 2c402ef2863..ca84d202c14 100644
--- a/src/java.base/share/classes/sun/security/provider/DSAPublicKeyImpl.java
+++ b/src/java.base/share/classes/sun/security/provider/DSAPublicKeyImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,17 +25,20 @@
package sun.security.provider;
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
import java.math.BigInteger;
import java.security.KeyRep;
import java.security.InvalidKeyException;
/**
* An X.509 public key for the Digital Signature Algorithm.
- *
+ *
* The difference between DSAPublicKeyImpl and DSAPublicKey is that
* DSAPublicKeyImpl calls writeReplace with KeyRep, and DSAPublicKey
* calls writeObject.
- *
+ *
* See the comments in DSAKeyFactory, 4532506, and 6232513.
*
*/
@@ -72,10 +75,26 @@ public final class DSAPublicKeyImpl extends DSAPublicKey {
}
@java.io.Serial
- protected Object writeReplace() throws java.io.ObjectStreamException {
+ private Object writeReplace() throws java.io.ObjectStreamException {
return new KeyRep(KeyRep.Type.PUBLIC,
getAlgorithm(),
getFormat(),
getEncoded());
}
+
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * Deserialization of this object is not supported.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ throw new InvalidObjectException(
+ "DSAPublicKeyImpl keys are not directly deserializable");
+ }
}
diff --git a/src/java.base/share/classes/sun/security/provider/PolicyFile.java b/src/java.base/share/classes/sun/security/provider/PolicyFile.java
index 2a5c13b8bc2..f218591ce11 100644
--- a/src/java.base/share/classes/sun/security/provider/PolicyFile.java
+++ b/src/java.base/share/classes/sun/security/provider/PolicyFile.java
@@ -2098,8 +2098,17 @@ public class PolicyFile extends java.security.Policy {
this.actions.equals(that.actions)))
return false;
- if (this.certs.length != that.certs.length)
+ if ((this.certs == null) && (that.certs == null)) {
+ return true;
+ }
+
+ if ((this.certs == null) || (that.certs == null)) {
return false;
+ }
+
+ if (this.certs.length != that.certs.length) {
+ return false;
+ }
int i,j;
boolean match;
@@ -2163,7 +2172,7 @@ public class PolicyFile extends java.security.Policy {
}
public Certificate[] getCerts() {
- return certs;
+ return (certs == null ? null : certs.clone());
}
/**
@@ -2176,6 +2185,22 @@ public class PolicyFile extends java.security.Policy {
@Override public String toString() {
return "(SelfPermission " + type + " " + name + " " + actions + ")";
}
+
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ stream.defaultReadObject();
+ if (certs != null) {
+ this.certs = certs.clone();
+ }
+ }
}
/**
diff --git a/src/java.base/share/classes/sun/security/provider/SecureRandom.java b/src/java.base/share/classes/sun/security/provider/SecureRandom.java
index 5df3adf6ea8..a8d82b649b0 100644
--- a/src/java.base/share/classes/sun/security/provider/SecureRandom.java
+++ b/src/java.base/share/classes/sun/security/provider/SecureRandom.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1998, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
package sun.security.provider;
import java.io.IOException;
+import java.io.InvalidObjectException;
import java.security.MessageDigest;
import java.security.SecureRandomSpi;
import java.security.NoSuchAlgorithmException;
@@ -192,7 +193,7 @@ implements java.io.Serializable {
/**
* This static object will be seeded by SeedGenerator, and used
* to seed future instances of SHA1PRNG SecureRandoms.
- *
+ *
* Bloch, Effective Java Second Edition: Item 71
*/
private static class SeederHolder {
@@ -265,18 +266,24 @@ implements java.io.Serializable {
}
/*
- * readObject is called to restore the state of the random object from
- * a stream. We have to create a new instance of MessageDigest, because
+ * This method is called to restore the state of the random object from
+ * a stream.
+ *
+ * We have to create a new instance of {@code MessageDigest}, because
* it is not included in the stream (it is marked "transient").
- *
- * Note that the engineNextBytes() method invoked on the restored random
- * object will yield the exact same (random) bytes as the original.
+ *
+ * Note that the {@code engineNextBytes()} method invoked on the restored
+ * random object will yield the exact same (random) bytes as the original.
* If you do not want this behaviour, you should re-seed the restored
- * random object, using engineSetSeed().
+ * random object, using {@code engineSetSeed()}.
+ *
+ * @param s the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
*/
@java.io.Serial
private void readObject(java.io.ObjectInputStream s)
- throws IOException, ClassNotFoundException {
+ throws IOException, ClassNotFoundException {
s.defaultReadObject ();
@@ -295,5 +302,34 @@ implements java.io.Serializable {
"internal error: SHA-1 not available.", exc);
}
}
+
+ // Various consistency checks
+ if ((remainder == null) && (remCount > 0)) {
+ throw new InvalidObjectException(
+ "Remainder indicated, but no data available");
+ }
+
+ // Not yet allocated state
+ if (state == null) {
+ if (remainder == null) {
+ return;
+ } else {
+ throw new InvalidObjectException(
+ "Inconsistent buffer allocations");
+ }
+ }
+
+ // Sanity check on sizes/pointer
+ if ((state.length != DIGEST_SIZE) ||
+ ((remainder != null) && (remainder.length != DIGEST_SIZE)) ||
+ (remCount < 0 ) || (remCount >= DIGEST_SIZE)) {
+ throw new InvalidObjectException(
+ "Inconsistent buffer sizes/state");
+ }
+
+ state = state.clone();
+ if (remainder != null) {
+ remainder = remainder.clone();
+ }
}
}
diff --git a/src/java.base/share/classes/sun/security/provider/certpath/X509CertPath.java b/src/java.base/share/classes/sun/security/provider/certpath/X509CertPath.java
index 41da617e4e4..1a9ba8914e2 100644
--- a/src/java.base/share/classes/sun/security/provider/certpath/X509CertPath.java
+++ b/src/java.base/share/classes/sun/security/provider/certpath/X509CertPath.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,9 +25,7 @@
package sun.security.provider.certpath;
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
+import java.io.*;
import java.security.cert.CertificateEncodingException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
@@ -379,4 +377,20 @@ public class X509CertPath extends CertPath {
public List getCertificates() {
return certs;
}
+
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * Deserialization of this object is not supported.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ throw new InvalidObjectException(
+ "X509CertPaths are not directly deserializable");
+ }
}
diff --git a/src/java.base/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/src/java.base/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
index 86e063f95cd..99365640ec7 100644
--- a/src/java.base/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
+++ b/src/java.base/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@
package sun.security.rsa;
import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
import java.math.BigInteger;
import java.security.*;
@@ -43,7 +45,7 @@ import sun.security.rsa.RSAUtil.KeyType;
* RSA private key implementation for "RSA", "RSASSA-PSS" algorithms in CRT form.
* For non-CRT private keys, see RSAPrivateKeyImpl. We need separate classes
* to ensure correct behavior in instanceof checks, etc.
- *
+ *
* Note: RSA keys must be at least 512 bits long
*
* @see RSAPrivateKeyImpl
@@ -356,4 +358,20 @@ public final class RSAPrivateCrtKeyImpl
throw new InvalidKeyException("Invalid RSA private key", e);
}
}
+
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * Deserialization of this object is not supported.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ throw new InvalidObjectException(
+ "RSAPrivateCrtKeyImpl keys are not directly deserializable");
+ }
}
diff --git a/src/java.base/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java b/src/java.base/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java
index 7285fce33a2..da5474cb26a 100644
--- a/src/java.base/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java
+++ b/src/java.base/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
package sun.security.rsa;
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
import java.math.BigInteger;
import java.security.*;
@@ -39,10 +42,11 @@ import sun.security.rsa.RSAUtil.KeyType;
/**
* RSA private key implementation for "RSA", "RSASSA-PSS" algorithms in non-CRT
- * form (modulus, private exponent only). For CRT private keys, see
- * RSAPrivateCrtKeyImpl. We need separate classes to ensure correct behavior
- * in instanceof checks, etc.
- *
+ * form (modulus, private exponent only).
+ *
+ * For CRT private keys, see RSAPrivateCrtKeyImpl. We need separate classes
+ * to ensure correct behavior in instanceof checks, etc.
+ *
* Note: RSA keys must be at least 512 bits long
*
* @see RSAPrivateCrtKeyImpl
@@ -141,4 +145,20 @@ public final class RSAPrivateKeyImpl extends PKCS8Key implements RSAPrivateKey {
+ " bits" + "\n params: " + keyParams + "\n modulus: " + n
+ "\n private exponent: " + d;
}
+
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * Deserialization of this object is not supported.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ throw new InvalidObjectException(
+ "RSAPrivateKeyImpl keys are not directly deserializable");
+ }
}
diff --git a/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java b/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java
index 0cff2f6768c..5a0745604d2 100644
--- a/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java
+++ b/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@
package sun.security.rsa;
import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
import java.math.BigInteger;
import java.security.*;
@@ -39,7 +41,7 @@ import sun.security.rsa.RSAUtil.KeyType;
/**
* RSA public key implementation for "RSA", "RSASSA-PSS" algorithms.
- *
+ *
* Note: RSA keys must be at least 512 bits long
*
* @see RSAPrivateCrtKeyImpl
@@ -233,10 +235,26 @@ public final class RSAPublicKeyImpl extends X509Key implements RSAPublicKey {
}
@java.io.Serial
- protected Object writeReplace() throws java.io.ObjectStreamException {
+ private Object writeReplace() throws java.io.ObjectStreamException {
return new KeyRep(KeyRep.Type.PUBLIC,
getAlgorithm(),
getFormat(),
getEncoded());
}
+
+ /**
+ * Restores the state of this object from the stream.
+ *
+ * Deserialization of this object is not supported.
+ *
+ * @param stream the {@code ObjectInputStream} from which data is read
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a serialized class cannot be loaded
+ */
+ @java.io.Serial
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ throw new InvalidObjectException(
+ "RSAPublicKeyImpl keys are not directly deserializable");
+ }
}
diff --git a/src/java.base/share/classes/sun/security/x509/X509CertImpl.java b/src/java.base/share/classes/sun/security/x509/X509CertImpl.java
index e2e3c2541e7..656e4c168fb 100644
--- a/src/java.base/share/classes/sun/security/x509/X509CertImpl.java
+++ b/src/java.base/share/classes/sun/security/x509/X509CertImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -536,7 +536,7 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
/**
* Return the requested attribute from the certificate.
- *
+ *
* Note that the X509CertInfo is not cloned for performance reasons.
* Callers must ensure that they do not modify it. All other
* attributes are cloned.
@@ -1218,7 +1218,7 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
for (GeneralName gname : names.names()) {
GeneralNameInterface name = gname.getName();
List