RFR 8157308: DRBG serialization fix
Sean Mullan
sean.mullan at oracle.com
Thu Jun 2 16:09:23 UTC 2016
For the test/sun/security/provider/SecureRandom/AbstractDrbgSpec.java
that was removed, are you still getting adequate test coverage somewhere
else on the SecureRandom API tests this test was checking?
Otherwise this looks good, though may I suggest you adjust the bug
synopsis to be less generic? How about: "Make AbstractDrbg
non-Serializable".
--Sean
On 05/23/2016 06:39 PM, Wang Weijun wrote:
> Ping again.
>
>> 在 2016年5月19日,16:21,Wang Weijun <weijun.wang at oracle.com> 写道:
>>
>> Please take a review at
>>
>> http://cr.openjdk.java.net/~weijun/8157308/webrev.00/
>>
>> Now that DRBG does not save any internal state during
>> serialization, all DRBG implementations (HashDrbg, HmacDrbg,
>> CtrDrbg) still extends SecureRandomSpi and contain quite some
>> @serial fields. If some of them is corrupted a deserialized DRBG
>> may run expectedly, it also prevents class evolution.
>>
>> The fix is to make AbstractDrbg no more a SecureRandomSpi child so
>> no more serializable. DRBG is still a SecureRandomSpi child and its
>> only @serial field is MoreDrbgParameters mdp. MoreDrbgParamaters is
>> also made serializable.
>>
>> One new test is added. Since AbstractDrbg is no longer a
>> SecureRandomSpi, its child class can no longer be registered in a
>> SecureRandom provider, and the AbstractDrbgSpec.java test is
>> removed.
>>
>> Thanks Max
>>
>
More information about the security-dev
mailing list