RFR 8157308: DRBG serialization fix
Wang Weijun
weijun.wang at oracle.com
Fri Jun 3 06:12:36 UTC 2016
Webrev updated at
http://cr.openjdk.java.net/~weijun/8157308/webrev.01/
AbstractDrbg is an internal class so I have to patch the JDK itself.
Thanks
Max
> On Jun 3, 2016, at 12:09 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>
> For the test/sun/security/provider/SecureRandom/AbstractDrbgSpec.java that was removed, are you still getting adequate test coverage somewhere else on the SecureRandom API tests this test was checking?
>
> Otherwise this looks good, though may I suggest you adjust the bug synopsis to be less generic? How about: "Make AbstractDrbg non-Serializable".
>
> --Sean
>
> On 05/23/2016 06:39 PM, Wang Weijun wrote:
>> Ping again.
>>
>>> 在 2016年5月19日,16:21,Wang Weijun <weijun.wang at oracle.com> 写道:
>>>
>>> Please take a review at
>>>
>>> http://cr.openjdk.java.net/~weijun/8157308/webrev.00/
>>>
>>> Now that DRBG does not save any internal state during
>>> serialization, all DRBG implementations (HashDrbg, HmacDrbg,
>>> CtrDrbg) still extends SecureRandomSpi and contain quite some
>>> @serial fields. If some of them is corrupted a deserialized DRBG
>>> may run expectedly, it also prevents class evolution.
>>>
>>> The fix is to make AbstractDrbg no more a SecureRandomSpi child so
>>> no more serializable. DRBG is still a SecureRandomSpi child and its
>>> only @serial field is MoreDrbgParameters mdp. MoreDrbgParamaters is
>>> also made serializable.
>>>
>>> One new test is added. Since AbstractDrbg is no longer a
>>> SecureRandomSpi, its child class can no longer be registered in a
>>> SecureRandom provider, and the AbstractDrbgSpec.java test is
>>> removed.
>>>
>>> Thanks Max
>>>
>>
More information about the security-dev
mailing list