RFR 8157308: DRBG serialization fix
Wang Weijun
weijun.wang at oracle.com
Thu May 19 08:21:25 UTC 2016
Please take a look at
http://cr.openjdk.java.net/~weijun/8157308/webrev.00/
Now that DRBG does not save any internal state during serialization, all DRBG implementations (HashDrbg, HmacDrbg, CtrDrbg) still extend SecureRandomSpi and contain quite a few @serial fields. If some of them are corrupted, a deserialized DRBG may run expectedly; it also prevents class evolution.
The fix is to make AbstractDrbg no longer a SecureRandomSpi child, so it is no longer serializable. DRBG is still a SecureRandomSpi child and its only @serial field is MoreDrbgParameters mdp. MoreDrbgParameters is also made serializable.
One new test is added. Since AbstractDrbg is no longer a SecureRandomSpi, its child class can no longer be registered in a SecureRandom provider, and the AbstractDrbgSpec.java test is removed.
Thanks
Max
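
The pattern described in this message, sketched as an added example that is not the JDK's code or part of the original post: a serializable wrapper keeps only its configuration as serial state and rebuilds a non-serializable engine when it is deserialized. The names `Params`, `Engine` and `Wrapper` are hypothetical, and `Engine` uses `SecureRandom` as a stand-in for a real DRBG implementation.

```java
import java.io.*;
import java.security.SecureRandom;

public class SerialDemo {
    // Hypothetical configuration object: the only state that is serialized.
    static final class Params implements Serializable {
        private static final long serialVersionUID = 1L;
        final String mech;
        final int strength;
        Params(String mech, int strength) { this.mech = mech; this.strength = strength; }
    }

    // Hypothetical engine, deliberately NOT Serializable: its internal state
    // can never be written to, or restored from, a serialized stream.
    static final class Engine {
        private final SecureRandom source = new SecureRandom(); // stand-in for DRBG state
        Engine(Params p) {
            // The constructor is the single place where configuration is validated.
            if (p.mech == null || (p.strength != 128 && p.strength != 256))
                throw new IllegalArgumentException("unsupported parameters");
        }
        byte[] next(int n) { byte[] b = new byte[n]; source.nextBytes(b); return b; }
    }

    static final class Wrapper implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Params params;      // sole serial field
        private transient Engine engine;  // rebuilt on read, never deserialized
        Wrapper(Params p) { params = p; engine = new Engine(p); }
        byte[] next(int n) { return engine.next(n); }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (params == null) throw new InvalidObjectException("missing params");
            // Corrupted parameters fail here instead of yielding a half-valid engine.
            try { engine = new Engine(params); }
            catch (IllegalArgumentException e) { throw new InvalidObjectException(e.getMessage()); }
        }
    }

    public static void main(String[] args) throws Exception {
        Wrapper w = new Wrapper(new Params("Hash_DRBG", 256)); // constructed sample values
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(w); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            Wrapper copy = (Wrapper) in.readObject();
            System.out.println("bytes from rebuilt engine: " + copy.next(16).length);
        }
    }
}
```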