RFR 8157308: DRBG serialization fix
Wang Weijun
weijun.wang at oracle.com
Mon May 23 22:39:38 UTC 2016
Ping again.
> On May 19, 2016, at 16:21, Wang Weijun <weijun.wang at oracle.com> wrote:
>
> Please take a look at
>
> http://cr.openjdk.java.net/~weijun/8157308/webrev.00/
>
> Now that DRBG does not save any internal state during serialization, all DRBG implementations (HashDrbg, HmacDrbg, CtrDrbg) still extend SecureRandomSpi and contain quite a few @serial fields. If some of them are corrupted, a deserialized DRBG may run expectedly; it also prevents class evolution.
>
> The fix is to make AbstractDrbg no longer a SecureRandomSpi child, so it is no longer serializable. DRBG is still a SecureRandomSpi child and its only @serial field is MoreDrbgParameters mdp. MoreDrbgParameters is also made serializable.
>
> One new test is added. Since AbstractDrbg is no longer a SecureRandomSpi, its child class can no longer be registered in a SecureRandom provider, and the AbstractDrbgSpec.java test is removed.
>
> Thanks
> Max
>
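The design described in the quoted message, as an added example that is not part of the original post and is not the JDK source: a serializable wrapper whose only serial field is its configuration, with a non-serializable engine rebuilt on deserialization. The class names `Params`, `Engine`, `Wrapper` and `DrbgSerialDemo` are hypothetical, and `Engine` delegates to a platform `SecureRandom` as a stand-in for a real DRBG mechanism.

```java
import java.io.*;
import java.security.SecureRandom;
// All class names here are hypothetical; this mirrors the described design, not JDK source.
public class DrbgSerialDemo {
    // The only serialized state: configuration, validated on construction and on read.
    static final class Params implements Serializable {
        private static final long serialVersionUID = 1L;
        final String mech;
        final int strength;
        Params(String mech, int strength) { this.mech = mech; this.strength = strength; check(); }
        void check() {
            if (mech == null || !mech.matches("Hash_DRBG|HMAC_DRBG|CTR_DRBG"))
                throw new IllegalArgumentException("unknown mechanism");
            if (strength != 112 && strength != 128 && strength != 192 && strength != 256)
                throw new IllegalArgumentException("unsupported strength");
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // A corrupted stream is rejected here instead of yielding a misconfigured generator.
            try { check(); } catch (IllegalArgumentException e) { throw new InvalidObjectException(e.getMessage()); }
        }
    }
    // Not Serializable, so working state can never reach the stream.
    static final class Engine {
        private final SecureRandom source = new SecureRandom(); // stand-in for a real mechanism
        void nextBytes(byte[] out) { source.nextBytes(out); }
    }
    static final class Wrapper implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Params params;      // the single serial field
        private transient Engine engine;  // rebuilt on read, never deserialized
        Wrapper(Params p) { params = p; engine = new Engine(); }
        void nextBytes(byte[] out) { engine.nextBytes(out); }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (params == null) throw new InvalidObjectException("missing params");
            engine = new Engine(); // fresh state; nothing from the stream seeds it
        }
    }
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream o = new ObjectOutputStream(buf)) { o.writeObject(new Wrapper(new Params("HMAC_DRBG", 256))); }
        try (ObjectInputStream i = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            Wrapper r = (Wrapper) i.readObject();
            byte[] b = new byte[16];
            r.nextBytes(b); // works because readObject rebuilt the transient engine
            System.out.println(r.params.mech + "/" + r.params.strength + " restored with a fresh engine");
        }
    }
}
```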