From acb747a30e2e98fa5917b5362a4ce87b799492b3 Mon Sep 17 00:00:00 2001
From: weijun
Date: Fri, 3 Apr 2020 17:24:59 +0800
Subject: [PATCH] 8241379: Update JCEKS support
Reviewed-by: ahgross, mullan, rhalade
---
 .../com/sun/crypto/provider/JceKeyStore.java | 33 ++++++++++++-------
 1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java b/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java
index 8c3af7a901..2559bb2b49 100644
--- a/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java
+++ b/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -936,8 +936,6 @@ public final class JceKeyStore extends KeyStoreSpi {
      */
     private static class DeserializationChecker implements ObjectInputFilter {
-        private static final int MAX_NESTED_DEPTH = 2;
-
         // Full length of keystore, anything inside a SecretKeyEntry should not
         // be bigger. Otherwise, must be illegal.
         private final int fullLength;
@@ -950,16 +948,29 @@ public final class JceKeyStore extends KeyStoreSpi {
         public ObjectInputFilter.Status checkInput(ObjectInputFilter.FilterInfo info) {
-            // First run a custom filter
-            long nestedDepth = info.depth();
-            if ((nestedDepth == 1 &&
-                    info.serialClass() != SealedObjectForKeyProtector.class) ||
-                    info.arrayLength() > fullLength ||
-                    (nestedDepth > MAX_NESTED_DEPTH &&
-                    info.serialClass() != null &&
-                    info.serialClass() != Object.class)) {
+            if (info.arrayLength() > fullLength) {
                 return Status.REJECTED;
             }
+            // First run a custom filter
+            Class clazz = info.serialClass();
+            switch((int)info.depth()) {
+                case 1:
+                    if (clazz != SealedObjectForKeyProtector.class) {
+                        return Status.REJECTED;
+                    }
+                    break;
+                case 2:
+                    if (clazz != null && clazz != SealedObject.class
+                            && clazz != byte[].class) {
+                        return Status.REJECTED;
+                    }
+                    break;
+                default:
+                    if (clazz != null && clazz != Object.class) {
+                        return Status.REJECTED;
+                    }
+                    break;
+            }
             // Next run the default filter, if available
             ObjectInputFilter defaultFilter =
--
GitLab
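Review bot: `Class clazz = info.serialClass();` in checkInput declares a raw type even though `FilterInfo.serialClass()` returns `Class<?>`; it should read `Class<?> clazz = info.serialClass();`. The `switch((int)info.depth())` also narrows a `long` to `int`, which a real stream is unlikely to reach but is easy to avoid with an `if`/`else if` chain on the `long` value, so that the `default` arm never has to absorb wrapped values silently. The depth-2 arm admits `SealedObject.class` and `byte[].class` with no comment on why exactly those two are expected at that level; a note along the lines of `// depth 2: SealedObject superclass descriptor and the sealed byte[] payload` (rationale to be confirmed against the stream layout) would spare the next reader the derivation. Finally, `// First run a custom filter` now sits below the array-length check, which is itself part of the custom filter, so it belongs above that first `if`. checkInput's body continues past the end of the hunk.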