55 }
56
57 AlgorithmParameters getParameters() {
58 AlgorithmParameters params = null;
59 if (super.encodedParams != null) {
60 try {
61 params = AlgorithmParameters.getInstance("PBE",
62 SunJCE.getInstance());
63 params.init(super.encodedParams);
64 } catch (NoSuchAlgorithmException nsae) {
65 throw new RuntimeException(
66 "SunJCE provider is not configured properly");
67 } catch (IOException io) {
68 throw new RuntimeException("Parameter failure: "+
69 io.getMessage());
70 }
71 }
72 return params;
73 }
74
75 final Key getKey(Cipher c)
76 throws IOException, ClassNotFoundException, IllegalBlockSizeException,
77 BadPaddingException {
78
79 try (ObjectInputStream ois = SharedSecrets.getJavaxCryptoSealedObjectAccess()
80 .getExtObjectInputStream(this, c)) {
81 AccessController.doPrivileged(
82 (PrivilegedAction<Void>) () -> {
83 ois.setObjectInputFilter(DeserializationChecker.ONE_FILTER);
84 return null;
85 });
86 try {
87 @SuppressWarnings("unchecked")
88 Key t = (Key) ois.readObject();
89 return t;
90 } catch (InvalidClassException ice) {
91 String msg = ice.getMessage();
92 if (msg.contains("REJECTED")) {
93 throw new IOException("Rejected by the"
94 + " jceks.key.serialFilter or jdk.serialFilter"
95 + " property", ice);
96 } else {
97 throw ice;
98 }
99 }
100 }
101 }
102
103 /**
104 * The filter for the content of a SealedObjectForKeyProtector.
105 *
106 * First, the jceks.key.serialFilter will be consulted. If the result
107 * is UNDECIDED, the system level jdk.serialFilter will be consulted.
108 */
109 private static class DeserializationChecker implements ObjectInputFilter {
110
111 private static final ObjectInputFilter ONE_FILTER;
112
113 static {
114 String prop = AccessController.doPrivileged(
115 (PrivilegedAction<String>) () -> {
116 String tmp = System.getProperty(KEY_SERIAL_FILTER);
117 if (tmp != null) {
118 return tmp;
119 } else {
120 return Security.getProperty(KEY_SERIAL_FILTER);
121 }
122 });
123 ONE_FILTER = new DeserializationChecker(prop == null ? null
124 : ObjectInputFilter.Config.createFilter(prop));
125 }
126
127 private final ObjectInputFilter base;
128
129 private DeserializationChecker(ObjectInputFilter base) {
130 this.base = base;
131 }
132
133 @Override
134 public ObjectInputFilter.Status checkInput(
135 ObjectInputFilter.FilterInfo info) {
136
137 if (info.serialClass() == Object.class) {
138 return Status.UNDECIDED;
139 }
140
141 if (base != null) {
142 Status result = base.checkInput(info);
143 if (result != Status.UNDECIDED) {
144 return result;
145 }
146 }
147
148 ObjectInputFilter defaultFilter =
149 ObjectInputFilter.Config.getSerialFilter();
150 if (defaultFilter != null) {
151 return defaultFilter.checkInput(info);
152 }
153
154 return Status.UNDECIDED;
155 }
156 }
157 }
|
55 }
56
57 AlgorithmParameters getParameters() {
58 AlgorithmParameters params = null;
59 if (super.encodedParams != null) {
60 try {
61 params = AlgorithmParameters.getInstance("PBE",
62 SunJCE.getInstance());
63 params.init(super.encodedParams);
64 } catch (NoSuchAlgorithmException nsae) {
65 throw new RuntimeException(
66 "SunJCE provider is not configured properly");
67 } catch (IOException io) {
68 throw new RuntimeException("Parameter failure: "+
69 io.getMessage());
70 }
71 }
72 return params;
73 }
74
75 final Key getKey(Cipher c, int maxLength)
76 throws IOException, ClassNotFoundException, IllegalBlockSizeException,
77 BadPaddingException {
78
79 try (ObjectInputStream ois = SharedSecrets.getJavaxCryptoSealedObjectAccess()
80 .getExtObjectInputStream(this, c)) {
81 AccessController.doPrivileged(
82 (PrivilegedAction<Void>) () -> {
83 ois.setObjectInputFilter(new DeserializationChecker(maxLength));
84 return null;
85 });
86 try {
87 @SuppressWarnings("unchecked")
88 Key t = (Key) ois.readObject();
89 return t;
90 } catch (InvalidClassException ice) {
91 String msg = ice.getMessage();
92 if (msg.contains("REJECTED")) {
93 throw new IOException("Rejected by the"
94 + " jceks.key.serialFilter or jdk.serialFilter"
95 + " property", ice);
96 } else {
97 throw ice;
98 }
99 }
100 }
101 }
102
103 /**
104 * The filter for the content of a SealedObjectForKeyProtector.
105 *
106 * First, the jceks.key.serialFilter will be consulted. If the result
107 * is UNDECIDED, the system level jdk.serialFilter will be consulted.
108 */
109 private static class DeserializationChecker implements ObjectInputFilter {
110
111 private static final ObjectInputFilter OWN_FILTER;
112
113 static {
114 String prop = AccessController.doPrivileged(
115 (PrivilegedAction<String>) () -> {
116 String tmp = System.getProperty(KEY_SERIAL_FILTER);
117 if (tmp != null) {
118 return tmp;
119 } else {
120 return Security.getProperty(KEY_SERIAL_FILTER);
121 }
122 });
123 OWN_FILTER = prop == null
124 ? null
125 : ObjectInputFilter.Config.createFilter(prop);
126 }
127
128 // Maximum possible length of anything inside
129 private final int maxLength;
130
131 private DeserializationChecker(int maxLength) {
132 this.maxLength = maxLength;
133 }
134
135 @Override
136 public ObjectInputFilter.Status checkInput(
137 ObjectInputFilter.FilterInfo info) {
138
139 if (info.arrayLength() > maxLength) {
140 return Status.REJECTED;
141 }
142
143 if (info.serialClass() == Object.class) {
144 return Status.UNDECIDED;
145 }
146
147 if (OWN_FILTER != null) {
148 Status result = OWN_FILTER.checkInput(info);
149 if (result != Status.UNDECIDED) {
150 return result;
151 }
152 }
153
154 ObjectInputFilter defaultFilter =
155 ObjectInputFilter.Config.getSerialFilter();
156 if (defaultFilter != null) {
157 return defaultFilter.checkInput(info);
158 }
159
160 return Status.UNDECIDED;
161 }
162 }
163 }
|