diff --git a/CHANGELOG.md b/CHANGELOG.md index b82a2418b88..3b6dbf485c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,42 @@ The following sections describe the changes for each release of Amazon Corretto 8. +## Corretto version: 8.392.08.1 +Release Date: October 17, 2023 + +**Target Platforms 1** + ++ RPM-based Linux using glibc 2.12 or later, x86_64 ++ Debian-based Linux using glibc 2.12 or later, x86_64 ++ RPM-based Linux using glibc 2.17 or later, aarch64 ++ Debian-based Linux using glibc 2.17 or later, aarch64 ++ Alpine-based Linux, x86_64 ++ Alpine-based Linux, aarch64 ++ Windows 10 or later, x86, x86_64 ++ macOS 11.0 and later, x86_64 ++ macOS 11.0 and later, aarch64 + +**1.** This is the platform targeted by the build. See [Using Amazon Corretto](https://aws.amazon.com/corretto/faqs/#Using_Amazon_Corretto) +in the Amazon Corretto FAQ for supported platforms + +The following issues are addressed in 8.392.08.1: + +| Issue Name | Platform | Description | Link | +|---------------------------------------------------|----------|----------------------------------------------------------------------------|----------------------------------------------------------------------------| +| Import jdk8u392-b08 | All | Updates Corretto baseline to OpenJDK 8u392-b08 | [jdk8u392-b08](https://github.com/openjdk/jdk8u/releases/tag/jdk8u392-b08) | +| Backport of JDK-8139348 | All | Deprecate 3DES and RC4 in Kerberos | [JDK-8139348](https://bugs.openjdk.org/browse/JDK-8139348) | + + + +The following CVEs are addressed in 8.392.08.1: + +| CVE | CVSS | Component | +|----------------|------|-----------------------------| +| CVE-2023-22067 | 5.3 | other-libs/corba | +| CVE-2023-22081 | 5.3 | security-libs/javax.net.ssl | + + + ## Corretto version: 8.382.05.1 Release Date: July 18, 2023 diff --git a/corba/src/share/classes/com/sun/corba/se/impl/orbutil/IORCheckImpl.java b/corba/src/share/classes/com/sun/corba/se/impl/orbutil/IORCheckImpl.java new file mode 100644 index 00000000000..9f44957e862 --- /dev/null +++ b/corba/src/share/classes/com/sun/corba/se/impl/orbutil/IORCheckImpl.java @@ -0,0 +1,109 @@ +/* + * Copyright (c) 2023, Azul Systems, Inc. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ +package com.sun.corba.se.impl.orbutil; + +import java.io.InvalidObjectException; +import java.security.AccessController; +import java.util.*; + +import sun.security.action.GetPropertyAction; + +public final class IORCheckImpl { + + private static final Set stubsToCheck; + + static { + boolean checkLocalStubs = + !getBooleanProperty(ORBConstants.DISABLE_IOR_CHECK_FOR_LOCAL_STUBS, + getBooleanProperty(ORBConstants.ALLOW_DESERIALIZE_OBJECT, false)); + + boolean checkRemoteStubs = + getBooleanProperty(ORBConstants.ENABLE_IOR_CHECK_FOR_REMOTE_STUBS, false); + + stubsToCheck = getStubsToCheck(checkLocalStubs, checkRemoteStubs); + } + + private static Set getStubsToCheck(boolean checkLocalStubs, boolean checkRemoteStubs) { + if (!checkLocalStubs && !checkRemoteStubs) { + return Collections.emptySet(); + } + List stubs = new ArrayList<>(); + if (checkLocalStubs) { + stubs.addAll(getLocalStubs()); + } + if (checkRemoteStubs) { + stubs.addAll(getRemoteStubs()); + } + return Collections.unmodifiableSet(new HashSet<>(stubs)); + } + + private static List getLocalStubs() { + String[] localStubs = { + "org.omg.DynamicAny._DynAnyFactoryStub", + "org.omg.DynamicAny._DynAnyStub", + "org.omg.DynamicAny._DynArrayStub", + "org.omg.DynamicAny._DynEnumStub", + "org.omg.DynamicAny._DynFixedStub", + "org.omg.DynamicAny._DynSequenceStub", + "org.omg.DynamicAny._DynStructStub", + "org.omg.DynamicAny._DynUnionStub", + "org.omg.DynamicAny._DynValueStub" + }; + return Arrays.asList(localStubs); + } + + private static List getRemoteStubs() { + String[] remoteStubs = { + "com.sun.corba.se.spi.activation._ActivatorStub", + "com.sun.corba.se.spi.activation._InitialNameServiceStub", + "com.sun.corba.se.spi.activation._LocatorStub", + "com.sun.corba.se.spi.activation._RepositoryStub", + "com.sun.corba.se.spi.activation._ServerManagerStub", + "com.sun.corba.se.spi.activation._ServerStub", + "org.omg.CosNaming._BindingIteratorStub", + "org.omg.CosNaming._NamingContextExtStub", + "org.omg.CosNaming._NamingContextStub", + "org.omg.PortableServer._ServantActivatorStub", + "org.omg.PortableServer._ServantLocatorStub" + }; + return Arrays.asList(remoteStubs); + } + + /* + * The str parameter is expected to start with "IOR:". + * Otherwise, the method throws the InvalidObjectException exception. + */ + public static void check(String str, String stubClassName) throws InvalidObjectException { + if (stubsToCheck.contains(stubClassName) && !str.startsWith(ORBConstants.STRINGIFY_PREFIX)) { + throw new InvalidObjectException("IOR: expected"); + } + } + + private static boolean getBooleanProperty(String property, boolean defaultValue) { + String value = AccessController.doPrivileged( + new GetPropertyAction(property, String.valueOf(defaultValue))); + return "true".equalsIgnoreCase(value); + } +} diff --git a/corba/src/share/classes/com/sun/corba/se/impl/orbutil/ORBConstants.java b/corba/src/share/classes/com/sun/corba/se/impl/orbutil/ORBConstants.java index a621d88aa43..9779e5c9970 100644 --- a/corba/src/share/classes/com/sun/corba/se/impl/orbutil/ORBConstants.java +++ b/corba/src/share/classes/com/sun/corba/se/impl/orbutil/ORBConstants.java @@ -317,8 +317,14 @@ public static int makePersistent( int scid ) public static final String DYNAMIC_STUB_FACTORY_FACTORY_CLASS = SUN_PREFIX + "ORBDynamicStubFactoryFactoryClass" ; + // This property is provided for backward compatibility reasons public static final String ALLOW_DESERIALIZE_OBJECT = SUN_PREFIX + "ORBAllowDeserializeObject" ; + // Disables the IOR check for the ORB constrained stubs + public static final String DISABLE_IOR_CHECK_FOR_LOCAL_STUBS = ORG_OMG_PREFIX + "DynamicAny.disableIORCheck" ; + // Enables the IOR check for the Remote CORBA services stubs + public static final String ENABLE_IOR_CHECK_FOR_REMOTE_STUBS = ORG_OMG_CORBA_PREFIX + "IDL.Stubs.enableIORCheck"; + // Constants for NameService properties ************************************ public static final int DEFAULT_INITIAL_PORT = 900; diff --git a/corba/src/share/classes/com/sun/tools/corba/se/idl/toJavaPortable/Stub.java b/corba/src/share/classes/com/sun/tools/corba/se/idl/toJavaPortable/Stub.java index 89c809672e7..62d42619116 100644 --- a/corba/src/share/classes/com/sun/tools/corba/se/idl/toJavaPortable/Stub.java +++ b/corba/src/share/classes/com/sun/tools/corba/se/idl/toJavaPortable/Stub.java @@ -101,6 +101,7 @@ protected void openStream () Util.mkdir (pkg); name = pkg + '/' + name; } + stubClassName = name.replace('/', '.'); stream = Util.getStream (name.replace ('/', File.separatorChar) + ".java", i); } // openStream @@ -342,11 +343,7 @@ protected void writeSerializationMethods () stream.println (" private void readObject (java.io.ObjectInputStream s) throws java.io.IOException"); stream.println (" {"); stream.println (" String str = s.readUTF ();"); - if ("DynAnyFactory".equals (i.name ())) { - stream.println (" if (!str.startsWith(com.sun.corba.se.impl.orbutil.ORBConstants.STRINGIFY_PREFIX) &&"); - stream.println (" !Boolean.getBoolean(com.sun.corba.se.impl.orbutil.ORBConstants.ALLOW_DESERIALIZE_OBJECT))"); - stream.println (" throw new java.io.InvalidObjectException(\"IOR: expected\");"); - } + stream.println (" com.sun.corba.se.impl.orbutil.IORCheckImpl.check(str, \"" + stubClassName + "\");"); stream.println (" String[] args = null;"); stream.println (" java.util.Properties props = null;"); stream.println (" org.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init (args, props);"); @@ -382,4 +379,5 @@ protected void writeSerializationMethods () protected String classSuffix = ""; protected boolean localStub = false; private boolean isAbstract = false; + private String stubClassName = null; } // class Stub diff --git a/jdk/src/share/classes/com/sun/crypto/provider/DESKey.java b/jdk/src/share/classes/com/sun/crypto/provider/DESKey.java index 90d4b833369..54eafe56c4f 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/DESKey.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/DESKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,8 @@ package com.sun.crypto.provider; +import java.io.IOException; +import java.io.InvalidObjectException; import java.security.MessageDigest; import java.security.KeyRep; import java.security.InvalidKeyException; @@ -40,7 +42,7 @@ final class DESKey implements SecretKey { - static final long serialVersionUID = 7724971015953279128L; + private static final long serialVersionUID = 7724971015953279128L; private byte[] key; @@ -99,7 +101,7 @@ public int hashCode() { for (int i = 1; i < this.key.length; i++) { retval += this.key[i] * i; } - return(retval ^= "des".hashCode()); + return(retval ^ "des".hashCode()); } public boolean equals(Object obj) { @@ -120,14 +122,23 @@ public boolean equals(Object obj) { } /** - * readObject is called to restore the state of this key from - * a stream. + * Restores the state of this object from the stream. + * + * @param s the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded */ private void readObject(java.io.ObjectInputStream s) - throws java.io.IOException, ClassNotFoundException + throws IOException, ClassNotFoundException { s.defaultReadObject(); + if ((key == null) || (key.length != DESKeySpec.DES_KEY_LEN)) { + throw new InvalidObjectException("Wrong key size"); + } key = key.clone(); + + DESKeyGenerator.setParityBit(key, 0); + } /** diff --git a/jdk/src/share/classes/com/sun/crypto/provider/DESedeKey.java b/jdk/src/share/classes/com/sun/crypto/provider/DESedeKey.java index 8f0251d0484..3a6569f28a8 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/DESedeKey.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/DESedeKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,8 @@ package com.sun.crypto.provider; +import java.io.IOException; +import java.io.InvalidObjectException; import java.security.MessageDigest; import java.security.KeyRep; import java.security.InvalidKeyException; @@ -40,7 +42,7 @@ final class DESedeKey implements SecretKey { - static final long serialVersionUID = 2463986565756745178L; + private static final long serialVersionUID = 2463986565756745178L; private byte[] key; @@ -99,7 +101,7 @@ public int hashCode() { for (int i = 1; i < this.key.length; i++) { retval += this.key[i] * i; } - return(retval ^= "desede".hashCode()); + return(retval ^ "desede".hashCode()); } public boolean equals(Object obj) { @@ -121,14 +123,24 @@ public boolean equals(Object obj) { } /** - * readObject is called to restore the state of this key from - * a stream. + * Restores the state of this object from the stream. + * + * @param s the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded */ private void readObject(java.io.ObjectInputStream s) - throws java.io.IOException, ClassNotFoundException + throws IOException, ClassNotFoundException { s.defaultReadObject(); + if ((key == null) || (key.length != DESedeKeySpec.DES_EDE_KEY_LEN)) { + throw new InvalidObjectException("Wrong key size"); + } key = key.clone(); + + DESKeyGenerator.setParityBit(key, 0); + DESKeyGenerator.setParityBit(key, 8); + DESKeyGenerator.setParityBit(key, 16); } /** diff --git a/jdk/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java b/jdk/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java index c87cc1c5d62..e1ea506fdba 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,15 +40,13 @@ * algorithm. * * @author Jan Luehe - * - * * @see DHPublicKey * @see java.security.KeyAgreement */ final class DHPrivateKey implements PrivateKey, javax.crypto.interfaces.DHPrivateKey, Serializable { - static final long serialVersionUID = 7565477590005668886L; + private static final long serialVersionUID = 7565477590005668886L; // only supported version of PKCS#8 PrivateKeyInfo private static final BigInteger PKCS8_VERSION = BigInteger.ZERO; @@ -63,10 +61,10 @@ final class DHPrivateKey implements PrivateKey, private byte[] encodedKey; // the prime modulus - private BigInteger p; + private final BigInteger p; // the base generator - private BigInteger g; + private final BigInteger g; // the private-value length (optional) private int l; @@ -319,4 +317,27 @@ private Object writeReplace() throws java.io.ObjectStreamException { getFormat(), getEncoded()); } + + /** + * Restores the state of this object from the stream. + *

+ * JDK 1.5+ objects use KeyReps instead. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if ((key == null) || (key.length == 0)) { + throw new InvalidObjectException("key not deserializable"); + } + this.key = key.clone(); + if ((encodedKey == null) || (encodedKey.length == 0)) { + throw new InvalidObjectException( + "encoded key not deserializable"); + } + this.encodedKey = encodedKey.clone(); + } } diff --git a/jdk/src/share/classes/com/sun/crypto/provider/DHPublicKey.java b/jdk/src/share/classes/com/sun/crypto/provider/DHPublicKey.java index 7293c945768..4e7d0f03ca0 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/DHPublicKey.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/DHPublicKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,15 +40,13 @@ * A public key in X.509 format for the Diffie-Hellman key agreement algorithm. * * @author Jan Luehe - * - * * @see DHPrivateKey * @see java.security.KeyAgreement */ final class DHPublicKey implements PublicKey, javax.crypto.interfaces.DHPublicKey, Serializable { - static final long serialVersionUID = 7647557958927458271L; + private static final long serialVersionUID = 7647557958927458271L; // the public key private BigInteger y; @@ -60,10 +58,10 @@ final class DHPublicKey implements PublicKey, private byte[] encodedKey; // the prime modulus - private BigInteger p; + private final BigInteger p; // the base generator - private BigInteger g; + private final BigInteger g; // the private-value length (optional) private int l; @@ -320,4 +318,27 @@ private Object writeReplace() throws java.io.ObjectStreamException { getFormat(), getEncoded()); } + + /** + * Restores the state of this object from the stream. + *

+ * JDK 1.5+ objects use KeyReps instead. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if ((key == null) || (key.length == 0)) { + throw new InvalidObjectException("key not deserializable"); + } + this.key = key.clone(); + if ((encodedKey == null) || (encodedKey.length == 0)) { + throw new InvalidObjectException( + "encoded key not deserializable"); + } + this.encodedKey = encodedKey.clone(); + } } diff --git a/jdk/src/share/classes/com/sun/crypto/provider/PBEKey.java b/jdk/src/share/classes/com/sun/crypto/provider/PBEKey.java index 7fb66e5597f..69c9d00e584 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/PBEKey.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/PBEKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,8 @@ package com.sun.crypto.provider; +import java.io.IOException; +import java.io.InvalidObjectException; import java.security.MessageDigest; import java.security.KeyRep; import java.security.spec.InvalidKeySpecException; @@ -41,11 +43,11 @@ */ final class PBEKey implements SecretKey { - static final long serialVersionUID = -2234768909660948176L; + private static final long serialVersionUID = -2234768909660948176L; private byte[] key; - private String type; + private final String type; /** * Creates a PBE key from a given PBE key specification. @@ -94,7 +96,7 @@ public int hashCode() { for (int i = 1; i < this.key.length; i++) { retval += this.key[i] * i; } - return(retval ^= getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode()); + return(retval ^ getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode()); } public boolean equals(Object obj) { @@ -128,14 +130,32 @@ public void destroy() { } /** - * readObject is called to restore the state of this key from - * a stream. + * Restores the state of this object from the stream. + * + * @param s the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded */ private void readObject(java.io.ObjectInputStream s) - throws java.io.IOException, ClassNotFoundException + throws IOException, ClassNotFoundException { s.defaultReadObject(); + if (key == null) { + throw new InvalidObjectException( + "PBEKey couldn't be deserialized"); + } key = key.clone(); + + // Accept "\0" to signify "zero-length password with no terminator". + if (!(key.length == 1 && key[0] == 0)) { + for (int i = 0; i < key.length; i++) { + if ((key[i] < '\u0020') || (key[i] > '\u007E')) { + throw new InvalidObjectException( + "PBEKey had non-ASCII chars"); + } + } + } + } diff --git a/jdk/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java b/jdk/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java index 506cc731bea..a039c2e77a0 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java @@ -25,7 +25,7 @@ package com.sun.crypto.provider; -import java.io.ObjectStreamException; +import java.io.*; import java.nio.ByteBuffer; import java.nio.CharBuffer; import java.nio.charset.Charset; @@ -52,14 +52,14 @@ */ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey { - static final long serialVersionUID = -2234868909660948157L; + private static final long serialVersionUID = -2234868909660948157L; private char[] passwd; - private byte[] salt; - private int iterCount; + private final byte[] salt; + private final int iterCount; private byte[] key; - private Mac prf; + private final Mac prf; private static byte[] getPasswordBytes(char[] passwd) { Charset utf8 = Charset.forName("UTF-8"); @@ -131,12 +131,13 @@ private static byte[] deriveKey(final Mac prf, final byte[] password, int intR = keyLength - (intL - 1)*hlen; // residue byte[] ui = new byte[hlen]; byte[] ti = new byte[hlen]; + String algName = prf.getAlgorithm(); // SecretKeySpec cannot be used, since password can be empty here. SecretKey macKey = new SecretKey() { private static final long serialVersionUID = 7874493593505141603L; @Override public String getAlgorithm() { - return prf.getAlgorithm(); + return algName; } @Override public String getFormat() { @@ -149,18 +150,26 @@ public byte[] getEncoded() { @Override public int hashCode() { return Arrays.hashCode(password) * 41 + - prf.getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode(); + algName.toLowerCase(Locale.ENGLISH).hashCode(); } @Override public boolean equals(Object obj) { if (this == obj) return true; if (this.getClass() != obj.getClass()) return false; SecretKey sk = (SecretKey)obj; - return prf.getAlgorithm().equalsIgnoreCase( + return algName.equalsIgnoreCase( sk.getAlgorithm()) && MessageDigest.isEqual(password, sk.getEncoded()); } + // This derived key can't be deserialized. + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "PBKDF2KeyImpl SecretKeys are not " + + "directly deserializable"); + } }; + prf.init(macKey); byte[] ibytes = new byte[4]; @@ -282,4 +291,19 @@ protected void finalize() throws Throwable { super.finalize(); } } + + /** + * Restores the state of this object from the stream. + *

+ * Deserialization of this class is not supported. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "PBKDF2KeyImpl keys are not directly deserializable"); + } } diff --git a/jdk/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java b/jdk/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java index 9a6308f3446..ac6cc2ecf88 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.crypto.provider; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.*; import java.security.spec.AlgorithmParameterSpec; @@ -59,11 +62,11 @@ protected void engineInit(SecureRandom random) { protected void engineInit(AlgorithmParameterSpec params, SecureRandom random) throws InvalidAlgorithmParameterException { - if (params instanceof TlsMasterSecretParameterSpec == false) { + if (!(params instanceof TlsMasterSecretParameterSpec)) { throw new InvalidAlgorithmParameterException(MSG); } this.spec = (TlsMasterSecretParameterSpec)params; - if ("RAW".equals(spec.getPremasterSecret().getFormat()) == false) { + if (!"RAW".equals(spec.getPremasterSecret().getFormat())) { throw new InvalidAlgorithmParameterException( "Key format must be RAW"); } @@ -182,6 +185,21 @@ public byte[] getEncoded() { return key.clone(); } - } + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if ((key == null) || (key.length == 0)) { + throw new InvalidObjectException("TlsMasterSecretKey is null"); + } + key = key.clone(); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/LdapPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/LdapPrincipal.java index 6a324eeaccc..7d1380feba9 100644 --- a/jdk/src/share/classes/com/sun/security/auth/LdapPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/LdapPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; import javax.naming.InvalidNameException; import javax.naming.ldap.LdapName; @@ -136,4 +139,30 @@ public String toString() { private LdapName getLdapName(String name) throws InvalidNameException { return new LdapName(name); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if ((name == null) || (nameString == null)) { + throw new InvalidObjectException( + "null name/nameString is illegal"); + } + try { + if (!name.equals(getLdapName(nameString))) { + throw new InvalidObjectException("Inconsistent names"); + } + } catch (InvalidNameException e) { + InvalidObjectException nse = new InvalidObjectException( + "Invalid Name"); + nse.initCause(e); + throw nse; + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/NTDomainPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/NTDomainPrincipal.java index eb7730cd5ad..c1e8361d656 100644 --- a/jdk/src/share/classes/com/sun/security/auth/NTDomainPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/NTDomainPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -131,9 +134,7 @@ public boolean equals(Object o) { return false; NTDomainPrincipal that = (NTDomainPrincipal)o; - if (name.equals(that.getName())) - return true; - return false; + return name.equals(that.getName()); } /** @@ -146,4 +147,24 @@ public boolean equals(Object o) { public int hashCode() { return this.getName().hashCode(); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (name == null) { + java.text.MessageFormat form = new java.text.MessageFormat + (sun.security.util.ResourcesMgr.getString + ("invalid.null.input.value", + "sun.security.util.AuthResources")); + Object[] source = {"name"}; + throw new InvalidObjectException(form.format(source)); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/NTSid.java b/jdk/src/share/classes/com/sun/security/auth/NTSid.java index 28b40b9302f..d5e063a7141 100644 --- a/jdk/src/share/classes/com/sun/security/auth/NTSid.java +++ b/jdk/src/share/classes/com/sun/security/auth/NTSid.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -85,7 +88,7 @@ public NTSid (String stringSid) { ("Invalid.NTSid.value", "sun.security.util.AuthResources")); } - sid = new String(stringSid); + sid = stringSid; } /** @@ -140,10 +143,7 @@ public boolean equals(Object o) { return false; NTSid that = (NTSid)o; - if (sid.equals(that.sid)) { - return true; - } - return false; + return sid.equals(that.sid); } /** @@ -156,4 +156,30 @@ public boolean equals(Object o) { public int hashCode() { return sid.hashCode(); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (sid == null) { + java.text.MessageFormat form = new java.text.MessageFormat + (sun.security.util.ResourcesMgr.getString + ("invalid.null.input.value", + "sun.security.util.AuthResources")); + Object[] source = {"stringSid"}; + throw new InvalidObjectException(form.format(source)); + } + if (sid.length() == 0) { + throw new InvalidObjectException + (sun.security.util.ResourcesMgr.getString + ("Invalid.NTSid.value", + "sun.security.util.AuthResources")); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/NTUserPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/NTUserPrincipal.java index 91be069aa10..78015fa8609 100644 --- a/jdk/src/share/classes/com/sun/security/auth/NTUserPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/NTUserPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -125,9 +128,7 @@ public boolean equals(Object o) { return false; NTUserPrincipal that = (NTUserPrincipal)o; - if (name.equals(that.getName())) - return true; - return false; + return name.equals(that.getName()); } /** @@ -140,4 +141,25 @@ public boolean equals(Object o) { public int hashCode() { return this.getName().hashCode(); } + + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (name == null) { + java.text.MessageFormat form = new java.text.MessageFormat + (sun.security.util.ResourcesMgr.getString + ("invalid.null.input.value", + "sun.security.util.AuthResources")); + Object[] source = {"name"}; + throw new InvalidObjectException(form.format(source)); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java index db5775ab329..046d75f23da 100644 --- a/jdk/src/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -201,10 +204,8 @@ public boolean equals(Object o) { return false; UnixNumericGroupPrincipal that = (UnixNumericGroupPrincipal)o; - if (this.getName().equals(that.getName()) && - this.isPrimaryGroup() == that.isPrimaryGroup()) - return true; - return false; + return this.getName().equals(that.getName()) && + this.isPrimaryGroup() == that.isPrimaryGroup(); } /** @@ -217,4 +218,24 @@ public boolean equals(Object o) { public int hashCode() { return toString().hashCode(); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (name == null) { + java.text.MessageFormat form = new java.text.MessageFormat + (sun.security.util.ResourcesMgr.getString + ("invalid.null.input.value", + "sun.security.util.AuthResources")); + Object[] source = {"name"}; + throw new InvalidObjectException(form.format(source)); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java index c6dfd7eaf1b..b8a8633d3cc 100644 --- a/jdk/src/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -161,9 +164,7 @@ public boolean equals(Object o) { return false; UnixNumericUserPrincipal that = (UnixNumericUserPrincipal)o; - if (this.getName().equals(that.getName())) - return true; - return false; + return this.getName().equals(that.getName()); } /** @@ -176,4 +177,24 @@ public boolean equals(Object o) { public int hashCode() { return name.hashCode(); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (name == null) { + java.text.MessageFormat form = new java.text.MessageFormat + (sun.security.util.ResourcesMgr.getString + ("invalid.null.input.value", + "sun.security.util.AuthResources")); + Object[] source = {"name"}; + throw new InvalidObjectException(form.format(source)); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/UnixPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/UnixPrincipal.java index 4aefaf9b7f2..de7af16db05 100644 --- a/jdk/src/share/classes/com/sun/security/auth/UnixPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/UnixPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -126,9 +129,7 @@ public boolean equals(Object o) { return false; UnixPrincipal that = (UnixPrincipal)o; - if (this.getName().equals(that.getName())) - return true; - return false; + return this.getName().equals(that.getName()); } /** @@ -141,4 +142,24 @@ public boolean equals(Object o) { public int hashCode() { return name.hashCode(); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (name == null) { + java.text.MessageFormat form = new java.text.MessageFormat + (sun.security.util.ResourcesMgr.getString + ("invalid.null.input.value", + "sun.security.util.AuthResources")); + Object[] source = {"name"}; + throw new InvalidObjectException(form.format(source)); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/UserPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/UserPrincipal.java index f4e7555ab1a..2d39ca5621f 100644 --- a/jdk/src/share/classes/com/sun/security/auth/UserPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/UserPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -110,4 +113,19 @@ public String getName() { public String toString() { return name; } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (name == null) { + throw new InvalidObjectException("null name is illegal"); + } + } } diff --git a/jdk/src/share/classes/java/security/CodeSigner.java b/jdk/src/share/classes/java/security/CodeSigner.java index 37c12b153b3..67240408757 100644 --- a/jdk/src/share/classes/java/security/CodeSigner.java +++ b/jdk/src/share/classes/java/security/CodeSigner.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -156,9 +156,9 @@ public boolean equals(Object obj) { public String toString() { StringBuffer sb = new StringBuffer(); sb.append("("); - sb.append("Signer: " + signerCertPath.getCertificates().get(0)); + sb.append("Signer: ").append(signerCertPath.getCertificates().get(0)); if (timestamp != null) { - sb.append("timestamp: " + timestamp); + sb.append("timestamp: ").append(timestamp); } sb.append(")"); return sb.toString(); @@ -166,8 +166,11 @@ public String toString() { // Explicitly reset hash code value to -1 private void readObject(ObjectInputStream ois) - throws IOException, ClassNotFoundException { - ois.defaultReadObject(); - myhash = -1; + throws IOException, ClassNotFoundException { + ois.defaultReadObject(); + if (signerCertPath == null) { + throw new InvalidObjectException("signerCertPath is null"); + } + myhash = -1; } } diff --git a/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java b/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java index c56a5f1458d..54cc8af3acf 100644 --- a/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java +++ b/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,12 +25,10 @@ package java.security.cert; -import java.util.*; +import java.util.Date; import sun.security.provider.certpath.CertPathHelper; -import sun.security.x509.GeneralNameInterface; - /** * Helper class that allows the Sun CertPath provider to access * implementation dependent APIs in CertPath framework. @@ -55,11 +53,6 @@ synchronized static void initialize() { } } - protected void implSetPathToNames(X509CertSelector sel, - Set names) { - sel.setPathToNamesInternal(names); - } - protected void implSetDateAndTime(X509CRLSelector sel, Date date, long skew) { sel.setDateAndTime(date, skew); } diff --git a/jdk/src/share/classes/java/security/cert/X509CertSelector.java b/jdk/src/share/classes/java/security/cert/X509CertSelector.java index 905e45401e9..74e4c5c2aca 100644 --- a/jdk/src/share/classes/java/security/cert/X509CertSelector.java +++ b/jdk/src/share/classes/java/security/cert/X509CertSelector.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -90,10 +90,6 @@ public class X509CertSelector implements CertSelector { private final static ObjectIdentifier ANY_EXTENDED_KEY_USAGE = ObjectIdentifier.newInternal(new int[] {2, 5, 29, 37, 0}); - static { - CertPathHelperImpl.initialize(); - } - private BigInteger serialNumber; private X500Principal issuer; private X500Principal subject; @@ -1177,14 +1173,6 @@ public void setPathToNames(Collection> names) throws IOException { } } - // called from CertPathHelper - void setPathToNamesInternal(Set names) { - // set names to non-null dummy value - // this breaks getPathToNames() - pathToNames = Collections.>emptySet(); - pathToGeneralNames = names; - } - /** * Adds a name to the pathToNames criterion. The {@code X509Certificate} * must not include name constraints that would prohibit building a diff --git a/jdk/src/share/classes/javax/crypto/spec/SecretKeySpec.java b/jdk/src/share/classes/javax/crypto/spec/SecretKeySpec.java index c97e4a5348a..b97bc68cca9 100644 --- a/jdk/src/share/classes/javax/crypto/spec/SecretKeySpec.java +++ b/jdk/src/share/classes/javax/crypto/spec/SecretKeySpec.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package javax.crypto.spec; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.MessageDigest; import java.security.spec.KeySpec; import java.util.Locale; @@ -234,4 +237,25 @@ public boolean equals(Object obj) { return MessageDigest.isEqual(this.key, thatKey); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + + if (key == null || algorithm == null) { + throw new InvalidObjectException("Missing argument"); + } + + this.key = key.clone(); + if (key.length == 0) { + throw new InvalidObjectException("Invalid key length"); + } + } } diff --git a/jdk/src/share/classes/javax/security/auth/callback/ChoiceCallback.java b/jdk/src/share/classes/javax/security/auth/callback/ChoiceCallback.java index 3887f0953de..8f9920b2a01 100644 --- a/jdk/src/share/classes/javax/security/auth/callback/ChoiceCallback.java +++ b/jdk/src/share/classes/javax/security/auth/callback/ChoiceCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,10 @@ package javax.security.auth.callback; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; + /** *

Underlying security services instantiate and pass a * {@code ChoiceCallback} to the {@code handle} @@ -103,15 +107,15 @@ public ChoiceCallback(String prompt, String[] choices, defaultChoice < 0 || defaultChoice >= choices.length) throw new IllegalArgumentException(); + this.prompt = prompt; + this.defaultChoice = defaultChoice; + this.multipleSelectionsAllowed = multipleSelectionsAllowed; + + this.choices = choices.clone(); for (int i = 0; i < choices.length; i++) { if (choices[i] == null || choices[i].length() == 0) throw new IllegalArgumentException(); } - - this.prompt = prompt; - this.choices = choices.clone(); - this.defaultChoice = defaultChoice; - this.multipleSelectionsAllowed = multipleSelectionsAllowed; } /** @@ -206,6 +210,6 @@ public void setSelectedIndexes(int[] selections) { * @see #setSelectedIndexes */ public int[] getSelectedIndexes() { - return selections == null ? null : selections.clone(); + return selections; } } diff --git a/jdk/src/share/classes/javax/security/auth/callback/ConfirmationCallback.java b/jdk/src/share/classes/javax/security/auth/callback/ConfirmationCallback.java index 005ff6333fe..55121596ace 100644 --- a/jdk/src/share/classes/javax/security/auth/callback/ConfirmationCallback.java +++ b/jdk/src/share/classes/javax/security/auth/callback/ConfirmationCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package javax.security.auth.callback; +import java.io.IOException; +import java.io.ObjectInputStream; + /** *

Underlying security services instantiate and pass a * {@code ConfirmationCallback} to the {@code handle} @@ -253,16 +256,16 @@ public ConfirmationCallback(int messageType, defaultOption < 0 || defaultOption >= options.length) throw new IllegalArgumentException(); - for (int i = 0; i < options.length; i++) { - if (options[i] == null || options[i].length() == 0) - throw new IllegalArgumentException(); - } - this.prompt = null; this.messageType = messageType; this.optionType = UNSPECIFIED_OPTION; - this.options = options.clone(); this.defaultOption = defaultOption; + + this.options = options.clone(); + for (int i = 0; i < options.length; i++) { + if (options[i] == null || options[i].length() == 0) + throw new IllegalArgumentException(); + } } /** @@ -376,16 +379,16 @@ public ConfirmationCallback(String prompt, int messageType, defaultOption < 0 || defaultOption >= options.length) throw new IllegalArgumentException(); - for (int i = 0; i < options.length; i++) { - if (options[i] == null || options[i].length() == 0) - throw new IllegalArgumentException(); - } - this.prompt = prompt; this.messageType = messageType; this.optionType = UNSPECIFIED_OPTION; - this.options = options.clone(); this.defaultOption = defaultOption; + + this.options = options.clone(); + for (int i = 0; i < options.length; i++) { + if (options[i] == null || options[i].length() == 0) + throw new IllegalArgumentException(); + } } /** @@ -505,4 +508,19 @@ public void setSelectedIndex(int selection) { public int getSelectedIndex() { return selection; } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (options != null) { + options = options.clone(); + } + } } diff --git a/jdk/src/share/classes/javax/security/auth/callback/PasswordCallback.java b/jdk/src/share/classes/javax/security/auth/callback/PasswordCallback.java index 0e8fb7bd794..6333804d862 100644 --- a/jdk/src/share/classes/javax/security/auth/callback/PasswordCallback.java +++ b/jdk/src/share/classes/javax/security/auth/callback/PasswordCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,12 @@ package javax.security.auth.callback; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; +import java.util.Arrays; +import sun.misc.Cleaner; + /** *

Underlying security services instantiate and pass a * {@code PasswordCallback} to the {@code handle} @@ -40,18 +46,22 @@ public class PasswordCallback implements Callback, java.io.Serializable { * @serial * @since 1.4 */ - private String prompt; + private final String prompt; + /** * @serial * @since 1.4 */ - private boolean echoOn; + private final boolean echoOn; + /** * @serial * @since 1.4 */ private char[] inputPassword; + private transient Cleaner cleaner; + /** * Construct a {@code PasswordCallback} with a prompt * and a boolean specifying whether the password should be displayed @@ -112,7 +122,18 @@ public boolean isEchoOn() { * @see #getPassword */ public void setPassword(char[] password) { + // Cleanup the last buffered password copy. + if (cleaner != null) { + cleaner.clean(); + cleaner = null; + } + + // Set the retrieved password. this.inputPassword = (password == null ? null : password.clone()); + + if (this.inputPassword != null) { + cleaner = Cleaner.create(this, cleanerFor(inputPassword)); + } } /** @@ -134,9 +155,38 @@ public char[] getPassword() { * Clear the retrieved password. */ public void clearPassword() { + // Cleanup the last retrieved password copy. + if (cleaner != null) { + cleaner.clean(); + cleaner = null; + } + } + + private static Runnable cleanerFor(char[] password) { + return () -> { + Arrays.fill(password, ' '); + }; + } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + + if (prompt == null || prompt.isEmpty()) { + throw new InvalidObjectException("Missing prompt"); + } + if (inputPassword != null) { - for (int i = 0; i < inputPassword.length; i++) - inputPassword[i] = ' '; + inputPassword = inputPassword.clone(); + cleaner = Cleaner.create(this, cleanerFor(inputPassword)); } } + } diff --git a/jdk/src/share/classes/sun/security/ec/ECPrivateKeyImpl.java b/jdk/src/share/classes/sun/security/ec/ECPrivateKeyImpl.java index e423850cc38..3f5bda39b8c 100644 --- a/jdk/src/share/classes/sun/security/ec/ECPrivateKeyImpl.java +++ b/jdk/src/share/classes/sun/security/ec/ECPrivateKeyImpl.java @@ -26,6 +26,8 @@ package sun.security.ec; import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.math.BigInteger; import java.security.*; @@ -43,7 +45,7 @@ /** * Key implementation for EC private keys. - * + *

* ASN.1 syntax for EC private keys from SEC 1 v1.5 (draft): * * 

@@ -213,4 +215,19 @@ protected void parseKeyBits() throws InvalidKeyException {
             throw new InvalidKeyException("Invalid EC private key", e);
         }
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "ECPrivateKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/ec/ECPublicKeyImpl.java b/jdk/src/share/classes/sun/security/ec/ECPublicKeyImpl.java
index f17d52c46b7..6da122fe620 100644
--- a/jdk/src/share/classes/sun/security/ec/ECPublicKeyImpl.java
+++ b/jdk/src/share/classes/sun/security/ec/ECPublicKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,8 @@
 
 import java.io.IOException;
 
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.*;
 import java.security.interfaces.*;
 import java.security.spec.*;
@@ -122,10 +124,25 @@ public String toString() {
             + "\n  parameters: " + params;
     }
 
-    protected Object writeReplace() throws java.io.ObjectStreamException {
+    private Object writeReplace() throws java.io.ObjectStreamException {
         return new KeyRep(KeyRep.Type.PUBLIC,
                         getAlgorithm(),
                         getFormat(),
                         getEncoded());
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "ECPublicKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/pkcs11/Token.java b/jdk/src/share/classes/sun/security/pkcs11/Token.java
index 39d301ae7b8..f9db262b0a1 100644
--- a/jdk/src/share/classes/sun/security/pkcs11/Token.java
+++ b/jdk/src/share/classes/sun/security/pkcs11/Token.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -416,11 +416,26 @@ private synchronized byte[] getTokenId() {
 
     private Object writeReplace() throws ObjectStreamException {
         if (isValid() == false) {
-            throw new NotSerializableException("Token has been removed");
+            throw new InvalidObjectException("Token has been removed");
         }
         return new TokenRep(this);
     }
 
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "Tokens are not directly deserializable");
+    }
+
     // serialized representation of a token
     // tokens can only be de-serialized within the same VM invocation
     // and if the token has not been removed in the meantime
@@ -443,7 +458,7 @@ private Object readResolve() throws ObjectStreamException {
                     }
                 }
             }
-            throw new NotSerializableException("Could not find token");
+            throw new InvalidObjectException("Could not find token");
         }
     }
 
diff --git a/jdk/src/share/classes/sun/security/provider/DSAPublicKeyImpl.java b/jdk/src/share/classes/sun/security/provider/DSAPublicKeyImpl.java
index 7ccc1c0239f..a97a901f87f 100644
--- a/jdk/src/share/classes/sun/security/provider/DSAPublicKeyImpl.java
+++ b/jdk/src/share/classes/sun/security/provider/DSAPublicKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,17 +25,20 @@
 
 package sun.security.provider;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.math.BigInteger;
 import java.security.KeyRep;
 import java.security.InvalidKeyException;
 
 /**
  * An X.509 public key for the Digital Signature Algorithm.
- *
+ * 

  * The difference between DSAPublicKeyImpl and DSAPublicKey is that
  * DSAPublicKeyImpl calls writeReplace with KeyRep, and DSAPublicKey
  * calls writeObject.
- *
+ * 

  * See the comments in DSAKeyFactory, 4532506, and 6232513.
  *
  */
@@ -70,10 +73,25 @@ public DSAPublicKeyImpl(byte[] encoded) throws InvalidKeyException {
         super(encoded);
     }
 
-    protected Object writeReplace() throws java.io.ObjectStreamException {
+    private Object writeReplace() throws java.io.ObjectStreamException {
         return new KeyRep(KeyRep.Type.PUBLIC,
                         getAlgorithm(),
                         getFormat(),
                         getEncoded());
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "DSAPublicKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/provider/PolicyFile.java b/jdk/src/share/classes/sun/security/provider/PolicyFile.java
index 097451da742..a980277883a 100644
--- a/jdk/src/share/classes/sun/security/provider/PolicyFile.java
+++ b/jdk/src/share/classes/sun/security/provider/PolicyFile.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -2214,8 +2214,17 @@ public SelfPermission(String type, String name, String actions,
                 this.actions.equals(that.actions)))
                 return false;
 
-            if (this.certs.length != that.certs.length)
+            if ((this.certs == null) && (that.certs == null)) {
+                return true;
+            }
+
+            if ((this.certs == null) || (that.certs == null)) {
+                return false;
+            }
+
+            if (this.certs.length != that.certs.length) {
                 return false;
+            }
 
             int i,j;
             boolean match;
@@ -2285,7 +2294,7 @@ public String getSelfActions() {
         }
 
         public Certificate[] getCerts() {
-            return certs;
+            return (certs == null ? null : certs.clone());
         }
 
         /**
@@ -2298,6 +2307,21 @@ public Certificate[] getCerts() {
         @Override public String toString() {
             return "(SelfPermission " + type + " " + name + " " + actions + ")";
         }
+
+        /**
+         * Restores the state of this object from the stream.
+         *
+         * @param  stream the {@code ObjectInputStream} from which data is read
+         * @throws IOException if an I/O error occurs
+         * @throws ClassNotFoundException if a serialized class cannot be loaded
+         */
+        private void readObject(ObjectInputStream stream)
+                throws IOException, ClassNotFoundException {
+            stream.defaultReadObject();
+            if (certs != null) {
+                this.certs = certs.clone();
+            }
+        }
     }
 
     /**
diff --git a/jdk/src/share/classes/sun/security/provider/SecureRandom.java b/jdk/src/share/classes/sun/security/provider/SecureRandom.java
index 4f7d7c3aad6..5ffc81b16ff 100644
--- a/jdk/src/share/classes/sun/security/provider/SecureRandom.java
+++ b/jdk/src/share/classes/sun/security/provider/SecureRandom.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 package sun.security.provider;
 
 import java.io.IOException;
+import java.io.InvalidObjectException;
 import java.security.MessageDigest;
 import java.security.SecureRandomSpi;
 import java.security.NoSuchAlgorithmException;
@@ -186,7 +187,7 @@ private static void updateState(byte[] state, byte[] output) {
     /**
      * This static object will be seeded by SeedGenerator, and used
      * to seed future instances of SHA1PRNG SecureRandoms.
-     *
+     * 

      * Bloch, Effective Java Second Edition: Item 71
      */
     private static class SeederHolder {
@@ -261,17 +262,23 @@ public synchronized void engineNextBytes(byte[] result) {
     }
 
     /*
-     * readObject is called to restore the state of the random object from
-     * a stream.  We have to create a new instance of MessageDigest, because
+     * This method is called to restore the state of the random object from
+     * a stream.
+     * 

+     * We have to create a new instance of {@code MessageDigest}, because
      * it is not included in the stream (it is marked "transient").
-     *
-     * Note that the engineNextBytes() method invoked on the restored random
-     * object will yield the exact same (random) bytes as the original.
+     * 

+     * Note that the {@code engineNextBytes()} method invoked on the restored
+     * random object will yield the exact same (random) bytes as the original.
      * If you do not want this behaviour, you should re-seed the restored
-     * random object, using engineSetSeed().
+     * random object, using {@code engineSetSeed()}.
+     *
+     * @param  s the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
      */
     private void readObject(java.io.ObjectInputStream s)
-        throws IOException, ClassNotFoundException {
+            throws IOException, ClassNotFoundException {
 
         s.defaultReadObject ();
 
@@ -290,5 +297,34 @@ private void readObject(java.io.ObjectInputStream s)
                     "internal error: SHA-1 not available.", exc);
             }
         }
+
+        // Various consistency checks
+        if ((remainder == null) && (remCount > 0)) {
+            throw new InvalidObjectException(
+                    "Remainder indicated, but no data available");
+        }
+
+        // Not yet allocated state
+        if (state == null) {
+            if (remainder == null) {
+                return;
+            } else {
+                throw new InvalidObjectException(
+                        "Inconsistent buffer allocations");
+            }
+        }
+
+        // Sanity check on sizes/pointer
+        if ((state.length != DIGEST_SIZE) ||
+                ((remainder != null) && (remainder.length != DIGEST_SIZE)) ||
+                (remCount < 0 ) || (remCount >= DIGEST_SIZE)) {
+            throw new InvalidObjectException(
+                    "Inconsistent buffer sizes/state");
+        }
+
+        state = state.clone();
+        if (remainder != null) {
+            remainder = remainder.clone();
+        }
     }
 }
diff --git a/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java b/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java
index 7c02007422d..ebc2200f0e6 100644
--- a/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java
+++ b/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,14 +26,10 @@
 package sun.security.provider.certpath;
 
 import java.util.Date;
-import java.util.Set;
 
 import java.security.cert.TrustAnchor;
-import java.security.cert.X509CertSelector;
 import java.security.cert.X509CRLSelector;
 
-import sun.security.x509.GeneralNameInterface;
-
 /**
  * Helper class that allows access to JDK specific known-public methods in the
  * java.security.cert package. It relies on a subclass in the
@@ -55,18 +51,10 @@ protected CertPathHelper() {
         // empty
     }
 
-    protected abstract void implSetPathToNames(X509CertSelector sel,
-            Set names);
-
     protected abstract void implSetDateAndTime(X509CRLSelector sel, Date date, long skew);
 
     protected abstract boolean implIsJdkCA(TrustAnchor anchor);
 
-    static void setPathToNames(X509CertSelector sel,
-            Set names) {
-        instance.implSetPathToNames(sel, names);
-    }
-
     public static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
         instance.implSetDateAndTime(sel, date, skew);
     }
diff --git a/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java b/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
index 2afb2f9a85f..00351647349 100644
--- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
@@ -48,7 +48,6 @@
 import sun.security.x509.AuthorityInfoAccessExtension;
 import sun.security.x509.AuthorityKeyIdentifierExtension;
 import static sun.security.x509.PKIXExtensions.*;
-import sun.security.x509.SubjectAlternativeNameExtension;
 import sun.security.x509.X500Name;
 import sun.security.x509.X509CertImpl;
 
@@ -258,14 +257,6 @@ private void getMatchingCACerts(ForwardState currentState,
              */
             caSelector.setSubject(currentState.issuerDN);
 
-            /*
-             * Match on subjectNamesTraversed (both DNs and AltNames)
-             * (checks that current cert's name constraints permit it
-             * to certify all the DNs and AltNames that have been traversed)
-             */
-            CertPathHelper.setPathToNames
-                (caSelector, currentState.subjectNamesTraversed);
-
             /*
              * check the validity period
              */
@@ -704,19 +695,6 @@ void verifyCert(X509Certificate cert, State currentState,
         // Don't bother to verify untrusted certificate more.
         currState.untrustedChecker.check(cert, Collections.emptySet());
 
-        /*
-         * Abort if we encounter the same certificate or a certificate with
-         * the same public key, subject DN, and subjectAltNames as a cert
-         * that is already in path.
-         */
-        for (X509Certificate cpListCert : certPathList) {
-            if (repeated(cpListCert, cert)) {
-                throw new CertPathValidatorException(
-                    "cert with repeated subject, public key, and " +
-                    "subjectAltNames detected");
-            }
-        }
-
         /* check if trusted cert */
         boolean isTrustedCert = trustedCerts.contains(cert);
 
@@ -794,49 +772,6 @@ void verifyCert(X509Certificate cert, State currentState,
         }
     }
 
-    /**
-     * Return true if two certificates are equal or have the same subject,
-     * public key, and subject alternative names.
-     */
-    private static boolean repeated(
-            X509Certificate currCert, X509Certificate nextCert) {
-        if (currCert.equals(nextCert)) {
-            return true;
-        }
-        return (currCert.getSubjectX500Principal().equals(
-            nextCert.getSubjectX500Principal()) &&
-            currCert.getPublicKey().equals(nextCert.getPublicKey()) &&
-            altNamesEqual(currCert, nextCert));
-    }
-
-    /**
-     * Return true if two certificates have the same subject alternative names.
-     */
-    private static boolean altNamesEqual(
-            X509Certificate currCert, X509Certificate nextCert) {
-        X509CertImpl curr, next;
-        try {
-            curr = X509CertImpl.toImpl(currCert);
-            next = X509CertImpl.toImpl(nextCert);
-        } catch (CertificateException ce) {
-            return false;
-        }
-
-        SubjectAlternativeNameExtension currAltNameExt =
-            curr.getSubjectAlternativeNameExtension();
-        SubjectAlternativeNameExtension nextAltNameExt =
-            next.getSubjectAlternativeNameExtension();
-        if (currAltNameExt != null) {
-            if (nextAltNameExt == null) {
-                return false;
-            }
-            return Arrays.equals(currAltNameExt.getExtensionValue(),
-                nextAltNameExt.getExtensionValue());
-        } else {
-            return (nextAltNameExt == null);
-        }
-    }
-
     /**
      * Verifies whether the input certificate completes the path.
      * First checks the cert against each trust anchor that was specified,
diff --git a/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java b/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java
index 9d7af9b169b..9a5088babf2 100644
--- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java
@@ -31,17 +31,11 @@
 import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
-import java.util.HashSet;
 import java.util.List;
 import java.util.ListIterator;
 import javax.security.auth.x500.X500Principal;
 
 import sun.security.util.Debug;
-import sun.security.x509.SubjectAlternativeNameExtension;
-import sun.security.x509.GeneralNames;
-import sun.security.x509.GeneralName;
-import sun.security.x509.GeneralNameInterface;
-import sun.security.x509.X500Name;
 import sun.security.x509.X509CertImpl;
 
 /**
@@ -61,9 +55,6 @@ class ForwardState implements State {
     /* The last cert in the path */
     X509CertImpl cert;
 
-    /* The set of subjectDNs and subjectAltNames of all certs in the path */
-    HashSet subjectNamesTraversed;
-
     /*
      * The number of intermediate CA certs which have been traversed so
      * far in the path
@@ -73,7 +64,6 @@ class ForwardState implements State {
     /* Flag indicating if state is initial (path is just starting) */
     private boolean init = true;
 
-
     /* the untrusted certificates checker */
     UntrustedChecker untrustedChecker;
 
@@ -104,8 +94,6 @@ public String toString() {
         sb.append("\n  issuerDN of last cert: ").append(issuerDN);
         sb.append("\n  traversedCACerts: ").append(traversedCACerts);
         sb.append("\n  init: ").append(String.valueOf(init));
-        sb.append("\n  subjectNamesTraversed: \n").append
-                 (subjectNamesTraversed);
         sb.append("\n  selfIssued: ").append
                  (String.valueOf(selfIssued));
         sb.append("]\n");
@@ -120,7 +108,6 @@ public String toString() {
     public void initState(List certPathCheckers)
         throws CertPathValidatorException
     {
-        subjectNamesTraversed = new HashSet();
         traversedCACerts = 0;
 
         /*
@@ -170,32 +157,6 @@ public void updateState(X509Certificate cert)
             }
         }
 
-        /* update subjectNamesTraversed only if this is the EE cert or if
-           this cert is not self-issued */
-        if (init || !selfIssued) {
-            X500Principal subjName = cert.getSubjectX500Principal();
-            subjectNamesTraversed.add(X500Name.asX500Name(subjName));
-
-            try {
-                SubjectAlternativeNameExtension subjAltNameExt
-                    = icert.getSubjectAlternativeNameExtension();
-                if (subjAltNameExt != null) {
-                    GeneralNames gNames = subjAltNameExt.get(
-                            SubjectAlternativeNameExtension.SUBJECT_NAME);
-                    for (GeneralName gName : gNames.names()) {
-                        subjectNamesTraversed.add(gName.getName());
-                    }
-                }
-            } catch (IOException e) {
-                if (debug != null) {
-                    debug.println("ForwardState.updateState() unexpected "
-                        + "exception");
-                    e.printStackTrace();
-                }
-                throw new CertPathValidatorException(e);
-            }
-        }
-
         init = false;
     }
 
@@ -203,10 +164,6 @@ public void updateState(X509Certificate cert)
      * Clone current state. The state is cloned as each cert is
      * added to the path. This is necessary if backtracking occurs,
      * and a prior state needs to be restored.
-     *
-     * Note that this is a SMART clone. Not all fields are fully copied,
-     * because some of them will
-     * not have their contents modified by subsequent calls to updateState.
      */
     @Override
     @SuppressWarnings("unchecked") // Safe casts assuming clone() works correctly
@@ -226,13 +183,6 @@ public Object clone() {
                 }
             }
 
-            /*
-             * Shallow copy traversed names. There is no need to
-             * deep copy contents, since the elements of the Set
-             * are never modified by subsequent calls to updateState().
-             */
-            clonedState.subjectNamesTraversed
-                = (HashSet)subjectNamesTraversed.clone();
             return clonedState;
         } catch (CloneNotSupportedException e) {
             throw new InternalError(e.toString(), e);
diff --git a/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java b/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
index fd4eb9543e9..fd5a01a923d 100644
--- a/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
+++ b/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
@@ -33,6 +33,7 @@
 import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.PKIXReason;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
@@ -42,6 +43,7 @@
 
 import sun.security.provider.certpath.PKIX.BuilderParams;
 import static sun.security.x509.PKIXExtensions.*;
+import sun.security.x509.SubjectAlternativeNameExtension;
 import sun.security.x509.X509CertImpl;
 import sun.security.util.Debug;
 
@@ -265,7 +267,7 @@ private void depthFirstSearchForward(X500Principal dN,
          */
         Collection certs =
             builder.getMatchingCerts(currentState, buildParams.certStores());
-        List vertices = addVertices(certs, adjList);
+        List vertices = addVertices(certs, adjList, cpList);
         if (debug != null) {
             debug.println("SunCertPathBuilder.depthFirstSearchForward(): "
                           + "certs.size=" + vertices.size());
@@ -325,17 +327,32 @@ private void depthFirstSearchForward(X500Principal dN,
                  * cert (which is signed by the trusted public key), but
                  * don't add it yet to the cpList
                  */
+                PublicKey rootKey = cert.getPublicKey();
                 if (builder.trustAnchor.getTrustedCert() == null) {
                     appendedCerts.add(0, cert);
+                    rootKey = builder.trustAnchor.getCAPublicKey();
+                    if (debug != null)
+                        debug.println(
+                            "SunCertPathBuilder.depthFirstSearchForward " +
+                            "using buildParams public key: " +
+                            rootKey.toString());
                 }
+                TrustAnchor anchor = new TrustAnchor
+                    (cert.getSubjectX500Principal(), rootKey, null);
 
+                // add the basic checker
+                List checkers = new ArrayList<>();
+                BasicChecker basicChecker = new BasicChecker(anchor,
+                                                    buildParams.date(),
+                                                    buildParams.sigProvider(),
+                                                    true);
+                checkers.add(basicChecker);
                 Set initExpPolSet =
                     Collections.singleton(PolicyChecker.ANY_POLICY);
 
                 PolicyNodeImpl rootNode = new PolicyNodeImpl(null,
                     PolicyChecker.ANY_POLICY, null, false, initExpPolSet, false);
 
-                List checkers = new ArrayList<>();
                 PolicyChecker policyChecker
                     = new PolicyChecker(buildParams.initialPolicies(),
                                         appendedCerts.size(),
@@ -346,28 +363,13 @@ private void depthFirstSearchForward(X500Principal dN,
                                         rootNode);
                 checkers.add(policyChecker);
 
+                // add the constraints checker
+                checkers.add(new ConstraintsChecker(appendedCerts.size()));
+
                 // add the algorithm checker
                 checkers.add(new AlgorithmChecker(builder.trustAnchor,
                         buildParams.timestamp(), buildParams.variant()));
 
-                PublicKey rootKey = cert.getPublicKey();
-                if (builder.trustAnchor.getTrustedCert() == null) {
-                    rootKey = builder.trustAnchor.getCAPublicKey();
-                    if (debug != null)
-                        debug.println(
-                            "SunCertPathBuilder.depthFirstSearchForward " +
-                            "using buildParams public key: " +
-                            rootKey.toString());
-                }
-                TrustAnchor anchor = new TrustAnchor
-                    (cert.getSubjectX500Principal(), rootKey, null);
-
-                // add the basic checker
-                BasicChecker basicChecker = new BasicChecker(anchor,
-                                                    buildParams.date(),
-                                                    buildParams.sigProvider(),
-                                                    true);
-                checkers.add(basicChecker);
 
                 buildParams.setCertPath(cf.generateCertPath(appendedCerts));
 
@@ -563,18 +565,79 @@ private void depthFirstSearchForward(X500Principal dN,
      * adjacency list.
      */
     private static List addVertices(Collection certs,
-                                            List> adjList)
+                                            List> adjList,
+                                            List cpList)
     {
         List l = adjList.get(adjList.size() - 1);
 
         for (X509Certificate cert : certs) {
-            Vertex v = new Vertex(cert);
-            l.add(v);
+            boolean repeated = false;
+            for (X509Certificate cpListCert : cpList) {
+                /*
+                 * Ignore if we encounter the same certificate or a
+                 * certificate with the same public key, subject DN, and
+                 * subjectAltNames as a cert that is already in path.
+                 */
+                if (repeated(cpListCert, cert)) {
+                    if (debug != null) {
+                        debug.println("cert with repeated subject, " +
+                            "public key, and subjectAltNames detected");
+                    }
+                    repeated = true;
+                    break;
+                }
+            }
+            if (!repeated) {
+                l.add(new Vertex(cert));
+            }
         }
 
         return l;
     }
 
+    /**
+     * Return true if two certificates are equal or have the same subject,
+     * public key, and subject alternative names.
+     */
+    private static boolean repeated(
+            X509Certificate currCert, X509Certificate nextCert) {
+        if (currCert.equals(nextCert)) {
+            return true;
+        }
+        return (currCert.getSubjectX500Principal().equals(
+            nextCert.getSubjectX500Principal()) &&
+            currCert.getPublicKey().equals(nextCert.getPublicKey()) &&
+            altNamesEqual(currCert, nextCert));
+    }
+
+    /**
+     * Return true if two certificates have the same subject alternative names.
+     */
+    private static boolean altNamesEqual(
+            X509Certificate currCert, X509Certificate nextCert) {
+        X509CertImpl curr, next;
+        try {
+            curr = X509CertImpl.toImpl(currCert);
+            next = X509CertImpl.toImpl(nextCert);
+        } catch (CertificateException ce) {
+            return false;
+        }
+
+        SubjectAlternativeNameExtension currAltNameExt =
+            curr.getSubjectAlternativeNameExtension();
+        SubjectAlternativeNameExtension nextAltNameExt =
+            next.getSubjectAlternativeNameExtension();
+        if (currAltNameExt != null) {
+            if (nextAltNameExt == null) {
+                return false;
+            }
+            return Arrays.equals(currAltNameExt.getExtensionValue(),
+                nextAltNameExt.getExtensionValue());
+        } else {
+            return (nextAltNameExt == null);
+        }
+    }
+
     /**
      * Returns true if trust anchor certificate matches specified
      * certificate constraints.
diff --git a/jdk/src/share/classes/sun/security/provider/certpath/X509CertPath.java b/jdk/src/share/classes/sun/security/provider/certpath/X509CertPath.java
index f738b5f5fe0..79cde0d72fd 100644
--- a/jdk/src/share/classes/sun/security/provider/certpath/X509CertPath.java
+++ b/jdk/src/share/classes/sun/security/provider/certpath/X509CertPath.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,10 +25,7 @@
 
 package sun.security.provider.certpath;
 
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
+import java.io.*;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -394,4 +391,19 @@ public Iterator getEncodings() {
     public List getCertificates() {
         return certs;
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "X509CertPaths are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
index b3c1fae9672..4cb407e2508 100644
--- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@
 package sun.security.rsa;
 
 import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.math.BigInteger;
 
 import java.security.*;
@@ -43,7 +45,7 @@
  * RSA private key implementation for "RSA", "RSASSA-PSS" algorithms in CRT form.
  * For non-CRT private keys, see RSAPrivateKeyImpl. We need separate classes
  * to ensure correct behavior in instanceof checks, etc.
- *
+ * 

  * Note: RSA keys must be at least 512 bits long
  *
  * @see RSAPrivateKeyImpl
@@ -291,4 +293,19 @@ protected void parseKeyBits() throws InvalidKeyException {
             throw new InvalidKeyException("Invalid RSA private key", e);
         }
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "RSAPrivateCrtKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java
index df5abc1bfd0..b443caf91fd 100644
--- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@
 package sun.security.rsa;
 
 import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.math.BigInteger;
 
 import java.security.*;
@@ -38,10 +40,11 @@
 
 /**
  * RSA private key implementation for "RSA", "RSASSA-PSS" algorithms in non-CRT
- * form (modulus, private exponent only). For CRT private keys, see
- * RSAPrivateCrtKeyImpl. We need separate classes to ensure correct behavior
- * in instanceof checks, etc.
- *
+ * form (modulus, private exponent only).
+ * 

+ * For CRT private keys, see RSAPrivateCrtKeyImpl. We need separate classes
+ * to ensure correct behavior in instanceof checks, etc.
+ * 

  * Note: RSA keys must be at least 512 bits long
  *
  * @see RSAPrivateCrtKeyImpl
@@ -127,4 +130,19 @@ public String toString() {
                + " bits" + "\n  params: " + keyParams + "\n  modulus: " + n
                + "\n  private exponent: " + d;
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "RSAPrivateKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPublicKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPublicKeyImpl.java
index ebd035e06a8..279fc19edec 100644
--- a/jdk/src/share/classes/sun/security/rsa/RSAPublicKeyImpl.java
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPublicKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@
 package sun.security.rsa;
 
 import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.math.BigInteger;
 
 import java.security.*;
@@ -40,7 +42,7 @@
 
 /**
  * RSA public key implementation for "RSA", "RSASSA-PSS" algorithms.
- *
+ * 

  * Note: RSA keys must be at least 512 bits long
  *
  * @see RSAPrivateCrtKeyImpl
@@ -198,10 +200,25 @@ public String toString() {
                + "\n  public exponent: " + e;
     }
 
-    protected Object writeReplace() throws java.io.ObjectStreamException {
+    private Object writeReplace() throws java.io.ObjectStreamException {
         return new KeyRep(KeyRep.Type.PUBLIC,
                         getAlgorithm(),
                         getFormat(),
                         getEncoded());
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "RSAPublicKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/x509/X509CertImpl.java b/jdk/src/share/classes/sun/security/x509/X509CertImpl.java
index 012bb8cf823..818ae1e2619 100644
--- a/jdk/src/share/classes/sun/security/x509/X509CertImpl.java
+++ b/jdk/src/share/classes/sun/security/x509/X509CertImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,13 +25,7 @@
 
 package sun.security.x509;
 
-import java.io.BufferedReader;
-import java.io.BufferedInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.OutputStream;
+import java.io.*;
 import java.math.BigInteger;
 import java.security.*;
 import java.security.spec.AlgorithmParameterSpec;
@@ -679,7 +673,7 @@ public void checkValidity(Date date)
 
     /**
      * Return the requested attribute from the certificate.
-     *
+     * 

      * Note that the X509CertInfo is not cloned for performance reasons.
      * Callers must ensure that they do not modify it. All other
      * attributes are cloned.
@@ -1597,7 +1591,7 @@ private static Collection> makeAltNames(GeneralNames names) {
         for (GeneralName gname : names.names()) {
             GeneralNameInterface name = gname.getName();
             List nameEntry = new ArrayList<>(2);
-            nameEntry.add(Integer.valueOf(name.getType()));
+            nameEntry.add(name.getType());
             switch (name.getType()) {
             case GeneralNameInterface.NAME_RFC822:
                 nameEntry.add(((RFC822Name) name).getName());
@@ -2019,4 +2013,19 @@ private static void byte2hex(byte b, StringBuffer buf) {
         buf.append(hexChars[high]);
         buf.append(hexChars[low]);
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "X509CertImpls are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/text/bidi/BidiBase.java b/jdk/src/share/classes/sun/text/bidi/BidiBase.java
index f13155d06d5..6485bea94e6 100644
--- a/jdk/src/share/classes/sun/text/bidi/BidiBase.java
+++ b/jdk/src/share/classes/sun/text/bidi/BidiBase.java
@@ -3391,7 +3391,7 @@ public static void reorderVisually(byte[] levels,
                       levelStart + " is out of range 0 to " +
                       (objects.length-1));
         }
-        if (0 > count || objects.length < (objectStart+count)) {
+        if (0 > count || objects.length - count < objectStart) {
             throw new IllegalArgumentException("Value count " +
                       levelStart + " is out of range 0 to " +
                       (objects.length - objectStart));
diff --git a/jdk/src/windows/classes/sun/security/mscapi/CPrivateKey.java b/jdk/src/windows/classes/sun/security/mscapi/CPrivateKey.java
index 60fb4fb6723..cea2f93ed5f 100644
--- a/jdk/src/windows/classes/sun/security/mscapi/CPrivateKey.java
+++ b/jdk/src/windows/classes/sun/security/mscapi/CPrivateKey.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package sun.security.mscapi;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.PrivateKey;
 
 /**
@@ -74,6 +77,22 @@ public String toString() {
     // This class is not serializable
     private void writeObject(java.io.ObjectOutputStream out)
             throws java.io.IOException {
-        throw new java.io.NotSerializableException();
+        throw new java.io.InvalidObjectException(
+                "CPrivateKeys are not serializable");
+    }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "CPrivateKeys are not deserializable");
     }
 }
diff --git a/jdk/src/windows/classes/sun/security/mscapi/CPublicKey.java b/jdk/src/windows/classes/sun/security/mscapi/CPublicKey.java
index 8a81c5dc327..93c11c8d561 100644
--- a/jdk/src/windows/classes/sun/security/mscapi/CPublicKey.java
+++ b/jdk/src/windows/classes/sun/security/mscapi/CPublicKey.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package sun.security.mscapi;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.math.BigInteger;
 import java.security.AlgorithmParameters;
 import java.security.KeyException;
@@ -108,7 +111,7 @@ public ECParameterSpec getParams() {
 
         public String toString() {
             StringBuffer sb = new StringBuffer();
-            sb.append(algorithm + "PublicKey [size=").append(keyLength)
+            sb.append(algorithm).append("PublicKey [size=").append(keyLength)
                     .append("]\n  ECPoint: ").append(getW())
                     .append("\n  params: ").append(getParams());
             return sb.toString();
@@ -127,7 +130,7 @@ public static class CRSAPublicKey extends CPublicKey implements RSAPublicKey {
 
         public String toString() {
             StringBuffer sb = new StringBuffer();
-            sb.append(algorithm + "PublicKey [size=").append(keyLength)
+            sb.append(algorithm).append("PublicKey [size=").append(keyLength)
                     .append(" bits, type=");
             if (handles.hCryptKey != 0) {
                 sb.append(getKeyType(handles.hCryptKey))
@@ -221,6 +224,21 @@ protected Object writeReplace() throws java.io.ObjectStreamException {
                         getEncoded());
     }
 
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "CPublicKeys are not deserializable");
+    }
+
     // Returns the CAPI or CNG representation of the key.
     native byte[] getPublicKeyBlob(long hCryptProv, long hCryptKey)
             throws KeyException;
diff --git a/jdk/test/ProblemList.txt b/jdk/test/ProblemList.txt
index 48c100b0c3e..48e818ec232 100644
--- a/jdk/test/ProblemList.txt
+++ b/jdk/test/ProblemList.txt
@@ -324,6 +324,8 @@ security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
 
 sun/security/mscapi/SignedObjectChain.java                      8176183 windows-all
 
+javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java 8285785,8286045,8287596 generic-all
+
 ############################################################################
 
 # jdk_sound
diff --git a/jdk/test/java/security/KeyRep/RSA.pre.1.5.key b/jdk/test/java/security/KeyRep/RSA.pre.1.5.key
deleted file mode 100644
index 0c15a06c9cd..00000000000
Binary files a/jdk/test/java/security/KeyRep/RSA.pre.1.5.key and /dev/null differ
diff --git a/jdk/test/java/security/KeyRep/SerialOld.java b/jdk/test/java/security/KeyRep/SerialOld.java
index 3732609872a..a3792e1e8c4 100644
--- a/jdk/test/java/security/KeyRep/SerialOld.java
+++ b/jdk/test/java/security/KeyRep/SerialOld.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,14 +23,13 @@
 
 /*
  * @test 1.1, 03/08/13
- * @bug 4532506
+ * @bug 4532506 8301126
  * @summary Serializing KeyPair on one VM (Sun),
  *      and Deserializing on another (IBM) fails
  * @run main/othervm/policy=SerialOld.policy SerialOld
  */
 
 import java.io.*;
-import java.security.*;
 
 public class SerialOld {
     public static void main(String[] args) throws Exception {
@@ -40,10 +39,15 @@ public static void main(String[] args) throws Exception {
         deserializeTigerKey("DSA");
         deserializeTigerKey("RSA");
 
-        // verify pre-tiger keys still deserialize in our VM
+        // verify pre-tiger keys still deserialize in our VM.
+
+        // There used to be a RSA test here, but the serialized file contained
+        // classes introduced in JDK 5.0 (sun.security.rsa.RSA*).  The older
+        // RSA keys from JDK 1.4.2 were of class JSA_* which were removed when
+        // sun.security.rsa was introduced.  (See JDK-8301126 for more
+        // details.)  The test/data has been removed.
 
         deserializeKey("DSA");
-        deserializeKey("RSA");
         deserializeKey("DH");
         deserializeKey("AES");
         deserializeKey("Blowfish");
diff --git a/jdk/test/javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java b/jdk/test/javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java
new file mode 100644
index 00000000000..cc995893f65
--- /dev/null
+++ b/jdk/test/javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2022 THL A29 Limited, a Tencent company. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8284910
+ * @summary Check that the cleaner is not bound to the PasswordCallback object
+ */
+
+import javax.security.auth.callback.PasswordCallback;
+import java.util.WeakHashMap;
+
+public final class CheckCleanerBound {
+    private final static WeakHashMap weakHashMap =
+            new WeakHashMap<>();
+
+    public static void main(String[] args) throws Exception {
+        // Create an object
+        PasswordCallback passwordCallback =
+                new PasswordCallback("Password: ", false);
+        passwordCallback.setPassword("ThisIsAPassword".toCharArray());
+
+        weakHashMap.put(passwordCallback, null);
+        passwordCallback = null;
+
+        // Check if the PasswordCallback object could be collected.
+        // Wait to trigger the cleanup.
+        for (int i = 0; i < 10 && weakHashMap.size() != 0; i++) {
+            System.gc();
+        }
+
+        // Check if the object has been collected.  The collection will not
+        // happen if the cleaner implementation in PasswordCallback is bound
+        // to the PasswordCallback object.
+        if (weakHashMap.size() > 0) {
+            throw new RuntimeException(
+                "PasswordCallback object is not released");
+        }
+    }
+}
+
diff --git a/jdk/test/javax/security/auth/callback/PasswordCallback/PasswordCleanup.java b/jdk/test/javax/security/auth/callback/PasswordCallback/PasswordCleanup.java
new file mode 100644
index 00000000000..ea8b1d1c145
--- /dev/null
+++ b/jdk/test/javax/security/auth/callback/PasswordCallback/PasswordCleanup.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2022 THL A29 Limited, a Tencent company. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8284910
+ * @summary Check that PasswordCallback.clearPassword() clears the password
+ */
+
+import javax.security.auth.callback.PasswordCallback;
+import java.util.Arrays;
+
+public final class PasswordCleanup {
+    public static void main(String[] args) throws Exception {
+        // Create an object
+        PasswordCallback passwordCallback =
+                new PasswordCallback("Password: ", false);
+        passwordCallback.setPassword("ThisIsAPassword".toCharArray());
+        char[] originPassword = passwordCallback.getPassword();
+
+        // Use password clear method.
+        passwordCallback.clearPassword();
+
+        // Check that the password is cleared.
+        char[] clearedPassword = passwordCallback.getPassword();
+        if (Arrays.equals(originPassword, clearedPassword)) {
+            throw new RuntimeException(
+                "PasswordCallback.clearPassword() does not clear passwords");
+        }
+    }
+}
+
diff --git a/version.txt b/version.txt
index 79c1345bf58..167fe28d107 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-8.392.01.1
+8.392.08.1