Type: CSR
Resolution: Approved
Priority: P4
Compatibility Kind: behavioral
Compatibility Risk: minimal
Compatibility Risk Description: Should be none/minimal, since both APIs use an alternate form of serialization, effectively ignoring the fields. However, I marked the Compatibility Kind to be behavioral since I did not know if it could be left blank.
Interface Kind: File or wire format
Scope: SE
Summary
The non-serializable fields of java.security.cert.Certificate and java.security.cert.CertPath should be marked transient. The writeReplace methods should also more clearly specify what object is returned.
Problem
The Certificate and CertPath classes use an alternate form of serialization by overriding the writeReplace method. However, the non-serializable fields of these classes were never marked transient, and are incorrectly documented in the Serialized Form section of the javadocs.
Solution
Mark the applicable fields with the transient modifier. More clearly specify what is returned in the writeReplace methods.
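An added example (not JDK code) of the pattern this CSR describes: a Certificate-like class whose stream form is a replacement object, so its transient fields are never part of the serialized form and the -1 hash sentinel is re-established by the constructor when readResolve rebuilds the object. DemoCert, Rep and the sample bytes are constructed for this illustration.

```java
import java.io.*;
import java.util.Arrays;
// Added example, not JDK code: a Certificate-like class that serializes through a
// replacement object, the same writeReplace/readResolve pattern the CSR describes.
public final class DemoCert implements Serializable {
    @Serial private static final long serialVersionUID = 1L;
    private final byte[] encoded;        // the only state that reaches the stream (inside Rep)
    private final transient String type; // transient: never part of the serialized form
    private transient int hash = -1;     // -1 = "not computed"; re-established by the constructor

    public DemoCert(String type, byte[] encoded) {
        this.type = type;
        this.encoded = encoded.clone();
    }
    public String getType() { return type; }
    @Override public int hashCode() {
        if (hash == -1) hash = Arrays.hashCode(encoded); // lazy, cached in the transient field
        return hash;
    }
    // As in the CSR: the stream receives a Rep holding the type and encoded bytes.
    @Serial private Object writeReplace() throws ObjectStreamException {
        return new Rep(type, encoded);
    }
    // Replacement object. readResolve rebuilds a DemoCert through its constructor, so the
    // transient fields come back with their initializer values rather than Java defaults.
    private static final class Rep implements Serializable {
        @Serial private static final long serialVersionUID = 2L;
        private final String type;
        private final byte[] data;
        Rep(String type, byte[] data) { this.type = type; this.data = data; }
        @Serial private Object readResolve() throws ObjectStreamException {
            if (!"DEMO".equals(type)) throw new InvalidObjectException("unsupported type: " + type);
            return new DemoCert(type, data);
        }
    }

    // Round trip: type survives (carried by Rep) and hash is back to the -1 sentinel.
    public static void main(String[] args) throws Exception {
        DemoCert original = new DemoCert("DEMO", new byte[] {0x30, 0x03, 0x02, 0x01, 0x01}); // constructed bytes
        original.hashCode(); // populate the cache before serializing
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(original); }
        DemoCert copy;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            copy = (DemoCert) ois.readObject();
        }
        System.out.println(copy.getType() + " hashReset=" + (copy.hash == -1) + " sameHash=" + (copy.hashCode() == original.hashCode()));
    }
}
```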
Specification
diff --git a/src/java.base/share/classes/java/security/cert/CertPath.java b/src/java.base/share/classes/java/security/cert/CertPath.java
index 28000591c00..15f49ac3381 100644
--- a/src/java.base/share/classes/java/security/cert/CertPath.java
+++ b/src/java.base/share/classes/java/security/cert/CertPath.java
@@ -123,7 +123,7 @@ public abstract class CertPath implements Serializable {
private static final long serialVersionUID = 6068470306649138683L;
/** The type of certificates in this chain. */
- private String type;
+ private final transient String type;
<snip>
/**
* Replaces the {@code CertPath} to be serialized with a
- * {@code CertPathRep} object.
+ * {@link CertPathRep CertPathRep} object containing the
+ * {@code Certificate} type and encoded bytes of the {@code CertPath}.
*
- * @return the {@code CertPathRep} to be serialized
+ * @return a {@code CertPathRep} containing the {@code Certificate} type
+ * and encoded bytes of the {@code CertPath}
*
* @throws ObjectStreamException if a {@code CertPathRep} object
* representing this certification path could not be created
*/
@java.io.Serial
protected Object writeReplace() throws ObjectStreamException {
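Review bot: the CertPath hunk adds `final` as well as `transient` to `type`, but the Summary and Solution only describe marking fields transient; either mention the `final` in the Solution text or leave it out of this change so the specification matches what the CSR says it does (a final field also obliges every constructor in the snipped part of the class to assign `type`). The reworded `@return` and the `{@link CertPathRep CertPathRep}` reference are an improvement over "the {@code CertPathRep} to be serialized", and the unchanged `@throws` wording still matches the new description.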
diff --git a/src/java.base/share/classes/java/security/cert/Certificate.java b/src/java.base/share/classes/java/security/cert/Certificate.java
index a34f0316a8c..4a020ddf1cb 100644
--- a/src/java.base/share/classes/java/security/cert/Certificate.java
+++ b/src/java.base/share/classes/java/security/cert/Certificate.java
@@ -66,10 +66,10 @@ public abstract class Certificate implements java.io.Serializable {
private static final long serialVersionUID = -3585440601605666277L;
/** The certificate type. */
- private final String type;
+ private final transient String type;
/** The hash code for the certificate. */
- private int hash = -1; // Default to -1
+ private transient int hash = -1; // Default to -1
<snip>
/**
- * Replace the Certificate to be serialized.
+ * Replace the {@code Certificate} to be serialized with a
+ * {@link CertificateRep CertificateRep} object containing the type and
+ * encoded bytes of the {@code Certificate}.
*
- * @return the alternate Certificate object to be serialized
+ * @return a {@code CertificateRep} object containing the type and encoded
+ * bytes of the {@code Certificate}
*
- * @throws java.io.ObjectStreamException if a new object representing
- * this Certificate could not be created
+ * @throws java.io.ObjectStreamException if a {@code CertificateRep} object
+ * representing this {@code Certificate} could not be created
* @since 1.3
*/
@java.io.Serial
protected Object writeReplace() throws java.io.ObjectStreamException {
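Review bot: making `hash` transient changes what an instance restored by default deserialization would hold: the `= -1` initializer documented by the "Default to -1" comment only runs in a constructor, so such an instance would carry 0 and a lazily computed hash that treats -1 as "not computed" would see 0 as a cached value. That is only safe because writeReplace substitutes a CertificateRep and the object is rebuilt through a constructor on the way back; the hunk does not show that readResolve path, so it is worth a sentence in the CSR (or in the field comment) stating that the sentinel relies on a Certificate never being deserialized directly. The `@return` and `@throws` rewording naming `CertificateRep` is clearer than the old text.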
CSR of: JDK-4337793 Mark non-serializable fields of java.security.cert.Certificate and CertPath (Resolved)