JDK-4337793 : Mark non-serializable fields of java.security.cert.Certificate and CertPath
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2000-05-12
  • Updated: 2021-11-25
  • Resolved: 2021-11-18
JDK 18: 18 b25 (Fixed)
Related Reports
CSR :  
Relates :  
Relates :  
Description

Name: ooR10001			Date: 05/12/2000


java.security.cert.Certificate spec says that this class implements
java.io.Serializable. However, this class has a writeReplace() method. 
Moreover, writeReplace() is used to create an object which is actually 
written to the stream and this object is different from 
java.security.cert.Certificate.

This is a feature of the Replaceable interface, and in this case the
class must implement Replaceable.

The serialized form doc says:
-------------
Class java.security.cert.Certificate implements Serializable

Serialized Fields

type
String type
-------------

This serialized form structure is not correct because in fact 
java.security.cert.Certificate.CertificateRep is written to the 
stream due to the writeReplace() method, so it should specify
fields of java.security.cert.Certificate.CertificateRep.

The serialized form doc should also specify the writeReplace()
method for java.security.cert.Certificate.

The serialized form doc needs to be fixed, and java.security.cert.Certificate
should implement the Replaceable interface.

======================================================================

Comments
Changeset: a44b45fd
Author: Sean Mullan <mullan@openjdk.org>
Date: 2021-11-18 13:48:12 +0000
URL: https://git.openjdk.java.net/jdk/commit/a44b45fdf31275a2c1e9d1d0132874a7de45f8ee
18-11-2021

The serial fields were documented as part of JDK-8263105, so all that remains for this issue is to mark the non-serializable fields of Certificate and CertPath with the transient modifier.
15-11-2021

The fields of java.security.cert.Certificate (and CertPath) should also be transient, since they are never serialized. This will clear up the docs confusion noted in the Description as to why the fields of Certificate end up being documented in the Serialized Form. This probably requires a CSR, since serial fields are part of the specification.
15-11-2021

Yes, a CSR is needed as the nominal spec is changing, even if the spec is being brought in line with the implementation.
19-11-2019

It seems that all that is needed is to add some javadoc around the @serial fields of Certificate and Certificate.Rep. I changed the Synopsis to reflect that.
04-05-2018

EVALUATION

The Replaceable interface existed during JDK1.2 development but was removed before FCS. I believe the only issue here is how the serialized form should be documented for a Serializable class which uses writeReplace() to nominate an alternate serializable object. The Certificate class is currently missing all of the @serial javadoc comments. I will find out more from the doc & libraries team about how classes which serialize with writeReplace() should be documented.

jeff.nisewanger@Eng 2000-05-15
15-05-2000
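
The writeReplace() behaviour discussed in the Description and comments, as an added example that is not part of the original report or of the JDK sources. Token and TokenRep are hypothetical stand-ins for Certificate and CertificateRep; the program records which classes actually reach the stream and prints the fields the serialization runtime treats as serializable, including for the real Certificate and CertPath on the running JDK.

```java
import java.io.*;
import java.security.cert.*;
import java.util.*;

public class WriteReplaceDemo {
    // Hypothetical stand-in for Certificate: writeReplace() nominates a Rep object.
    static class Token implements Serializable {
        private static final long serialVersionUID = 1L;
        private final transient String type;     // never written, so marked transient
        private final transient byte[] encoded;  // never written, so marked transient
        Token(String type, byte[] encoded) { this.type = type; this.encoded = encoded.clone(); }
        protected Object writeReplace() throws ObjectStreamException {
            return new TokenRep(type, encoded);
        }
    }
    // Hypothetical stand-in for CertificateRep: the object that actually reaches the stream.
    static class TokenRep implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String type;
        private final byte[] data;
        TokenRep(String type, byte[] data) { this.type = type; this.data = data; }
        protected Object readResolve() throws ObjectStreamException {
            return new Token(type, data);
        }
    }
    // Serializable fields as the serialization runtime sees them for class c.
    static String serialFields(Class<?> c) {
        return c.getName() + " " + Arrays.toString(ObjectStreamClass.lookup(c).getFields());
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Token("X.509", new byte[] {1, 2, 3})); // constructed sample
        }
        List<String> inStream = new ArrayList<>();
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray())) {
            @Override protected Class<?> resolveClass(ObjectStreamClass d) throws IOException, ClassNotFoundException {
                inStream.add(d.getName()); // record each class descriptor found in the stream
                return super.resolveClass(d);
            }
        }) {
            System.out.println("read back: " + in.readObject().getClass().getName());
        }
        System.out.println("classes in stream: " + inStream);
        for (Class<?> c : List.of(Token.class, TokenRep.class, Certificate.class, CertPath.class))
            System.out.println(serialFields(c));
    }
}
```

Running it on JDK builds from before and after 18 b25 shows the effect of the change on the lines printed for Certificate and CertPath, while the stream contents stay the same because only the Rep object is ever written.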