4337793: Mark non-serializable fields of java.security.cert.Certificate and CertPath

[seanjmullan]

Please review this 20+ year old bug (!), which marks the non-serializable fields of Certificate and CertPath with the transient modifier. These classes use an alternate serialization mechanism by overriding the writeReplace method. However, the fields of each class were never marked as transient and as a result were incorrectly documented in the Serialized Form section of the javadoc.

CSR: https://bugs.openjdk.java.net/browse/JDK-8277128

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Issue

• JDK-4337793: Mark non-serializable fields of java.security.cert.Certificate and CertPath

Reviewers

• Valerie Peng (@valeriepeng - Reviewer)
• Roger Riggs (@RogerRiggs - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/6392/head:pull/6392
$ git checkout pull/6392

Update a local copy of the PR:
$ git checkout pull/6392
$ git pull https://git.openjdk.java.net/jdk pull/6392/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 6392

View PR using the GUI difftool:
$ git pr show -t 6392

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/6392.diff

[seanjmullan]

/csr

[bridgekeeper]

👋 Welcome back mullan! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@seanjmullan this pull request will not be integrated until the CSR request JDK-8277128 for issue JDK-4337793 has been approved.

[openjdk]

@seanjmullan The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 01: Full - Incremental (5bb207f7)
• 00: Full (98803b81)

[RogerRiggs]

The serialized form doc for both classes should say something about what is serialized.
Since it is using writeReplace, it can indicate that CertificateRep/CertPathRep is used instead (and the arguments).
likely you'll need to use the @serial javadoc tag and check the generated javadoc to verify.

[seanjmullan]

The serialized form doc for both classes should say something about what is serialized. Since it is using writeReplace, it can indicate that CertificateRep/CertPathRep is used instead (and the arguments). likely you'll need to use the @serial javadoc tag and check the generated javadoc to verify.

The writeReplace methods do have @serial tags, and they do show up in the Serialized Form of the javadoc, ex: https://docs.oracle.com/en/java/javase/17/docs/api/serialized-form.html#java.security.cert.Certificate

Is your comment more that these methods could more clearly specify what is returned?

[RogerRiggs]

The serialized form doc for both classes should say something about what is serialized. Since it is using writeReplace, it can indicate that CertificateRep/CertPathRep is used instead (and the arguments). likely you'll need to use the @serial javadoc tag and check the generated javadoc to verify.

The writeReplace methods do have @serial tags, and they do show up in the Serialized Form of the javadoc, ex: https://docs.oracle.com/en/java/javase/17/docs/api/serialized-form.html#java.security.cert.Certificate

Is your comment more that these methods could more clearly specify what is returned?

The @java.io.Serial annotation doesn't add any description to the generated javadoc or serialized form doc.

The javadoc in the serialized for says only: "Replace the Certificate to be serialized."
For my purposes it would enough to reword it to say it returns a CertificateRep holding the type and data or something similar.
The @serial javadoc tag might be useful but not necessary if the regular javadoc that is in the serialized form doc is concrete.

[seanjmullan]

The serialized form doc for both classes should say something about what is serialized. Since it is using writeReplace, it can indicate that CertificateRep/CertPathRep is used instead (and the arguments). likely you'll need to use the @serial javadoc tag and check the generated javadoc to verify.

The writeReplace methods do have @serial tags, and they do show up in the Serialized Form of the javadoc, ex: https://docs.oracle.com/en/java/javase/17/docs/api/serialized-form.html#java.security.cert.Certificate
Is your comment more that these methods could more clearly specify what is returned?

The @java.io.Serial annotation doesn't add any description to the generated javadoc or serialized form doc.

The javadoc in the serialized for says only: "Replace the Certificate to be serialized." For my purposes it would enough to reword it to say it returns a CertificateRep holding the type and data or something similar. The @serial javadoc tag might be useful but not necessary if the regular javadoc that is in the serialized form doc is concrete.

Sounds good, see the latest commit for improvements to writeReplace and a few other wording improvements in related methods/fields.

[openjdk]

@seanjmullan This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

4337793: Mark non-serializable fields of java.security.cert.Certificate and CertPath

Reviewed-by: valeriep, rriggs

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 126 new commits pushed to the master branch:

• ce4471f: 8277346: ProblemList 7 serviceability/sa tests on macosx-x64
• 45a60db: 8277045: G1: Remove unnecessary set_concurrency call in G1ConcurrentMark::weak_refs_work
• 6bb0462: 8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE
• d8c0280: 8277316: ciReplay: dump_replay_data is not thread-safe
• 007ad7c: 8277303: Terminology mismatch between JLS17-3.9 and SE17's javax.lang.model.SourceVersion method specs
• 8881f29: 8277310: ciReplay: @CPI MethodHandle references not resolved
• 262d070: 8277246: Check for NonRepudiation as well when validating a TSA certificate
• a907b2b: 8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here"
• b687664: 8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points
• 8f5a8f7: 8264293: Create implementation for NSAccessibilityMenu protocol peer
• ... and 116 more: https://git.openjdk.java.net/jdk/compare/ea23e7333e03abb4aca3e9f3854bab418a4b70e2...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[seanjmullan]

/integrate

[openjdk]

Going to push as commit a44b45f.
Since your change was applied there have been 138 commits pushed to the master branch:

• b3a62b4: 8276795: Deprecate seldom used CDS flags
• 38345bd: 8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1
• 2c06bca: 8266368: Inaccurate after_unwind hook in C2 exception handler
• 77cc508: 8277215: Remove redundancy in ReferenceProcessor constructor args
• 0a65e8b: 8276794: Change nested classes in java.desktop to static nested classes
• db55f92: 8277343: dynamicArchive/SharedArchiveFileOption.java failed: '-XX:+RecordDynamicDumpInfo is unsupported when a dynamic CDS archive is specified in -XX:SharedArchiveFile:' missing
• 2f4b540: 8276314: [JVMCI] check alignment of call displacement during code installation
• 9160743: 8276058: Some swing test fails on specific CI macos system
• 8193800: 8274179: AArch64: Support SVE operations with encodable immediates
• b8453eb: 8275007: Java fails to start with null charset if LC_ALL is set to certain locales
• ... and 128 more: https://git.openjdk.java.net/jdk/compare/ea23e7333e03abb4aca3e9f3854bab418a4b70e2...master

Your commit was automatically rebased without conflicts.

[openjdk]

@seanjmullan Pushed as commit a44b45f.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.