Keys, Certificates, and Object Serialization
Before we conclude this chapter, a brief word on object serialization, keys, and certificates. Keys and certificates are often transmitted electronically, and a reasonable mechanism for transmitting them between Java programs is to send them as serialized objects. In theory—and, most of the time, in practice—this is a workable solution. If you modify some of the examples in this chapter to save and restore serialized keys or certificates, that will certainly work in a testing environment.
A problem arises, however, when you send these serialized objects
between virtual machines that have two different security providers.
Let’s take the case of a DSA public key. When you create such a
key with the Sun security provider, you get an instance of the
sun.security.provider.DSAPublicKey
class. When
you create such a key with a third-party security provider, you may
get an instance of the com.xyz.XYZPublicKey
class. Although both public keys are extensions of the
PublicKey
class, they cannot be interchanged by
object serialization. Serializing a public key created with the Sun
security provider requires that the
sun.security.provider.DSAPublicKey
class be used, and deserialization creates an object of that type, no matter what security providers the deserializing virtual machine has installed. Whether or not the Sun security provider has been installed in the destination virtual machine is irrelevant. The process of deserializing the object ...
Get Java Security now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.