6

I'm trying to use javax.crypto.Cipher.doFinal(byte[]) method to encrypt an object. But, for security reasons, the object cannot be serializable. So, how to convert the object to byte array without serialization?

--update

Is using serialization the only way to use this Cipher method? Because as I know important data should not be serializable.

  • 1
    And I guess equally importantly... convert it back again. Commented Apr 1, 2010 at 20:16
  • 1
    You want to serialize an object which "For security reason, the object cannot be serializable" Are you aware that serializable is used for converting the object to a byte[]? Commented Apr 1, 2010 at 20:23
  • @Peter Lawrey please, see my update Commented Apr 5, 2010 at 12:20
  • @Tom Brito Just out of curiosity, why shouldn't important data be serializable? I hadn't heard of this. Commented Apr 8, 2010 at 16:44
  • 1
    @Bill K java.sun.com/security/seccodeguide.html Guideline 5-1 Avoid serialization for security-sensitive classes Commented Apr 9, 2010 at 13:32

5 Answers

4

I used com.fasterxml.jackson.databind.ObjectMapper.

  import java.io.ByteArrayOutputStream;
  import java.io.IOException;
  import com.fasterxml.jackson.annotation.JsonInclude;
  import com.fasterxml.jackson.databind.ObjectMapper;
  import com.fasterxml.jackson.databind.SerializationFeature;

  // Writes the object's bean properties as pretty-printed JSON (UTF-8 bytes),
  // omitting properties whose value is null.
  private static byte[] serialize(Object obj) throws IOException {
      ByteArrayOutputStream os = new ByteArrayOutputStream();
      ObjectMapper mapper = new ObjectMapper();
      mapper.enable(SerializationFeature.INDENT_OUTPUT);
      mapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);
      mapper.writeValue(os, obj);

      return os.toByteArray();
  }

2 Comments

How can we deserialize that object?
Throws InvalidDefinitionException: No serializer found for class org.json.JSONObject and no properties discovered to create BeanSerializer
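The round trip the two comments above ask about, as an added example that is not code from the answer: the same ObjectMapper settings, plus the matching readValue call. Credentials is a constructed bean type; ObjectMapper introspects getters and setters, which is why a plain bean works while org.json.JSONObject (no bean properties) fails with the "No serializer found" error quoted above.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.ObjectMapper;

public class JacksonRoundTrip {

    // Constructed example bean: public no-arg constructor plus getters/setters
    // is all ObjectMapper needs to serialize and deserialize it.
    public static class Credentials {
        private String user;
        private String token;
        public Credentials() { }
        public Credentials(String user, String token) { this.user = user; this.token = token; }
        public String getUser() { return user; }
        public void setUser(String user) { this.user = user; }
        public String getToken() { return token; }
        public void setToken(String token) { this.token = token; }
    }

    private static final ObjectMapper MAPPER = new ObjectMapper()
            .setSerializationInclusion(JsonInclude.Include.NON_NULL);

    // Object -> UTF-8 JSON bytes (equivalent to the answer's serialize(), without indentation).
    static byte[] toBytes(Object obj) throws IOException {
        return MAPPER.writeValueAsBytes(obj);
    }

    // JSON bytes -> object of the requested type; this is the missing deserialize() step.
    static <T> T fromBytes(byte[] json, Class<T> type) throws IOException {
        return MAPPER.readValue(json, type);
    }

    public static void main(String[] args) throws IOException {
        byte[] json = toBytes(new Credentials("alice", "s3cret"));
        System.out.println(new String(json, StandardCharsets.UTF_8));   // {"user":"alice","token":"s3cret"}
        Credentials back = fromBytes(json, Credentials.class);
        System.out.println(back.getUser() + " / " + back.getToken());
        // The JSON bytes hold the secret in the clear: hand them to Cipher.doFinal
        // and then overwrite the array rather than letting it linger on the heap.
        Arrays.fill(json, (byte) 0);
    }
}
```

Note that JSON produced this way is still a plaintext copy of every non-null field, so it should exist only as the transient input to Cipher.doFinal, never be logged or stored as-is.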
0

You just serialize each of its components. Recurse. Eventually you end up with native objects that you can serialize.

If you implement this by implementing Java's serialization methods, Java will ensure that you do not serialize any object twice and will take care of references for you.

In short, make the object serializable.

1 Comment

same as @Randy Simon's answer, see the comments
0

Solved. Instead of using a getByteArray() to call Cipher.doFinal(), I'll use Cipher.doFinal() inside the class, with a getEncryptedByteArray() method; so I serialize the data inside the class without making the class itself serializable, and the returned result will be encrypted. Any objection to this approach will be considered... :)

Comments

-1

Here is a simple example of serializing a class to a byte array.

import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;

public class Foo {

    private boolean isHappy;
    private short happyCount;
    private Bar bar;   // Bar is assumed to provide doSerializeData(DataOutputStream)

    public byte[] serializeData () throws IOException
    {
        ByteArrayOutputStream stream = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream( stream );

        // Write each primitive field in a fixed order; the reader must use the same order.
        out.writeBoolean(isHappy);
        out.writeShort( happyCount );

        // Serialize bar which will just append to this byte stream
        bar.doSerializeData(out);

        // Return the serialized object.
        byte[] data = stream.toByteArray();

        // Clean up.
        stream.close();

        return data;
    }
}

Of course, a lot of the details in your case depend on your class structure but hopefully this gets you pointed in the right direction.

To deserialize you just need to reverse the above.

1 Comment

The same security considerations that dictated that the class should not be Serializable should dictate that this method not be written.
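The approach the asker settled on (serialize the fields inside the class and encrypt before anything leaves it), combined with the fixed-order DataOutputStream framing from the answer above, as an added example that is not code from the thread. The class name Account, its fields, the AES/GCM choice and the IV||ciphertext layout are all assumptions; the class is deliberately not Serializable, the plaintext byte[] never escapes the class, and decryption authenticates the blob before a single field is parsed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical class (not from the thread): holds sensitive fields, is deliberately
// NOT Serializable, and only ever hands out ciphertext. Field names are assumptions.
public final class Account {
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private final String owner;
    private final char[] pin;          // char[] rather than String so it can be wiped
    private final long balanceCents;

    public Account(String owner, char[] pin, long balanceCents) {
        this.owner = owner;
        this.pin = pin.clone();
        this.balanceCents = balanceCents;
    }

    // Private, fixed-order framing with DataOutputStream; the plaintext byte[] is
    // built here and never returned to a caller.
    private byte[] toPlainBytes() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeUTF(owner);
        out.writeInt(pin.length);
        for (char c : pin) out.writeChar(c);
        out.writeLong(balanceCents);
        return bos.toByteArray();
    }

    /** Output layout: 12-byte random IV || AES-GCM ciphertext || 16-byte tag. */
    public byte[] getEncryptedByteArray(SecretKey key) throws IOException, GeneralSecurityException {
        byte[] plain = toPlainBytes();
        try {
            byte[] iv = new byte[GCM_IV_BYTES];
            new SecureRandom().nextBytes(iv);           // fresh IV per encryption: never reuse with GCM
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
            byte[] ct = cipher.doFinal(plain);
            byte[] blob = new byte[iv.length + ct.length];
            System.arraycopy(iv, 0, blob, 0, iv.length);
            System.arraycopy(ct, 0, blob, iv.length, ct.length);
            return blob;
        } finally {
            Arrays.fill(plain, (byte) 0);               // wipe the plaintext copy
        }
    }

    /** Inverse of getEncryptedByteArray; the GCM tag is verified before any field is parsed. */
    public static Account fromEncryptedByteArray(byte[] blob, SecretKey key)
            throws IOException, GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] plain = cipher.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES); // AEADBadTagException if tampered
        try {
            DataInputStream in = new DataInputStream(new ByteArrayInputStream(plain));
            String owner = in.readUTF();
            int n = in.readInt();
            if (n < 0 || n > 64) throw new IOException("implausible pin length: " + n);
            char[] pin = new char[n];
            for (int i = 0; i < n; i++) pin[i] = in.readChar();
            long balance = in.readLong();
            Account acct = new Account(owner, pin, balance);
            Arrays.fill(pin, '\0');                     // constructor cloned it; wipe the local copy
            return acct;
        } finally {
            Arrays.fill(plain, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        Account a = new Account("alice", "1234".toCharArray(), 10_050L);
        byte[] blob = a.getEncryptedByteArray(key);
        Account b = Account.fromEncryptedByteArray(blob, key);
        System.out.println(b.owner + " " + b.balanceCents);   // alice 10050
        blob[blob.length - 1] ^= 1;                     // corrupt one tag bit
        try {
            Account.fromEncryptedByteArray(blob, key);
        } catch (GeneralSecurityException e) {
            System.out.println("rejected tampered blob: " + e.getClass().getSimpleName());
        }
    }
}
```

Two design points worth noting. First, the manual framing avoids Java serialization entirely, so there is no ObjectInputStream on the decode path and no gadget-chain exposure; the cost is that you own the format and must bound any length you read (the pin-length check above). Second, because GCM is an AEAD mode, doFinal on the decrypt side fails before returning any plaintext when the blob was modified, which is what makes it safe to parse the fields with plain readUTF/readInt afterwards.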
-1

java.beans.XMLEncoder/Decoder.

1 Comment

Of course. Nothing you can do about that. It exists whether you like it or not, so therefore the class in question is insecure if it is XMLEncodable. What I think you need is a method in the class that delivers a SealedObject and that uses private member data to construct it.
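The SealedObject design suggested in the comment above, as an added example that is not code from the thread; Vault, Snapshot and their fields are hypothetical names. The outer class stays non-Serializable and the only Serializable type is a private nested snapshot that is constructed from private member data and leaves the class only inside a SealedObject.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SealedObject;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical outer class: NOT Serializable. The only Serializable type is a
// private snapshot that never escapes except wrapped in a SealedObject.
public final class Vault {
    private final String owner;
    private final char[] secret;

    public Vault(String owner, char[] secret) {
        this.owner = owner;
        this.secret = secret.clone();
    }

    // Private holder: nested and private, so it is not part of Vault's public API surface.
    private static final class Snapshot implements Serializable {
        private static final long serialVersionUID = 1L;
        final String owner;
        final char[] secret;
        Snapshot(String owner, char[] secret) { this.owner = owner; this.secret = secret; }
    }

    /** Builds a SealedObject from private state; the returned object carries only ciphertext. */
    public SealedObject seal(SecretKey key) throws IOException, GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);                 // fresh IV for every seal() call
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        // SealedObject stores the algorithm name and the encoded parameters (the IV)
        // next to the ciphertext, so the receiver only needs the key.
        return new SealedObject(new Snapshot(owner, secret), cipher);
    }

    /** Inverse: getObject(Key) rebuilds the Cipher from the stored parameters and deserializes the snapshot. */
    public static Vault unseal(SealedObject sealed, SecretKey key)
            throws IOException, ClassNotFoundException, GeneralSecurityException {
        // A wrong key or a modified blob fails the GCM tag check inside getObject and
        // surfaces as a GeneralSecurityException before any object is deserialized.
        Snapshot s = (Snapshot) sealed.getObject(key);
        return new Vault(s.owner, s.secret);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        SealedObject so = new Vault("alice", "hunter2".toCharArray()).seal(key);
        System.out.println(so.getAlgorithm());            // AES/GCM/NoPadding
        Vault v = unseal(so, key);
        System.out.println(v.owner);                      // alice
    }
}
```

The trade-off against the manual DataOutputStream framing is that getObject(Key) reads the snapshot back through an ObjectInputStream, so Java deserialization is still on the decode path; the JVM-wide serial filter (the jdk.serialFilter property, Java 9 and 8u121 onward) applies to that stream and should allowlist the snapshot class and reject everything else.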
