From d9552c823ce0c3d86ce7c282885800363e63d2e4 Mon Sep 17 00:00:00 2001
From: adilburaksen
Date: Tue, 9 Jun 2026 22:47:24 +0300
Subject: [PATCH] Report malformed JSON keyset fields as IOException instead of an uncaught exception

JsonKeysetReader.read()/readEncrypted() declare `throws IOException`, and the public TinkJsonProtoKeysetFormat.parseKeyset* helpers wrap that into `throws GeneralSecurityException`. When a JSON keyset sets a string-typed field (e.g. "status", "typeUrl", "keyMaterialType", "value", "encryptedKeyset") to a JSON object or array, gson's JsonElement.getAsString() throws UnsupportedOperationException, a RuntimeException not covered by the existing `catch (JsonParseException | IllegalStateException)`. It then propagates uncaught, past the documented IOException / GeneralSecurityException contract, so a caller parsing an untrusted (e.g. public) keyset that only handles the declared exceptions crashes. Add UnsupportedOperationException to the catch clauses so malformed input is reported as IOException, consistent with other parse errors.
---
 src/main/java/com/google/crypto/tink/JsonKeysetReader.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/com/google/crypto/tink/JsonKeysetReader.java b/src/main/java/com/google/crypto/tink/JsonKeysetReader.java
index 2bd68988b..3baa18085 100644
--- a/src/main/java/com/google/crypto/tink/JsonKeysetReader.java
+++ b/src/main/java/com/google/crypto/tink/JsonKeysetReader.java
@@ -163,7 +163,7 @@ public Keyset read() throws IOException {
 try {
 return keysetFromJson(
 JsonParser.parse(new String(Util.readAll(inputStream), UTF_8)).getAsJsonObject());
-} catch (JsonParseException | IllegalStateException e) {
+} catch (JsonParseException | IllegalStateException | UnsupportedOperationException e) {
 throw new IOException(e);
 } finally {
 if (inputStream != null) {
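Review bot: The widened catch on the `+` line still enumerates gson failure modes one at a time, and this try block is the trust boundary for untrusted keyset bytes; if keysetFromJson (defined outside this hunk) also uses numeric accessors such as getAsInt()/getAsLong() for key ids, or dereferences a field without a has() check, a non-numeric value or missing field would raise NumberFormatException or NullPointerException, both unchecked and again escaping the IOException contract the description relies on. Since every failure here is "malformed input", consider auditing each accessor path in keysetFromJson or catching the broader type at this one boundary with a why-comment, e.g. `} catch (RuntimeException e) { // gson accessors throw several unchecked types on malformed input; all are parse errors to the caller`. The patch also touches no test file; a regression test that feeds a keyset with `"status": {}` to read() and asserts IOException would pin the new behaviour. read()'s finally block continues past the end of the hunk.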
@@ -177,7 +177,7 @@ public EncryptedKeyset readEncrypted() throws IOException {
 try {
 return encryptedKeysetFromJson(
 JsonParser.parse(new String(Util.readAll(inputStream), UTF_8)).getAsJsonObject());
-} catch (JsonParseException | IllegalStateException e) {
+} catch (JsonParseException | IllegalStateException | UnsupportedOperationException e) {
 throw new IOException(e);
 } finally {
 if (inputStream != null) {
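Review bot: The `+` line adds UnsupportedOperationException to the multi-catch without saying why, and a reader of this file will not know it is the type gson's getAsString() throws for a non-primitive element; a comment on the catch line, `// UnsupportedOperationException: gson getAsString() on an object/array-valued field`, would keep the next maintainer from "cleaning it up". For readEncrypted() specifically, the "encryptedKeyset" string is presumably base64-decoded inside encryptedKeysetFromJson (outside this hunk); if that decoder throws IllegalArgumentException on bad input, that is one more unchecked type escaping the declared IOException, so worth checking alongside this fix. readEncrypted()'s finally block continues past the end of the hunk.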