RFR 8072394: java.security.cert.PolicyQualifierInfo needs value-based equality

Florian Weimer fweimer at redhat.com
Tue Feb 17 14:30:30 UTC 2015

On 02/16/2015 11:13 PM, Sean Mullan wrote:

>> Based on that, PolicyQualifierInfo should have implemented value-based
>> equals() and hashCode(), and the identity-based set is just a bug.  (But
>> the requirement I cited is a stronger requirement the Set would not
>> enforce.)
>> However, I think it's too late to fix this bug now.  That's why I just
>> added the identity counter.  If you want the behavioral change instead,
>> I can implement that as well.
> Maybe it's not too late. This is not a commonly used class, and the
> compatibility risk is probably fairly low. If you code up the changes, I
> can file a CCC on your behalf.

Updated webrev: <http://cr.openjdk.java.net/~fweimer/8072394/webrev.01/>

I sneaked in a memory model fix to make the class really immutable, and
simplified the constructor a bit (mEncoded is already a copy, there is
no need for further copying).

There's also a new test, mostly copied from the existing
GetPolicyQualifiers test.  (I didn't want to edit the existing test
because that sometimes causes trouble.)  The DER values were generated by
pyasn1 and verified using Peter Gutmann's dumpasn1.

I couldn't find any other tests for PolicyQualifierInfo, but you may
have closed tests that need adjusting.

Florian Weimer / Red Hat Product Security
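
The identity-versus-value question discussed in this thread, as an added example that is not part of the original message or the webrev: two PolicyQualifierInfo objects built from the same DER bytes are placed in a HashSet directly and through a key that compares getEncoded() output. The class names QualifierEqualityDemo and EncodedKey, the helper cpsQualifier and the sample URI are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.PolicyQualifierInfo;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class QualifierEqualityDemo {

    /** Hypothetical set key that compares qualifiers by their DER encoding. */
    static final class EncodedKey {
        private final byte[] der;
        EncodedKey(PolicyQualifierInfo q) { this.der = q.getEncoded(); } // getEncoded() returns a copy
        @Override public boolean equals(Object o) {
            return o instanceof EncodedKey && Arrays.equals(der, ((EncodedKey) o).der);
        }
        @Override public int hashCode() { return Arrays.hashCode(der); }
    }

    /** Constructed sample: SEQUENCE { OID id-qt-cps (1.3.6.1.5.5.7.2.1), IA5String uri }. */
    static byte[] cpsQualifier(String uri) {
        byte[] oid = {0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01};
        byte[] text = uri.getBytes(StandardCharsets.US_ASCII);
        if (text.length > 115) throw new IllegalArgumentException("short-form DER lengths only");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(0x30); out.write(oid.length + 2 + text.length); // SEQUENCE tag, content length
        out.write(oid, 0, oid.length);
        out.write(0x16); out.write(text.length);                  // IA5String tag, length
        out.write(text, 0, text.length);
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] der = cpsQualifier("http://example.test/cps");     // constructed sample URI
        PolicyQualifierInfo a = new PolicyQualifierInfo(der);
        PolicyQualifierInfo b = new PolicyQualifierInfo(der.clone());

        // Size depends on the JDK: 2 with identity-based equals(), 1 with value-based equals().
        Set<PolicyQualifierInfo> direct = new HashSet<>(Arrays.asList(a, b));
        // The wrapper compares encodings, so both entries collapse into one on any JDK.
        Set<EncodedKey> byValue = new HashSet<>(Arrays.asList(new EncodedKey(a), new EncodedKey(b)));

        System.out.println("a.equals(b) on this JDK: " + a.equals(b));
        System.out.println("HashSet<PolicyQualifierInfo> size: " + direct.size());
        System.out.println("HashSet<EncodedKey> size: " + byValue.size());
    }
}
```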
