- Bug
- Resolution: Fixed
- P4
- 5.0
- beta
- x86
- windows_nt
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2157241 | 5.0-pool | Mala Bankal | P4 | Closed | Won't Fix |
FULL PRODUCT VERSION :
java version "1.5.0_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_04-b05)
Java HotSpot(TM) Client VM (build 1.5.0_04-b05, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Windows NT Version 4.0
A DESCRIPTION OF THE PROBLEM :
java.security.CodeSource#equals is no longer symmetric as required by the contract of java.lang.Object#equals
The bug appears when comparing two CodeSource instances with the same location and different certificates, in the special case that the certificate array is null for one CodeSource instance.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Use the source code attached to this bug report and the self-signed certificate below (or any other certificate) to reproduce the bug.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Here is the (correct) output from older JDKs:
1.3.1_11-b02
cs1.equals(cs2) = false
cs2.equals(cs1) = false
1.4.1_05-b01
cs1.equals(cs2) = false
cs2.equals(cs1) = false
1.4.2_08-b03
cs1.equals(cs2) = false
cs2.equals(cs1) = false
ACTUAL -
1.5.0_02-b09
cs1.equals(cs2) = true
cs2.equals(cs1) = false
1.5.0_04-b05
cs1.equals(cs2) = true
cs2.equals(cs1) = false
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;

public class CodeSourceEqualsTest
{
    public static void main(String[] args) throws CertificateException, IOException
    {
        //--- args[0] must point to a file containing (at least) one certificate
        File certFile = new File(args[0]);
        FileInputStream fis = new FileInputStream(certFile);
        BufferedInputStream bis = new BufferedInputStream(fis);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        ArrayList certs = new ArrayList();

        //--- read certificate(s)
        while (bis.available() > 0) {
            Certificate cert = cf.generateCertificate(bis);
            certs.add(cert);
        }
        bis.close();

        URL location = certFile.toURL();
        //--- cs1: null certificate array
        CodeSource cs1 = new CodeSource(location, (Certificate[]) null);
        //--- cs2: same location, the certificate(s) read above
        CodeSource cs2 = new CodeSource(location, (Certificate[]) certs.toArray(new Certificate[certs.size()]));

        System.out.println(System.getProperty("java.vm.version"));
        //--- a symmetric equals prints the same value on both lines
        System.out.println("cs1.equals(cs2) = " + cs1.equals(cs2));
        System.out.println("cs2.equals(cs1) = " + cs2.equals(cs1));
    }
}
---------- END SOURCE ----------
Release Regression From : 1.4.2_05
The above release value was the last known release where this
bug was known to work. Since then there has been a regression.
###@###.### 2005-07-20 06:52:28 GMT
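The same symmetry check without an external certificate file, as an added example (not part of the original bug report or the JDK sources). The class name CodeSourceSymmetryCheck, the stub certificates and the file:/constructed/app.jar location are constructed for illustration; it goes beyond the null-versus-signed case above and compares every pair among null, empty, single and multi-certificate CodeSource instances.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.PublicKey;
import java.security.cert.Certificate;

public class CodeSourceSymmetryCheck {
    // Constructed stand-in certificate. Certificate.equals compares the
    // encoded forms, so distinct byte arrays give distinct certificates.
    static Certificate stubCert(final byte[] encoded) {
        return new Certificate("X.509") {
            public byte[] getEncoded() { return (byte[]) encoded.clone(); }
            public void verify(PublicKey key) { }
            public void verify(PublicKey key, String sigProvider) { }
            public String toString() { return "stubCert"; }
            public PublicKey getPublicKey() { return null; }
        };
    }

    // Counts pairs (i, j) where all[i].equals(all[j]) != all[j].equals(all[i]).
    static int countAsymmetricPairs(CodeSource[] all) {
        int bad = 0;
        for (int i = 0; i < all.length; i++) {
            for (int j = i + 1; j < all.length; j++) {
                boolean ab = all[i].equals(all[j]);
                boolean ba = all[j].equals(all[i]);
                if (ab != ba) {
                    bad++;
                    System.out.println("asymmetric: [" + i + "].equals([" + j
                            + "]) = " + ab + ", reverse = " + ba);
                }
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        URL location = new URL("file:/constructed/app.jar"); // constructed location
        Certificate a = stubCert(new byte[] {1, 2, 3});      // constructed bytes
        Certificate b = stubCert(new byte[] {4, 5, 6});      // constructed bytes
        CodeSource[] all = {
            new CodeSource(location, (Certificate[]) null),   // the reported case
            new CodeSource(location, new Certificate[0]),
            new CodeSource(location, new Certificate[] {a}),
            new CodeSource(location, new Certificate[] {b}),
            new CodeSource(location, new Certificate[] {a, b}),
        };
        System.out.println(System.getProperty("java.vm.version"));
        int bad = countAsymmetricPairs(all);
        System.out.println("asymmetric pairs: " + bad);
        System.exit(bad == 0 ? 0 : 1);
    }
}
```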
Backported by: JDK-2157241 REGRESSION: java.security.CodeSource#equals not symmetric (Closed)