-
Bug
-
Resolution: Unresolved
-
P4
-
8, 25
-
generic
-
generic
A DESCRIPTION OF THE PROBLEM :
The Javadoc for `java.security.CodeSource.implies(CodeSource codesource)` specifies rules for certificate matching. One rule states: "If this object's certificates are not null, then all of this object's certificates must be present in codesource's certificates."
Logically, if "this object's certificates" is an empty array (e.g., `new Certificate[0]`), the condition "all of this object's certificates must be present in codesource's certificates" should be vacuously true, regardless of whether `codesource`'s certificates are null or an empty/non-empty array. This is because there are no certificates in `this` object's list that could fail to be present in `codesource`'s list.
However, observed behavior (or analysis `implies` and `matchCerts` function that checks `that.certs != null`) might suggest that if `this.certs` is non-null (even if empty) and `codesource.certs` is null, the implication for certificates might evaluate to false, leading the overall `implies()` method to return false (assuming location matches).
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
In my opinion, follow the current javadoc. The result is no Exception.
ACTUAL -
Throw Exception
---------- BEGIN SOURCE ----------
URL url = new URL("http://localhost/file");
CodeSource csEmpty = new CodeSource(url, new Certificate[0]);
CodeSource csNull = new CodeSource(url, (Certificate[]) null);
if (!csEmpty.implies(csNull)) {
throw new SecurityException("Empty certificates should imply null certificates");
}
---------- END SOURCE ----------
The Javadoc for `java.security.CodeSource.implies(CodeSource codesource)` specifies rules for certificate matching. One rule states: "If this object's certificates are not null, then all of this object's certificates must be present in codesource's certificates."
Logically, if "this object's certificates" is an empty array (e.g., `new Certificate[0]`), the condition "all of this object's certificates must be present in codesource's certificates" should be vacuously true, regardless of whether `codesource`'s certificates are null or an empty/non-empty array. This is because there are no certificates in `this` object's list that could fail to be present in `codesource`'s list.
However, observed behavior (or analysis `implies` and `matchCerts` function that checks `that.certs != null`) might suggest that if `this.certs` is non-null (even if empty) and `codesource.certs` is null, the implication for certificates might evaluate to false, leading the overall `implies()` method to return false (assuming location matches).
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
In my opinion, follow the current javadoc. The result is no Exception.
ACTUAL -
Throw Exception
---------- BEGIN SOURCE ----------
URL url = new URL("http://localhost/file");
CodeSource csEmpty = new CodeSource(url, new Certificate[0]);
CodeSource csNull = new CodeSource(url, (Certificate[]) null);
if (!csEmpty.implies(csNull)) {
throw new SecurityException("Empty certificates should imply null certificates");
}
---------- END SOURCE ----------