On Thu, 13 Jul 2023 08:51:23 GMT, Pavel Rappo <pra...@openjdk.org> wrote:
>> Please review this PR to use modern APIs and language features to simplify >> `equals` and `hashCode` in security area. >> >> I understand that security area is sensitive and a non-expert, such as >> myself, should tread carefully; so below are my notes to assist the review. >> >> * Unlike `hashCode`, non-secure `equals` implementations are typically >> short-circuit. But because of "timing attacks", we seem to have specialized >> implementations, such as `java.security.MessageDigest.isEqual(byte[], >> byte[])` and a more general `sun.security.util.ByteArrays.isEqual(byte[], >> int, int, byte[], int, int)`. So while reviewing this PR, take an >> opportunity to audit the affected `equals` implementations: perhaps some of >> them need to become secure, not modern. I have no domain knowledge to tell >> those cases apart, I only note that those cases exist. >> >> * This PR sacrifices compatibility for pragmatism: it changes some >> `hashCode` implementations to produce different values than before to allow >> more utilization of methods from `Objects` and `Arrays`. To my mind, those >> changes are **benign**. If you disagree, I'd be happy to discuss that and/or >> retract the concerning part of the change. >> >> * BitArray could be a topic of its own, but I'll do my best to be concise. >> >> * Truth to be told, BitArray's `equals` and `hashCode` are not used >> anywhere in source, and `equals` is only used in one test. For that reason, >> I refrained from reimplementing internals of `BitArray` using more general >> `java.util.BitSet`: too much effort and risk for almost nothing. >> * Speaking of `BitSet`-powered `BitArray`. Such an implementation is not >> for the faint of heart: there's too much impedance mismatch between data >> structures that those classes use to store bits. That said, for the sake of >> testing that it is possible and that I understand the `BitArray` correctly, >> I actually implemented it using `BitSet`. While that implementation is >> **NOT** part of this PR, you can have a look at it >> [here](https://cr.openjdk.org/~prappo/8311170/BitArray.java). >> >> * One suggestion to consider is to change this somewhat arcane piece in >> java.security.UnresolvedPermission.equals: >> >> // check certs >> if (this.certs == null && that.certs != null || >> this.certs != null && that.certs == null || >> this.certs != null && >> this.certs.length != that.certs.length) { >> return false; >> } >> >> int i,j; >> boolea... > > Pavel Rappo has updated the pull request with a new target base due to a > merge or a rebase. The incremental webrev excludes the unrelated changes > brought in by the merge/rebase. The pull request contains 12 additional > commits since the last revision: > > - Much more cases: apologies for extra review work > - Merge branch 'master' into 8311170 > - Merge branch 'master' into 8311170 > - Reflow previously missed doc comment > - Reflow doc comment as suggested > - Revert for readability > - Merge branch 'master' into 8311170 > - Be consistent with the rest of the change > - Fix reported bugs > - Add even more cases and tidy up > - ... and 2 more: https://git.openjdk.org/jdk/compare/bb8f1401...457b9c56 Look good, lots of nice cleanup. src/java.base/share/classes/javax/crypto/CryptoPolicyParser.java line 627: > 625: retval ^= maxKeySize; > 626: retval ^= (checkParam ? 100 : 0); > 627: retval ^= Objects.hashCode(algParamSpec); After this change, someone will wonder why the code does all the intermediate assignments. return Objects.hashCode(alg) ^ Objects.hashCode(exemptionMechanism) ^ (checkParam ? 100 : 0) ^ Objects.hashCode(algParamSpec); } Here and elsewhere... src/java.base/share/classes/sun/security/x509/DistributionPoint.java line 351: > 349: hash += Objects.hashCode(relativeName); > 350: hash += Objects.hash(crlIssuer); > 351: hash += Arrays.hashCode(reasonFlags); Another case where the intermediate assignments look unnecessary. ------------- Marked as reviewed by rriggs (Reviewer). PR Review: https://git.openjdk.org/jdk/pull/14738#pullrequestreview-1528668165 PR Review Comment: https://git.openjdk.org/jdk/pull/14738#discussion_r1262696059 PR Review Comment: https://git.openjdk.org/jdk/pull/14738#discussion_r1262705536
