On 02/13/2015 08:43 PM, Sean Mullan wrote:
> This fix looks fine, but I am trying to remember why a Set/LinkedHashSet
> was used in the first place, it seems like a List/ArrayList would have
> been more suitable. Even though PolicyInformation is an internal class,
> it's probably better to not change that detail at this point unless we
> have a better reason.

I think the Set is part of the public API:

<http://docs.oracle.com/javase/8/docs/api/java/security/cert/PolicyNode.html#getPolicyQualifiers-->

RFC 5280 says this:

“A certificate policy OID MUST NOT appear more than once in a certificate policies extension.” (Section 4.2.4.1)

Based on that, PolicyQualifierInfo should have implemented value-based equals() and hashCode(), and the identity-based set is just a bug. (But the requirement I cited is a stronger requirement the Set would not enforce.)

However, I think it's too late to fix this bug now. That's why I just added the identity counter. If you want the behavioral change instead, I can implement that as well.

> Can you add a noreg-perf label to the bug?

Done, perhaps prematurely.

-- 
Florian Weimer / Red Hat Product Security
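
Added example, not part of the original message or of the OpenJDK patch: a small Java program showing the identity-based set behaviour discussed above, next to a value-keyed view built on the DER encoding. The class name `QualifierSetDemo`, the helper `cpsQualifier` and the sample URI are constructed for illustration; the demo relies on `PolicyQualifierInfo` not overriding `equals()`/`hashCode()`, as the message states.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.cert.PolicyQualifierInfo;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

public class QualifierSetDemo {
    // DER for PolicyQualifierInfo ::= SEQUENCE { id-qt-cps OID, IA5String uri }.
    // Short-form lengths only, so the URI is limited to 115 bytes.
    static byte[] cpsQualifier(String uri) {
        byte[] oid = {0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01};
        byte[] u = uri.getBytes(StandardCharsets.US_ASCII);
        if (u.length > 115) throw new IllegalArgumentException("URI too long");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(0x30);                       // SEQUENCE
        out.write(oid.length + 2 + u.length);  // content length
        out.write(oid, 0, oid.length);         // 1.3.6.1.5.5.7.2.1 (id-qt-cps)
        out.write(0x16);                       // IA5String
        out.write(u.length);
        out.write(u, 0, u.length);
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] der = cpsQualifier("http://example.test/cps"); // constructed sample
        PolicyQualifierInfo a = new PolicyQualifierInfo(der);
        PolicyQualifierInfo b = new PolicyQualifierInfo(der);

        // Identity-based: both objects are kept although their encodings match.
        Set<PolicyQualifierInfo> byIdentity = new LinkedHashSet<>();
        byIdentity.add(a);
        byIdentity.add(b);

        // Value-based view: key on the DER bytes, keep the first occurrence in order.
        Map<ByteBuffer, PolicyQualifierInfo> byValue = new LinkedHashMap<>();
        for (PolicyQualifierInfo q : byIdentity) {
            byValue.putIfAbsent(ByteBuffer.wrap(q.getEncoded()), q);
        }

        System.out.println("a.equals(b):       " + a.equals(b));
        System.out.println("identity set size: " + byIdentity.size());
        System.out.println("value-keyed size:  " + byValue.size());
    }
}
```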