JDK-6972386 : issues with String.toLowerCase/toUpperCase
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 7,8
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2010-07-27
  • Updated: 2017-01-05
  • Resolved: 2016-12-22
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
9 b151Fixed
Related Reports
Relates :  
In JDK codes, there are many string comparisons that looks like:

The String.toLowerCase/toUpperCase() equals to String.toLowerCase/toUpperCase(Locale.getDefault()). According to CR 6208680 and the spec of String.toLowerCase/toUpperCase(), for some special region, for example Turkish and Azeri, the conversion maybe locale-sensitive. For example, for Turkish, the "i" is not mapped to "I" with String.toUpperCase(). When the default locale of JVM is set to the special region, the above string comparisons will not be able to work as expected. 

Please check the JCE source code.

Just grepped with the following command: rgrep 'to\(Upper\|Lower\)Case..\.\(eq\|st\|con\)' and the only instance found in JCE was this: closed/solaris/classes/com/oracle/security/ucrypto/NativeCipherWithJavaPadding.java: if (paddingScheme.toUpperCase().equals("PKCS5PADDING")) { which doesn't seem to be an issue.

EVALUATION Found a few instances that were suspicious. Should check into it.