[RFC][icedtea-web] extend reproducers engine for signed applications

Jiri Vanek jvanek at redhat.com
Thu Sep 22 05:52:47 PDT 2011


On 09/21/2011 06:55 PM, Omair Majid wrote:
> On 09/21/2011 06:19 AM, Jiri Vanek wrote:
>> On 09/20/2011 09:13 PM, Omair Majid wrote:
>>> On 09/20/2011 10:42 AM, Jiri Vanek wrote:
>>>> Hi!
>> ...
>>>> "accepted" to icedtea-web.
>>>> I was afraid, that -XtrustAll could be misused in way described in
>>>> ReadPropertiesBySignedHack (included in *xtrustAllHack*) - that
...
>> including it).
>>
>
> It's really up to you. If you want to add it, I will be happy to review it.
added again
>
>>>
>>>> @@ -635,6 +665,20 @@
>...
>>
>
> It might be better to use autoconf for this. See jrunscript for an example. It's okay to do that as a separate patch though. This is fine for now.

Ok, thank you.
>
...
>
> 80 (or something else that is somewhat reasonable) columns please.

done
>
>> +public class ReadPropertiesSigned {
>> +
>> +/**
>> +*some system property is expected as arg[0], eg user.name or user.home
>> +*/
>
> Indentation is a little off.
>
>> + public static void main(String[] args) {
>> + System.out.println(System.getProperty(args[0]));
>> + }
>> +}
>> diff -r e9a9792ee189 tests/jnlp_tests/signed/ReadPropertiesSigned/testcases/ReadPropertiesSignedTest.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/jnlp_tests/signed/ReadPropertiesSigned/testcases/ReadPropertiesSignedTest.java Wed Sep 21 11:03:01 2011 +0200
>> +public class ReadPropertiesSignedTest {
>> +
>> + private static ServerAccess server = new ServerAccess();
>> + private final List<String> l=Collections.unmodifiableList(Arrays.asList(new String[] {"-Xtrustall"}));
>> +
>> +
>> + public ReadPropertiesSignedTest() {
>> +
>> + }
>> +
>
> Perhaps this can be removed?
>
done

>> +
...
>> + }
>> +
>> + @Test
>
> Formatting issue?
done (I hope all formatting issues are now ok.)
>
>> + public void EnsureXtrustallNotAffectingUnsignedBehaviour() throws Exception {
...>> + }


>
> Cheers,
> Omair


Changes to last patch
-formatting issues
-removed empty constructors
-added again xtrustAllHack

In your responses there is no criticism for xtrustAll patch. Is it ok to push? Also in last response there is no criticism of signed reproducers engine itself - ok to push?
Also I hope signedReproducersExample will be finally ok.

Thanx a lot!
	J.

changelogs:

signedReproducersEngine:
2011-09-22  Jiri Vanek <jvanek at redhat.com>

	Added signed reproducers engine
	*Makefile.am added variable KEYSTORE_NAME
	(stamps/junit-jnlp-dist-dirs): creates stamp and depend on next two targets
	(junit-jnlp-dist-simple.txt): creates list of simple reproducers, extracted from ^
	(junit-jnlp-dist-signed.txt): creates list of signed reproducers
	(stamps/netx-dist-tests-prepare-reproducers.stamp): now traverse over signed and simple
	(stamps/netx-dist-tests-sign-some-reproducers.stamp): depends on ^, traverse through signed reproducers and sign them
	(stamps/netx-dist-tests-compile-testcases.stamp): now traverse over signed and simple
	(stamps/bootstrap-directory.stamp): creates symlinks/stubs to jarsigner and keytool
	(clean-netx-dist-tests): remove new stamps, signed and simple list and keystore
	*acinclude.m4: declared to proceed IT_FIND_KEYTOOL and IT_FIND_JARSIGNER macro
	*configure.ac: declared macros to check for keytool and jarsigner
	*tests/jnlp_tests/README: mentioned signed directory

xtrustAll:
2011-09-22  Jiri Vanek <jvanek at redhat.com>

	*netx/net/sourceforge/jnlp/runtime/Boot.java: (main): added logic to handle -Xtrustall option
	*netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java: declared private static boolean trustAll=false; with public getter and pkg.private  setter
	*netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: (checkTrustWithUser): modified, when XtrustAll declared, then user is not asked and certificate is trusted
	*netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java:  (askUser): --||--

xtrustAllHack:
2011-09-22  Jiri Vanek <jvanek at redhat.com>

	*tests/jnlp_tests/signed/ReadPropertiesBySignedHack/resources/ReadPropertiesBySignedHack.jnlp: jnlp file to launch ReadPropertiesBySignedHack, notice please dependency on ReadProperties.jar from simple reproducers
	*tests/jnlp_tests/signed/ReadPropertiesBySignedHack/srcs/ReadPropertiesBySignedHack.java - this reproducer verifies that even XtrustAll enabled by reflection will not allow to launch unsigned code
	*tests/jnlp_tests/signed/ReadPropertiesBySignedHack/testcases/ReadPropertiesBySignedHackTest.java: testcase for ^

signedReproducersExample:
2011-09-22  Jiri Vanek <jvanek at redhat.com>
	
	*tests/jnlp_tests/signed/ReadPropertiesSigned/resources/ReadPropertiesSigned1.jnlp:
	*tests/jnlp_tests/signed/ReadPropertiesSigned/resources/ReadPropertiesSigned2.jnlp:
	*tests/jnlp_tests/signed/ReadPropertiesSigned/testcases/ReadPropertiesSignedTest.java:
	*tests/jnlp_tests/signed/ReadPropertiesSigned/srcs/ReadPropertiesSigned.java: ^,^^, ^^^ example of signed reproducer
	*tests/jnlp_tests/simple/ReadProperties/srcs/ReadProperties.java: now prints out got variable for comparison with ^



-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: xtrustAllHack
Url: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20110922/374a5e90/xtrustAllHack.ksh 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: xtrustAll
Url: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20110922/374a5e90/xtrustAll.ksh 
-------------- next part --------------
diff -r e9a9792ee189 Makefile.am
--- a/Makefile.am	Thu Sep 15 15:27:40 2011 +0200
+++ b/Makefile.am	Thu Sep 22 14:29:14 2011 +0200
@@ -22,6 +22,7 @@
 JNLP_TESTS_ENGINE_DIR=$(TESTS_DIR)/netx/jnlp_testsengine
 JNLP_TESTS_SERVER_DEPLOYDIR=$(TESTS_DIR)/jnlp_test_server
 JNLP_TESTS_DIR=$(TESTS_DIR)/jnlp_tests
+KEYSTORE_NAME=teststore.ks
 
 JUNIT_RUNNER_JAR=$(abs_top_builddir)/junit-runner.jar
 
@@ -455,39 +456,61 @@
 	  @junit-runner-source-files.txt && \
 	$(BOOT_DIR)/bin/jar cf $@  -C $(JUNIT_RUNNER_DIR) .
 
-junit-jnlp-dist-dirs.txt:
+stamps/junit-jnlp-dist-dirs: junit-jnlp-dist-simple.txt junit-jnlp-dist-signed.txt
 	mkdir -p $(JNLP_TESTS_SERVER_DEPLOYDIR)
 	mkdir -p $(JNLP_TESTS_DIR)
 	mkdir -p $(JNLP_TESTS_ENGINE_DIR)
+	touch $@
+
+junit-jnlp-dist-simple.txt:
 	cd $(JNLP_TESTS_SRCDIR)/simple/ ; \
 	find .  -maxdepth 1 -mindepth 1 | sed "s/.\/*//" > $(abs_top_builddir)/$@
 
-stamps/netx-dist-tests-prepare-reproducers.stamp: junit-jnlp-dist-dirs.txt
-	simpleReproducers=(`cat $(abs_top_builddir)/junit-jnlp-dist-dirs.txt `); \
-	for dir in "$${simpleReproducers[@]}" ; do \
-	  echo "processing: $$dir" ; \
-	  mkdir -p $(JNLP_TESTS_DIR)/$$dir ; \
-	  d=`pwd` ; \
-	  cd $(JNLP_TESTS_SRCDIR)/simple/$$dir/srcs/ ; \
-	  srcFiles=`find . -mindepth 1 -type f -name "*.java" | sed "s/.\/*//"` ; \
-	  notSrcFiles=`find . -mindepth 1 -type f \! -name "*.java" | sed "s/.\/*//"` ; \
-	  $(BOOT_DIR)/bin/javac -d  $(JNLP_TESTS_DIR)/$$dir/ $$srcFiles ; \
-	  if [ -n "$$notSrcFiles" ] ; then \
-	    cp -R --parents $$notSrcFiles $(JNLP_TESTS_DIR)/$$dir/ ; \
-	  fi ; \
-	  cd $(JNLP_TESTS_DIR)/$$dir/ ; \
-	  $(BOOT_DIR)/bin/jar cf $(JNLP_TESTS_SERVER_DEPLOYDIR)/$$dir.jar * ; \
-	  cd $$d ; \
-	  cp -R $(JNLP_TESTS_SRCDIR)/simple/$$dir/resources/*  $(JNLP_TESTS_SERVER_DEPLOYDIR)/ ; \
+junit-jnlp-dist-signed.txt: 
+	cd $(JNLP_TESTS_SRCDIR)/signed/ ; \
+	find .  -maxdepth 1 -mindepth 1 | sed "s/.\/*//" > $(abs_top_builddir)/$@
+
+stamps/netx-dist-tests-prepare-reproducers.stamp: stamps/junit-jnlp-dist-dirs
+	types=(simple signed); \
+	for which in "$${types[@]}" ; do \
+	  simpleReproducers=(`cat $(abs_top_builddir)/junit-jnlp-dist-$$which.txt `); \
+	  for dir in "$${simpleReproducers[@]}" ; do \
+	    echo "processing: $$dir" ; \
+	    mkdir -p $(JNLP_TESTS_DIR)/$$dir ; \
+	    d=`pwd` ; \
+	    cd $(JNLP_TESTS_SRCDIR)/$$which/$$dir/srcs/ ; \
+	    srcFiles=`find . -mindepth 1 -type f -name "*.java" | sed "s/.\/*//"` ; \
+	    notSrcFiles=`find . -mindepth 1 -type f \! -name "*.java" | sed "s/.\/*//"` ; \
+	    $(BOOT_DIR)/bin/javac -d  $(JNLP_TESTS_DIR)/$$dir/ $$srcFiles ; \
+	    if [ -n "$$notSrcFiles" ] ; then \
+	      cp -R --parents $$notSrcFiles $(JNLP_TESTS_DIR)/$$dir/ ; \
+	    fi ; \
+	    cd $(JNLP_TESTS_DIR)/$$dir/ ; \
+	    $(BOOT_DIR)/bin/jar cf $(JNLP_TESTS_SERVER_DEPLOYDIR)/$$dir.jar * ; \
+	    cd $$d ; \
+	    cp -R $(JNLP_TESTS_SRCDIR)/$$which/$$dir/resources/*  $(JNLP_TESTS_SERVER_DEPLOYDIR)/ ; \
+	  done ; \
 	done ; \
 	mkdir -p stamps && \
 	touch $@
 
+stamps/netx-dist-tests-sign-some-reproducers.stamp: stamps/netx-dist-tests-prepare-reproducers.stamp
+	alias=icedteaweb; \
+	keystore=$(abs_top_builddir)/$(KEYSTORE_NAME); \
+	pass=123456789; \
+	$(BOOT_DIR)/bin/keytool -genkey -alias $$alias -keystore $$keystore -keypass $$pass -storepass $$pass -dname "cn=$$alias, ou=$$alias, o=$$alias, c=$$alias" ; \
+	signedReproducers=(`cat $(abs_top_builddir)/junit-jnlp-dist-signed.txt `); \
+	for dir in "$${signedReproducers[@]}" ; do \
+	 $(BOOT_DIR)/bin/jarsigner -keystore $$keystore -storepass $$pass -keypass $$pass  $(JNLP_TESTS_SERVER_DEPLOYDIR)/$$dir.jar  $$alias ; \
+ 	done ; \
+ 	mkdir -p stamps && \
+ 	touch $@
+
 netx-dist-tests-source-files.txt:
 	find $(JNLP_TESTS_ENGINE_SRCDIR) -name '*.java' | sort > $@
 
 stamps/netx-dist-tests-compile.stamp: stamps/netx.stamp \
- junit-jnlp-dist-dirs.txt netx-dist-tests-source-files.txt
+ stamps/junit-jnlp-dist-dirs netx-dist-tests-source-files.txt
 	$(BOOT_DIR)/bin/javac $(IT_JAVACFLAGS) \
 	 -d $(JNLP_TESTS_ENGINE_DIR) \
 	 -classpath $(JUNIT_JAR):$(NETX_DIR)/lib/classes.jar \
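
Review bot: in the new stamps/netx-dist-tests-sign-some-reproducers.stamp recipe the keytool and jarsigner calls are joined with `;`, so their exit status is discarded and `touch $@` still runs when key generation or signing failed. The tests would then run against unsigned jars while the stamp says they are signed. Chaining keytool with `&&` and putting `|| exit 1` after the jarsigner call inside the loop would stop the build at the failing step. Two smaller points in the same recipe: the keystore password is the literal `pass=123456789` handed to -storepass/-keypass on the command line, which is acceptable for a throwaway test key but deserves a comment saying the key is test-only; and the last three added lines (`done`, `mkdir -p stamps`, `touch $@`) start with a space before the tab, unlike the rest of the recipe.
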
@@ -495,19 +518,22 @@
 	mkdir -p stamps && \
 	touch $@
 
-stamps/netx-dist-tests-compile-testcases.stamp: stamps/netx.stamp junit-jnlp-dist-dirs.txt\
+stamps/netx-dist-tests-compile-testcases.stamp: stamps/netx.stamp stamps/junit-jnlp-dist-dirs \
  netx-dist-tests-source-files.txt stamps/netx-dist-tests-compile.stamp
-	simpleReproducers=(`cat $(abs_top_builddir)/junit-jnlp-dist-dirs.txt `); \
-	for dir in "$${simpleReproducers[@]}" ; do \
-	  $(BOOT_DIR)/bin/javac $(IT_JAVACFLAGS) \
-	  -d $(JNLP_TESTS_ENGINE_DIR) \
-	  -classpath $(JUNIT_JAR):$(NETX_DIR)/lib/classes.jar:$(JNLP_TESTS_ENGINE_DIR) \
-	  $(JNLP_TESTS_SRCDIR)/simple/$$dir/testcases/* ; \
+	types=(simple signed); \
+	for which in "$${types[@]}" ; do \
+	  simpleReproducers=(`cat $(abs_top_builddir)/junit-jnlp-dist-$$which.txt `); \
+	  for dir in "$${simpleReproducers[@]}" ; do \
+	    $(BOOT_DIR)/bin/javac $(IT_JAVACFLAGS) \
+	    -d $(JNLP_TESTS_ENGINE_DIR) \
+	    -classpath $(JUNIT_JAR):$(NETX_DIR)/lib/classes.jar:$(JNLP_TESTS_ENGINE_DIR) \
+	    $(JNLP_TESTS_SRCDIR)/$$which/$$dir/testcases/* ; \
+	  done ; \
 	done ; \
 	mkdir -p stamps && \
 	touch $@
 
-run-netx-dist-tests: all-local stamps/netx.stamp junit-jnlp-dist-dirs.txt stamps/netx-dist-tests-prepare-reproducers.stamp \
+run-netx-dist-tests: all-local stamps/netx.stamp stamps/junit-jnlp-dist-dirs stamps/netx-dist-tests-sign-some-reproducers.stamp \
  stamps/netx-dist-tests-compile.stamp stamps/netx-dist-tests-compile-testcases.stamp $(JUNIT_RUNNER_JAR) $(TESTS_DIR)/$(REPORT_STYLES_DIRNAME)
 	cd $(JNLP_TESTS_ENGINE_DIR) ; \
 	class_names= ; \
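
Review bot: the array in stamps/netx-dist-tests-compile-testcases.stamp is still named simpleReproducers although on the second pass of `for which in "$${types[@]}"` it holds the signed list. A neutral name such as reproducers, used here and in the prepare-reproducers recipe, would match what the loop now does. The javac call inside the loop still ends in `;`, as it did before this change, so a testcase that fails to compile does not stop the target before `touch $@`.
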
@@ -590,10 +616,14 @@
 	rm -rf $(JNLP_TESTS_DIR)
 	rm -rf $(JNLP_TESTS_SERVER_DEPLOYDIR)
 	rm -rf $(JNLP_TESTS_ENGINE_DIR)
+	rm -f stamps/junit-jnlp-dist-dirs
 	rm -f stamps/netx-dist-tests-compile.stamp
 	rm -f stamps/netx-dist-tests-prepare-reproducers.stamp
 	rm -f stamps/netx-dist-tests-compile-testcases.stamp
-	rm -f junit-jnlp-dist-dirs.txt
+	rm -f stamps/netx-dist-tests-sign-some-reproducers.stamp
+	rm -f junit-jnlp-dist-simple.txt
+	rm -f junit-jnlp-dist-signed.txt
+	rm -f $(abs_top_builddir)/$(KEYSTORE_NAME)
 
 # plugin tests
 
@@ -635,6 +665,20 @@
 	ln -sf $(JAR) $(BOOT_DIR)/bin/jar
 	ln -sf $(abs_top_builddir)/javac $(BOOT_DIR)/bin/javac
 	ln -sf $(JAVADOC) $(BOOT_DIR)/bin/javadoc
+	if [ -e "$(KEYTOOL)" ] ; then \
+	  ln -sf $(KEYTOOL) $(BOOT_DIR)/bin/keytool ;\
+	else \
+	  echo "#! /bin/sh" > $(BOOT_DIR)/bin/keytool ;\
+	  echo "echo \"keytool not exist on your system, signed part of reproducers test will fail\"" >> $(BOOT_DIR)/bin/keytool ;\
+	  chmod 777 $(BOOT_DIR)/bin/keytool ;\
+	fi
+	if [ -e "$(JARSIGNER)" ] ; then \
+	  ln -sf $(JARSIGNER) $(BOOT_DIR)/bin/jarsigner ;\
+	else \
+	  echo "#! /bin/sh" > $(BOOT_DIR)/bin/jarsigner ;\
+	  echo "echo \"jarsigner not exist on your system, signed part of reproducers test will fail\"" >> $(BOOT_DIR)/bin/jarsigner ;\
+	  chmod 777 $(BOOT_DIR)/bin/jarsigner ;\
+	fi
 	mkdir -p $(BOOT_DIR)/jre/lib && \
 	ln -s $(SYSTEM_JRE_DIR)/lib/rt.jar $(BOOT_DIR)/jre/lib && \
 	if [ -e $(SYSTEM_JRE_DIR)/lib/jsse.jar ] ; then \
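
Review bot: the fallback stubs written to $(BOOT_DIR)/bin/keytool and $(BOOT_DIR)/bin/jarsigner are made world-writable with `chmod 777`; an executable script that any local user can rewrite and that the build later runs should be `chmod 755` at most. The stubs also only echo the "will fail" message and then exit 0, so the signing recipe sees success; adding `echo "exit 1"` to each stub would make the missing tool an actual failure instead of a line in the log.
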
diff -r e9a9792ee189 acinclude.m4
--- a/acinclude.m4	Thu Sep 15 15:27:40 2011 +0200
+++ b/acinclude.m4	Thu Sep 22 14:29:14 2011 +0200
@@ -655,6 +655,64 @@
   AC_SUBST(JAVA)
 ])
 
+AC_DEFUN_ONCE([IT_FIND_KEYTOOL],
+[
+  AC_REQUIRE([IT_CHECK_FOR_JDK])
+  AC_MSG_CHECKING([for keytool])
+  AC_ARG_WITH([keytool],
+              [AS_HELP_STRING(--with-keytool,specify location of keytool for signed part of run-netx-dist)],
+  [
+    if test "${withval}" = "yes" ; then 
+      KEYTOOL=${SYSTEM_JDK_DIR}/bin/keytool  
+    else 
+      KEYTOOL="${withval}"
+    fi
+  ],
+  [
+    KEYTOOL=${SYSTEM_JDK_DIR}/bin/keytool
+  ])
+  if ! test -f "${KEYTOOL}"; then
+    AC_PATH_PROG(KEYTOOL, keytool)
+  fi
+  if ! test -f "${KEYTOOL}"; then
+    KEYTOOL=""
+  fi
+  if test -z "${KEYTOOL}" ; then
+     AC_MSG_WARN("keytool not found so signed part of run-netx-dist will fail")
+  fi
+  AC_MSG_RESULT(${KEYTOOL})
+  AC_SUBST(KEYTOOL)
+])
+
+AC_DEFUN_ONCE([IT_FIND_JARSIGNER],
+[
+  AC_REQUIRE([IT_CHECK_FOR_JDK])
+  AC_MSG_CHECKING([for jarsigner])
+  AC_ARG_WITH([jarsigner],
+              [AS_HELP_STRING(--with-jarsigner,specify location of jarsigner for signed part od run-netx-dist)],
+  [
+    if test "${withval}" = "yes" ; then 
+      JARSIGNER=${SYSTEM_JDK_DIR}/bin/jarsigner  
+    else 
+      JARSIGNER="${withval}"
+    fi
+  ],
+  [
+    JARSIGNER=${SYSTEM_JDK_DIR}/bin/jarsigner
+  ])
+  if ! test -f "${JARSIGNER}"; then
+    AC_PATH_PROG(JARSIGNER, jarsigner,"")
+  fi
+  if ! test -f "${JARSIGNER}"; then
+    JARSIGNER=""
+  fi
+  if test -z "${JARSIGNER}"; then
+     AC_MSG_WARN("jarsigner not found so signed part of run-netx-dist will fail")
+  fi
+  AC_MSG_RESULT(${JARSIGNER})
+  AC_SUBST(JARSIGNER)
+])
+
 AC_DEFUN([IT_FIND_JAVADOC],
 [
   AC_REQUIRE([IT_CHECK_FOR_JDK])
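
Review bot: the PATH fallback in IT_FIND_KEYTOOL and IT_FIND_JARSIGNER is unlikely to take effect, because AC_PATH_PROG keeps a variable that already holds an absolute path, and KEYTOOL/JARSIGNER have just been set to ${SYSTEM_JDK_DIR}/bin/... at that point. Clearing the variable (`KEYTOOL=""`) inside the first `if ! test -f` before calling AC_PATH_PROG would let the search run. Smaller points: the two macros call AC_PATH_PROG differently (`AC_PATH_PROG(KEYTOOL, keytool)` versus `AC_PATH_PROG(JARSIGNER, jarsigner,"")`), AC_MSG_WARN is emitted between AC_MSG_CHECKING and AC_MSG_RESULT so the configure output will be interleaved, and the --with-jarsigner help string reads "signed part od run-netx-dist".
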
diff -r e9a9792ee189 configure.ac
--- a/configure.ac	Thu Sep 15 15:27:40 2011 +0200
+++ b/configure.ac	Thu Sep 22 14:29:14 2011 +0200
@@ -33,6 +33,8 @@
 FIND_JAR
 FIND_ECJ_JAR
 IT_FIND_JAVADOC
+IT_FIND_KEYTOOL
+IT_FIND_JARSIGNER
 AC_CONFIG_FILES([javac], [chmod +x javac])
 
 IT_SET_VERSION
diff -r e9a9792ee189 tests/jnlp_tests/README
--- a/tests/jnlp_tests/README	Thu Sep 15 15:27:40 2011 +0200
+++ b/tests/jnlp_tests/README	Thu Sep 22 14:29:14 2011 +0200
@@ -1,2 +1,10 @@
-Each file in directory simple must follows naming convention and is compiled/jared automatically into server's working directory and content of resources likewise. The name of jnlp is independent, and there can be even more jnlps for each future jar.  Directories should be honored in srcs and in resources, but noty in testcases.
-Files in advanced directory have to care about themselves, but even those can have some parts inside simple directory, so some parts of them are processed automatically.  There are three reproducers – simpletest1, simpletest2 and deadlocktest, which tests test’s suite itself and serve as examples of behaviour.
+Each file in directory simple must follows hierarchy conventions and is compiled/jared 
+ automatically into server's working directory and content of resources likewise. 
+ The name of jnlp is independent, and there can be even more jnlps for each future jar.
+Directories are honored in srcs and in resources, but noty in testcases.
+Directories in signed hande their content in similar way as simle's content is handled,
+ but in addition final jars are signed with simple testkey.
+Files in advanced directory have to care about themselves, but even those can have some
+ parts inside simple directory, so some parts of them are processed automatically.
+ There are three reproducers – simpletest1, simpletest2 and deadlocktest, which tests 
+ test’s suite itself and serve as examples of behaviour.
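
Review bot: the added README lines carry several typos ("must follows", "noty", "hande", "simle's") that are worth fixing before the push since this file is the only documentation of the layout. The paragraph on the signed directory could also say that keytool and jarsigner are needed, and that the jars are signed with a key generated at build time into the keystore named by KEYSTORE_NAME, so a reader knows where the "simple testkey" comes from.
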
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: signedReproducersExample
Url: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20110922/374a5e90/signedReproducersExample.ksh 

