[icedtea-web][rfc] Reproducer for PR1112

Jiri Vanek jvanek at redhat.com
Tue Aug 21 04:45:15 PDT 2012


On 08/20/2012 08:11 PM, Adam Domurad wrote:
> Hi all. This reproduces the problem behind PR1112, icedtea-web fails to
> load a main-class from a signed jar that points to another jar via
> META-INF/INDEX.LIST. This only occurs for signed jars and only when the
> main class is in the jar loaded by INDEX.LIST

Good reproducer, thanx for it. Except the issue with "in tmp compilation" just few minor stuff and 
one issue with certificate.

I would recommend to wait with push until the "tmp issue" is resolved.  Also before push, please do 
not forget changelog or hg add ;) (and do not add to much ;)
>
..loong snip...
> +    public static void main(String[] args) {
> +        System.out.println("Program Executed Correctly.");
> +    }
> +}
> diff --git a/tests/reproducers/custom/AdditionalJarsInMetaInfIndexList/srcs/Makefile b/tests/reproducers/custom/AdditionalJarsInMetaInfIndexList/srcs/Makefile
> new file mode 100644
> --- /dev/null
> +++ b/tests/reproducers/custom/AdditionalJarsInMetaInfIndexList/srcs/Makefile
> @@ -0,0 +1,66 @@
> +TESTNAME=AdditionalJarsInMetaInfIndexList
> +ARCHIVE_TEST_FOLDER=archive_tag_folder_test
> +
> +JAVAC_CLASSPATH=$(JNLP_TESTS_ENGINE_DIR):$(NETX_DIR)/lib/classes.jar
> +KEYTOOL=$(BOOT_DIR)/bin/keytool
> +JARSIGNER=$(BOOT_DIR)/bin/jarsigner
> +JAVAC=$(BOOT_DIR)/bin/javac
> +JAR=$(BOOT_DIR)/bin/jar
> +
> +# File used because the 'jar' command does not accept an empty file
> +DUMMY_FILE=jar_dummy_content
> +
> +# Index jar causes main class jar to load
> +INDEX_JAR_UNSIGNED=AdditionalJarsInMetaInfIndexListUnsigned.jar
> +INDEX_JAR_SIGNED=AdditionalJarsInMetaInfIndexListSigned.jar
> +
> +MAINCLASS=LoadedViaMetaInfIndexList
> +
> +MAINCLASS_JAR_UNSIGNED=LoadedViaMetaInfIndexListUnsigned.jar
> +MAINCLASS_JAR_SIGNED=LoadedViaMetaInfIndexListSigned.jar
> +
> +KEYALIAS=$(TESTNAME)_alias
> +KEYSTORE=$(PRIVATE_KEYSTORE_NAME)
> +
> +prepare-reproducer:
> +	echo PREPARING REPRODUCER $(TESTNAME)
> +	$(JAVAC) -classpath $(JAVAC_CLASSPATH) $(MAINCLASS).java
> +	echo "This file exists because jar command does not take 0 args" > $(DUMMY_FILE)
> +	
> +	# Create the jar which has INDEX.LIST
> +	$(JAR) cvf $(INDEX_JAR_UNSIGNED) $(DUMMY_FILE)
> +	$(JAR) cvf $(INDEX_JAR_SIGNED) $(DUMMY_FILE)
> +	
> +	# Create the jar which has the main-class
> +	$(JAR) cvf $(MAINCLASS_JAR_UNSIGNED) $(MAINCLASS).class
> +	$(JAR) cvf $(MAINCLASS_JAR_SIGNED) $(MAINCLASS).class
> +	
> +	# Update JAR_WITH_INDEX_LIST's index
> +	$(JAR) i $(INDEX_JAR_UNSIGNED) $(MAINCLASS_JAR_UNSIGNED)
> +	$(JAR) i $(INDEX_JAR_SIGNED) $(MAINCLASS_JAR_SIGNED)
> +	
> +	# Sign the signed jars
> +	
> +	tcaw=$(KEYALIAS) ;\
> +	$(BOOT_DIR)/bin/keytool -genkey -alias $$tcaw -keystore $(KEYSTORE) -keypass $(PRIVATE_KEYSTORE_PASS) \
> +	 	-storepass $(PRIVATE_KEYSTORE_PASS) -dname "cn=$$tcaw, ou=$$tcaw, o=$$tcaw, c=$$tcaw" ; \
> +	for jar_to_sign in $(MAINCLASS_JAR_SIGNED) $(INDEX_JAR_SIGNED); do \
> +	   $(BOOT_DIR)/bin/jarsigner -keystore $(KEYSTORE) -storepass $(PRIVATE_KEYSTORE_PASS) \
> +		-keypass $(PRIVATE_KEYSTORE_PASS) "$$jar_to_sign"  $$tcaw ; \
> +	done
> +	
> +	# Move jars into deployment directory
> +	mv $(INDEX_JAR_UNSIGNED) $(JNLP_TESTS_SERVER_DEPLOYDIR)
> +	mv $(INDEX_JAR_SIGNED) $(JNLP_TESTS_SERVER_DEPLOYDIR)
> +	mv $(MAINCLASS_JAR_UNSIGNED) $(JNLP_TESTS_SERVER_DEPLOYDIR)
> +	mv $(MAINCLASS_JAR_SIGNED) $(JNLP_TESTS_SERVER_DEPLOYDIR)
> +	
> +	echo PREPARED REPRODUCER $(TESTNAME)
> +
> +clean-reproducer:
> +	echo CLEANING REPRODUCER $(TESTNAME)
> +	rm $(MAINCLASS).class
> +	rm $(DUMMY_FILE)
> +	rm $(KEYSTORE)
> +	echo CLEANED REPRODUCER $(TESTNAME)
> +

Just ensuring - all variables used here are correctly exported yap?

Is there any reason why not to reuse already existing certificate? The keystores should be existing 
in time of custom reproducers prepare phase - if they are not, then it is bug.
I would strongly recommend to reuse certificate - you will be spared of a lot of work imho.
If yo need to export some more variables for your reproducer, feel free to do so!

Also  do not forget that there is possibility to have more signed directorates and each one have its 
own certificate - just reminding it (as name of certificate can be misleading then) - 
http://icedtea.classpath.org/hg/icedtea-web/rev/017d474ea1e5  :)

> diff --git a/tests/reproducers/custom/AdditionalJarsInMetaInfIndexList/testcases/AdditionalJarsInMetaInfIndexListTests.java b/tests/reproducers/custom/AdditionalJarsInMetaInfIndexList/testcases/AdditionalJarsInMetaInfIndexListTests.java
> new file mode 100644
> --- /dev/null
...
> +
> +import org.junit.Test;
> +
> +public class AdditionalJarsInMetaInfIndexListTests extends BrowserTest {
> +
> +    private static ServerAccess server = new ServerAccess();
> +    private static final List<String> TRUSTALL = Collections.unmodifiableList(Arrays.asList(new String[] { "-Xtrustall" }));
> +
> +    @Test
> +    @Bug(id = "PR1112")
> +    public void SignedMetaInfIndexListTest() throws Exception {
> +        final String CORRECT_EXEC = "Program Executed Correctly.";
> +        ProcessResult pr = server.executeJavawsHeadless(null, "/AdditionalJarsInMetaInfIndexListSigned.jnlp");

You do not need this null
There should be just server.executeJavawsHeadless("/AdditionalJarsInMetaInfIndexListSigned.jnlp"); 
possibility.

But as you wish;)

> +        assertTrue("LoadedViaMetaInfIndexList's stdout should contain " + CORRECT_EXEC + " but did not.", pr.stdout.contains(CORRECT_EXEC));
> +    }
> +
> +    @Test
> +    public void UnsignedMetaInfIndexListTest() throws Exception {
> +        final String CORRECT_EXEC = "Program Executed Correctly.";
> +        ProcessResult pr = server.executeJavawsHeadless(TRUSTALL, "/AdditionalJarsInMetaInfIndexListUnsigned.jnlp");
> +        assertTrue("LoadedViaMetaInfIndexList's stdout should contain " + CORRECT_EXEC + " but did not.", pr.stdout.contains(CORRECT_EXEC));
> +    }
> +}
>


Best regards from CZ,
    J.



More information about the distro-pkg-dev mailing list