[icedtea-web][rfc] Reproducer for PR1112

Adam Domurad adomurad at redhat.com
Mon Aug 27 12:22:52 PDT 2012 

Updated patch attached. 

On Tue, 2012-08-21 at 13:45 +0200, Jiri Vanek wrote:
> On 08/20/2012 08:11 PM, Adam Domurad wrote:
> > Hi all. This reproduces the problem behind PR1112, icedtea-web fails to
> > load a main-class from a signed jar that points to another jar via
> > META-INF/INDEX.LIST. This only occurs for signed jars and only when the
> > main class is in the jar loaded by INDEX.LIST
> 
> Good reproducer, thanx for it. Except the issue with "in tmp compilation" just few minor stuff and 
> one issue with certificate.
> 
> I would recommend to wait with push until the "tmp issue" is resolved.  Also before push, please do 
> not forget changelog or hg add ;) (and do not add to much ;)

I have attempted a make in a temporary directory. Attached is how the
new patch looks. There is some added complexity due to the fact that
makefiles do not respond to 'cd' unless you string together commands
with ";\". Please comment if you think the (slight) added complexity is
worthwhile. I think its fine if a little bit error prone. 

> >
> ..loong snip...
> > +    public static void main(String[] args) {
> > +        System.out.println("Program Executed Correctly.");
> > +    }
> > +}
> > diff --git a/tests/reproducers/custom/AdditionalJarsInMetaInfIndexList/srcs/Makefile b/tests/reproducers/custom/AdditionalJarsInMetaInfIndexList/srcs/Makefile
> > new file mode 100644
> > --- /dev/null
> > +++ b/tests/reproducers/custom/AdditionalJarsInMetaInfIndexList/srcs/Makefile
> > @@ -0,0 +1,66 @@
> > +TESTNAME=AdditionalJarsInMetaInfIndexList
> > +ARCHIVE_TEST_FOLDER=archive_tag_folder_test
> > +
> > +JAVAC_CLASSPATH=$(JNLP_TESTS_ENGINE_DIR):$(NETX_DIR)/lib/classes.jar
> > +KEYTOOL=$(BOOT_DIR)/bin/keytool
> > +JARSIGNER=$(BOOT_DIR)/bin/jarsigner
> > +JAVAC=$(BOOT_DIR)/bin/javac
> > +JAR=$(BOOT_DIR)/bin/jar
> > +
> > +# File used because the 'jar' command does not accept an empty file
> > +DUMMY_FILE=jar_dummy_content
> > +
> > +# Index jar causes main class jar to load
> > +INDEX_JAR_UNSIGNED=AdditionalJarsInMetaInfIndexListUnsigned.jar
> > +INDEX_JAR_SIGNED=AdditionalJarsInMetaInfIndexListSigned.jar
> > +
> > +MAINCLASS=LoadedViaMetaInfIndexList
> > +
> > +MAINCLASS_JAR_UNSIGNED=LoadedViaMetaInfIndexListUnsigned.jar
> > +MAINCLASS_JAR_SIGNED=LoadedViaMetaInfIndexListSigned.jar
> > +
> > +KEYALIAS=$(TESTNAME)_alias
> > +KEYSTORE=$(PRIVATE_KEYSTORE_NAME)
> > +
> > +prepare-reproducer:
> > +	echo PREPARING REPRODUCER $(TESTNAME)
> > +	$(JAVAC) -classpath $(JAVAC_CLASSPATH) $(MAINCLASS).java
> > +	echo "This file exists because jar command does not take 0 args" > $(DUMMY_FILE)
> > +	
> > +	# Create the jar which has INDEX.LIST
> > +	$(JAR) cvf $(INDEX_JAR_UNSIGNED) $(DUMMY_FILE)
> > +	$(JAR) cvf $(INDEX_JAR_SIGNED) $(DUMMY_FILE)
> > +	
> > +	# Create the jar which has the main-class
> > +	$(JAR) cvf $(MAINCLASS_JAR_UNSIGNED) $(MAINCLASS).class
> > +	$(JAR) cvf $(MAINCLASS_JAR_SIGNED) $(MAINCLASS).class
> > +	
> > +	# Update JAR_WITH_INDEX_LIST's index
> > +	$(JAR) i $(INDEX_JAR_UNSIGNED) $(MAINCLASS_JAR_UNSIGNED)
> > +	$(JAR) i $(INDEX_JAR_SIGNED) $(MAINCLASS_JAR_SIGNED)
> > +	
> > +	# Sign the signed jars
> > +	
> > +	tcaw=$(KEYALIAS) ;\
> > +	$(BOOT_DIR)/bin/keytool -genkey -alias $$tcaw -keystore $(KEYSTORE) -keypass $(PRIVATE_KEYSTORE_PASS) \
> > +	 	-storepass $(PRIVATE_KEYSTORE_PASS) -dname "cn=$$tcaw, ou=$$tcaw, o=$$tcaw, c=$$tcaw" ; \
> > +	for jar_to_sign in $(MAINCLASS_JAR_SIGNED) $(INDEX_JAR_SIGNED); do \
> > +	   $(BOOT_DIR)/bin/jarsigner -keystore $(KEYSTORE) -storepass $(PRIVATE_KEYSTORE_PASS) \
> > +		-keypass $(PRIVATE_KEYSTORE_PASS) "$$jar_to_sign"  $$tcaw ; \
> > +	done
> > +	
> > +	# Move jars into deployment directory
> > +	mv $(INDEX_JAR_UNSIGNED) $(JNLP_TESTS_SERVER_DEPLOYDIR)
> > +	mv $(INDEX_JAR_SIGNED) $(JNLP_TESTS_SERVER_DEPLOYDIR)
> > +	mv $(MAINCLASS_JAR_UNSIGNED) $(JNLP_TESTS_SERVER_DEPLOYDIR)
> > +	mv $(MAINCLASS_JAR_SIGNED) $(JNLP_TESTS_SERVER_DEPLOYDIR)
> > +	
> > +	echo PREPARED REPRODUCER $(TESTNAME)
> > +
> > +clean-reproducer:
> > +	echo CLEANING REPRODUCER $(TESTNAME)
> > +	rm $(MAINCLASS).class
> > +	rm $(DUMMY_FILE)
> > +	rm $(KEYSTORE)
> > +	echo CLEANED REPRODUCER $(TESTNAME)
> > +
> 
> Just ensuring - all variables used here are correctly exported yap?
yes
> 
> Is there any reason why not to reuse already existing certificate? The keystores should be existing 
> in time of custom reproducers prepare phase - if they are not, then it is bug.
> I would strongly recommend to reuse certificate - you will be spared of a lot of work imho.
> If yo need to export some more variables for your reproducer, feel free to do so!
The new patch exports TOP_BUILD_DIR=abs_top_build_dir. Please comment on
the name/appropriateness of exporting this.
> 
> Also  do not forget that there is possibility to have more signed directorates and each one have its 
> own certificate - just reminding it (as name of certificate can be misleading then) - 
> http://icedtea.classpath.org/hg/icedtea-web/rev/017d474ea1e5  :)
> 
> > diff --git a/tests/reproducers/custom/AdditionalJarsInMetaInfIndexList/testcases/AdditionalJarsInMetaInfIndexListTests.java b/tests/reproducers/custom/AdditionalJarsInMetaInfIndexList/testcases/AdditionalJarsInMetaInfIndexListTests.java
> > new file mode 100644
> > --- /dev/null
> ...
> > +
> > +import org.junit.Test;
> > +
> > +public class AdditionalJarsInMetaInfIndexListTests extends BrowserTest {
> > +
> > +    private static ServerAccess server = new ServerAccess();
> > +    private static final List<String> TRUSTALL = Collections.unmodifiableList(Arrays.asList(new String[] { "-Xtrustall" }));
> > +
> > +    @Test
> > +    @Bug(id = "PR1112")
> > +    public void SignedMetaInfIndexListTest() throws Exception {
> > +        final String CORRECT_EXEC = "Program Executed Correctly.";
> > +        ProcessResult pr = server.executeJavawsHeadless(null, "/AdditionalJarsInMetaInfIndexListSigned.jnlp");
> 
> You do not need this null
> There should be just server.executeJavawsHeadless("/AdditionalJarsInMetaInfIndexListSigned.jnlp"); 
> possibility.
> 
> But as you wish;)
Removed
> 
> > +        assertTrue("LoadedViaMetaInfIndexList's stdout should contain " + CORRECT_EXEC + " but did not.", pr.stdout.contains(CORRECT_EXEC));
> > +    }
> > +
> > +    @Test
> > +    public void UnsignedMetaInfIndexListTest() throws Exception {
> > +        final String CORRECT_EXEC = "Program Executed Correctly.";
> > +        ProcessResult pr = server.executeJavawsHeadless(TRUSTALL, "/AdditionalJarsInMetaInfIndexListUnsigned.jnlp");
> > +        assertTrue("LoadedViaMetaInfIndexList's stdout should contain " + CORRECT_EXEC + " but did not.", pr.stdout.contains(CORRECT_EXEC));
> > +    }
> > +}
> >
> 
> 
> Best regards from CZ,
>     J.
Thanks for the quality control!
- Adam
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jars-from-index-list2.patch
Type: text/x-patch
Size: 14312 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20120827/5ee5f75c/jars-from-index-list2.patch

More information about the distro-pkg-dev mailing list