[jdk8u-dev] RFR: 8269039: Disable SHA-1 Signed JARs [v2]

Alexey Bakhtin abakhtin at openjdk.org
Wed Nov 16 15:58:25 UTC 2022


On Tue, 15 Nov 2022 16:52:35 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   test fixes
>
> Hi @alexeybakhtin ,
> 
> Thanks for proposing this backport.
> 
> In addition to the inlined comments, I have this additional observation:
> 
>  * `jdk/test/sun/security/tools/jarsigner/oldsig.sh` is using SHA1, as well as JDK-11's OldSig.java. The security properties file that is now passed has the following comment: "Re-enable SHA-1 since OldSig.java test uses it". You mentioned 8217375 as the reason why changes are not required for the backport, but I'm having difficulty finding the connection and wonder if we should re-enable SHA1 for `oldsig.sh`. Can you please elaborate a bit on this?
> 
> Thanks,
> Martin.-

Hello @martinuy

> jdk/test/java/security/Security/signedfirst/DynStatic.java line 36:
> 
>> 34: import java.util.List;
>> 35: 
>> 36: import jdk.test.lib.process.ProcessTools;
> 
> The `ProcessTools` class in JDK-8 has always been `jdk.testlibrary.ProcessTools`. To use it, you would only need `@library /lib/testlibrary` in the test's JTREG header. Unfortunately, one backport -which I presume to be JFR- introduced the same class, from a newer JDK release, at a different location. So we now have duplicated code for this test library and it is causing confusion: I can now see a couple of TLS tests using this library when they shouldn't. Until we get rid of this technical debt, I suggest that all JDK-8 tests keep using `jdk.testlibrary.ProcessTools`.

Thank you. You are right. jdk.testlibrary.ProcessTools is a better choice even if some modifications are required.
Fixed

> jdk/test/sun/security/tools/jarsigner/TimestampCheck.java line 461:
> 
>> 459:                         .shouldMatch("Timestamp.*digest.*SHA-1.*(disabled)");
>> 460: 
>> 461:                 // Disabled algorithms
> 
> Isn't this comment removed?

Thank you. Fixed

-------------

PR: https://git.openjdk.org/jdk8u-dev/pull/154

