code review request: 7081783: jarsigner error when no $HOME/.keystore

Xuelei Fan xuelei.fan at oracle.com
Tue Aug 30 13:52:29 UTC 2011 

1. Do you want to add more debug info? line 1509-1511:
+            if (debug) {
+                e.printStackTrace();
+            }

2. It looks a little strange to me that even if there is Runtime
exception, we still do some additional work in final block.

3. I try hard to understand the code how to solve the issue. It is not
easy for me to understand why the update works. I'm thinking, is it
possible to ignore user_home/.keystore instead of try to load it when
the file does not exist (File.exists() or catch FileNotFoundException, etc)?

   The current logic is, "loading keystore from user_home/.keystore".
Can we change to use a refined logic, "if user_home/.keystore exists, we
load the keysore; otherwise, ignore it". I'm not sure the new logic get
the code more complicated, or more intuitive.

Xuelei

On 8/30/2011 12:56 PM, Weijun Wang wrote:
> Hi All
> 
> 7081783: jarsigner error when no $HOME/.keystore
> 
> Webrev is at --
>    http://cr.openjdk.java.net/~weijun/7081783/webrev.00/
> 
> Description:
> 
> jarsigner includes a certpath validation check, and shows a warning when
> the check fails. The CertPathValidator object, unfortunately, is
> initialized in a method that can only be executed if a local keystore is
> found (either ~/.keystore or specified by -keystore). Therefore, if
> there is no local keystore but the jarfile's signer can be directly
> verified by a cert in cacerts, we still see:
> 
>    Warning:
>    This jar contains entries whose certificate chain is not validated.
> 
> The code changes make sure the CertPathValidator object is always
> initialized.
> 
> For reg test, it's a simple call --
> 
> ${TESTJAVA}${FS}bin${FS}jarsigner \
>         -J-Duser.home=. \
>         -verify -strict ${TESTSRC}${FS}bootstrap.jar
> 
> Here I override user.home so that even if the test machine has a
> ./keystore, it won't be affected. The bootstrap.jar file is a small
> signed jar that is signed by a real CA that can be chained into an item
> in cacerts.
> 
> Thanks
> Max
>

More information about the security-dev mailing list