Code review request: 7163483 JarSigner -verify -verbose does not format date string according to locale

Jonathan Lu luchsh at linux.vnet.ibm.com
Wed Apr 25 11:09:41 UTC 2012 

Hello Max,

Terribly sorry for my misunderstanding!

On 04/25/2012 05:39 PM, Weijun Wang wrote:
>
>
> On 04/25/2012 05:23 PM, Jonathan Lu wrote:
>> Hi Max,
>>
>> On 04/25/2012 05:12 PM, Weijun Wang wrote:
>>>
>>>
>>> On 04/25/2012 03:28 PM, Jonathan Lu wrote:
>>>> Hi Weijun,
>>>>
>>>> Thanks for your time, I've updated the webrev, could you please take a
>>>> look?
>>>> http://cr.openjdk.java.net/~luchsh/7163483_2/
>>>>
>>>> On 04/24/2012 03:06 PM, Weijun Wang wrote:
>>>>> Hi Jonathan
>>>>>
>>>>> Some comments:
>>>>>
>>>>> 1. Can you be sure that the new format always has the same length?
>>>>> jarsigner tries to output in a tabular style and each column 
>>>>> should be
>>>>> aligned.
>>>>
>>>> I'm not sure of that, so the test case was updated to compare the 
>>>> first
>>>> several tokens to determine whether there's any differences in the
>>>> expression of date time.
>>>
>>> Sorry, I didn't make myself clear last time, I was mainly afraid of
>>> unaligned lines that make the output ugly.
>>>
>>> For example:
>>>
>>> smk 76 Nov 10, 2009 8:57:54 AM bin/vbin/go
>>> smk 1149 Apr 8, 2012 4:03:20 PM bin/vbin/netbeans
>>> smk 170 Nov 20, 2009 4:47:42 PM bin/vbin/syncdown
>>> smk 671 Feb 8, 2012 8:11:22 PM bin/vbin/ssh.desktop
>>> smk 187 Nov 20, 2009 4:47:34 PM bin/vbin/syncsf
>>>
>>
>> I think that would not be a problem in the new test case which compares
>> tokenized strings splited by blank spaces instead of String#equals. Does
>> that make sense?
>
> I'm not talking about the test. It's the output of jarsigner looking 
> ugly.
>
> smk       76 Nov 10, 2009 8:57:54 AM bin/vbin/go
> smk     1149 Apr 8, 2012 4:03:20 PM bin/vbin/netbeans
> smk      170 Nov 20, 2009 4:47:42 PM bin/vbin/syncdown
> smk      671 Feb 8, 2012 8:11:22 PM bin/vbin/ssh.desktop
> smk      187 Nov 20, 2009 4:47:34 PM bin/vbin/syncsf
>
> Compare with the current output:
>
> smk       76 Tue Nov 10 08:57:54 CST 2009 bin/vbin/go
> smk     1149 Sun Apr 08 16:03:20 CST 2012 bin/vbin/netbeans
> smk      170 Fri Nov 20 16:47:42 CST 2009 bin/vbin/syncdown
> smk      671 Wed Feb 08 20:11:22 CST 2012 bin/vbin/ssh.desktop
> smk      187 Fri Nov 20 16:47:34 CST 2009 bin/vbin/syncsf

I did not see unaligned format in my testing, did you get these 
unaligned output after applying the  patch? From above lines, I see the 
starting indices of date string in each line are always the same, which 
is achieved by jarsigner, but the length of the date strings are not the 
same, which locale were you testing on?

>
> Thanks
> Max
>
>>
>>> Thanks
>>> Max
>>>
>>>>
>>>>>
>>>>> 2. You might need to reformat the modified line to make it fit 
>>>>> into 80
>>>>> characters width.
>>>>>
>>>>> 3. Why not include the test inside the changeset?
>>>> 2, 3 were done in the new patch
>>>>>
>>>>> Thanks
>>>>> Max
>>>>>
>>>>>
>>>>> On 04/23/2012 05:46 PM, Jonathan Lu wrote:
>>>>>> Hello security-dev,
>>>>>>
>>>>>> Here's a patch for bug 7163483, could anybody please help to take a
>>>>>> look?
>>>>>> http://cr.openjdk.java.net/~luchsh/7163483/
>>>>>>
>>>>>> The problem is that command "jarsigner -verify -verbose my.jar"
>>>>>> does not
>>>>>> format date string according to current locale. following simple 
>>>>>> test
>>>>>> case can be used to disclose this problem.
>>>>>>
>>>>>> /*
>>>>>> * Copyright (c) 2012 Oracle and/or its affiliates. All rights
>>>>>> reserved.
>>>>>> * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
>>>>>> *
>>>>>> * This code is free software; you can redistribute it and/or 
>>>>>> modify it
>>>>>> * under the terms of the GNU General Public License version 2 
>>>>>> only, as
>>>>>> * published by the Free Software Foundation.
>>>>>> *
>>>>>> * This code is distributed in the hope that it will be useful, but
>>>>>> WITHOUT
>>>>>> * ANY WARRANTY; without even the implied warranty of
>>>>>> MERCHANTABILITY or
>>>>>> * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public 
>>>>>> License
>>>>>> * version 2 for more details (a copy is included in the LICENSE file
>>>>>> that
>>>>>> * accompanied this code).
>>>>>> *
>>>>>> * You should have received a copy of the GNU General Public License
>>>>>> version
>>>>>> * 2 along with this work; if not, write to the Free Software
>>>>>> Foundation,
>>>>>> * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
>>>>>> *
>>>>>> * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 
>>>>>> 94065
>>>>>> USA
>>>>>> * or visit www.oracle.com if you need additional information or
>>>>>> have any
>>>>>> * questions.
>>>>>> */
>>>>>>
>>>>>> /*
>>>>>> * Portions Copyright (c) 2012 IBM Corporation
>>>>>> */
>>>>>>
>>>>>>
>>>>>> import java.io.ByteArrayOutputStream;
>>>>>> import java.io.PrintStream;
>>>>>> import java.util.Locale;
>>>>>> import sun.security.tools.JarSigner;
>>>>>>
>>>>>> public class bug7163483 {
>>>>>>
>>>>>> public static void main(String[] args) throws Exception {
>>>>>> final String[] arg = { "-verify", "-verbose",
>>>>>> System.getProperty("java.home")+"/lib/jce.jar"};
>>>>>>
>>>>>> ByteArrayOutputStream stream = new ByteArrayOutputStream(1024*64);
>>>>>> PrintStream out = new PrintStream(stream);
>>>>>> System.setOut(out);
>>>>>>
>>>>>> Locale.setDefault(Locale.GERMAN);
>>>>>> JarSigner js = new JarSigner();
>>>>>> js.run(arg);
>>>>>>
>>>>>> out.flush();
>>>>>> String s1 = stream.toString();
>>>>>> s1 = s1.substring(0, s1.length()/2);
>>>>>> stream.reset();
>>>>>>
>>>>>> Locale.setDefault(Locale.FRANCE);
>>>>>> js = new JarSigner();
>>>>>> js.run(arg);
>>>>>>
>>>>>> out.flush();
>>>>>> String s2 = stream.toString();
>>>>>> s2 = s2.substring(0, s2.length()/2);
>>>>>>
>>>>>> if (s1.equals(s2)) {
>>>>>> System.err.println("Header output for GERMAN locale is:"+s1);
>>>>>> System.err.println("Header output for FRANCE locale is:"+s2);
>>>>>> throw new RuntimeException(
>>>>>> "JarSigner verbose outputs are the same after setting locale!!");
>>>>>> } else {
>>>>>> System.err.println("Header output for GERMAN locale is:"+s1);
>>>>>> System.err.println("Header output for FRANCE locale is:"+s2);
>>>>>> System.err.println("Test passed!");
>>>>>> }
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> Thanks and best regards!
>>>>>> - Jonathan Lu
>>>>>>
>>>>>
>>>>
>>>> Best regards!
>>>> - Jonathan
>>>>
>>>
>> Thanks & regards!
>> - Jonathan
>>
>

Thanks
- Jonathan

More information about the security-dev mailing list