Code review request: 7163483 JarSigner -verify -verbose does not format date string according to locale

Weijun Wang weijun.wang at oracle.com
Wed Apr 25 11:48:38 UTC 2012 

Hi Jonathan

I'm using English.

In your test all the files have a similar modified time so you cannot 
see the difference. However, in my example, you can see that the widths 
for date and hour are not zero-padded so the width can be either 1 or 2.

French is even worse

smk       76 10 nov. 2009 08:57:54 bin/vbin/go
smk     1149 8 avr. 2012 16:03:20 bin/vbin/netbeans
smk      170 20 nov. 2009 16:47:42 bin/vbin/syncdown
smk      671 8 févr. 2012 20:11:22 bin/vbin/ssh.desktop
smk      187 20 nov. 2009 16:47:34 bin/vbin/syncsf

So here even the width of month abbr can be different.

Thanks
Max


On 04/25/2012 07:09 PM, Jonathan Lu wrote:
> Hello Max,
>
> Terribly sorry for my misunderstanding!
>
> On 04/25/2012 05:39 PM, Weijun Wang wrote:
>>
>>
>> On 04/25/2012 05:23 PM, Jonathan Lu wrote:
>>> Hi Max,
>>>
>>> On 04/25/2012 05:12 PM, Weijun Wang wrote:
>>>>
>>>>
>>>> On 04/25/2012 03:28 PM, Jonathan Lu wrote:
>>>>> Hi Weijun,
>>>>>
>>>>> Thanks for your time, I've updated the webrev, could you please take a
>>>>> look?
>>>>> http://cr.openjdk.java.net/~luchsh/7163483_2/
>>>>>
>>>>> On 04/24/2012 03:06 PM, Weijun Wang wrote:
>>>>>> Hi Jonathan
>>>>>>
>>>>>> Some comments:
>>>>>>
>>>>>> 1. Can you be sure that the new format always has the same length?
>>>>>> jarsigner tries to output in a tabular style and each column
>>>>>> should be
>>>>>> aligned.
>>>>>
>>>>> I'm not sure of that, so the test case was updated to compare the
>>>>> first
>>>>> several tokens to determine whether there's any differences in the
>>>>> expression of date time.
>>>>
>>>> Sorry, I didn't make myself clear last time, I was mainly afraid of
>>>> unaligned lines that make the output ugly.
>>>>
>>>> For example:
>>>>
>>>> smk 76 Nov 10, 2009 8:57:54 AM bin/vbin/go
>>>> smk 1149 Apr 8, 2012 4:03:20 PM bin/vbin/netbeans
>>>> smk 170 Nov 20, 2009 4:47:42 PM bin/vbin/syncdown
>>>> smk 671 Feb 8, 2012 8:11:22 PM bin/vbin/ssh.desktop
>>>> smk 187 Nov 20, 2009 4:47:34 PM bin/vbin/syncsf
>>>>
>>>
>>> I think that would not be a problem in the new test case which compares
>>> tokenized strings splited by blank spaces instead of String#equals. Does
>>> that make sense?
>>
>> I'm not talking about the test. It's the output of jarsigner looking
>> ugly.
>>
>> smk 76 Nov 10, 2009 8:57:54 AM bin/vbin/go
>> smk 1149 Apr 8, 2012 4:03:20 PM bin/vbin/netbeans
>> smk 170 Nov 20, 2009 4:47:42 PM bin/vbin/syncdown
>> smk 671 Feb 8, 2012 8:11:22 PM bin/vbin/ssh.desktop
>> smk 187 Nov 20, 2009 4:47:34 PM bin/vbin/syncsf
>>
>> Compare with the current output:
>>
>> smk 76 Tue Nov 10 08:57:54 CST 2009 bin/vbin/go
>> smk 1149 Sun Apr 08 16:03:20 CST 2012 bin/vbin/netbeans
>> smk 170 Fri Nov 20 16:47:42 CST 2009 bin/vbin/syncdown
>> smk 671 Wed Feb 08 20:11:22 CST 2012 bin/vbin/ssh.desktop
>> smk 187 Fri Nov 20 16:47:34 CST 2009 bin/vbin/syncsf
>
> I did not see unaligned format in my testing, did you get these
> unaligned output after applying the patch? From above lines, I see the
> starting indices of date string in each line are always the same, which
> is achieved by jarsigner, but the length of the date strings are not the
> same, which locale were you testing on?
>
>>
>> Thanks
>> Max
>>
>>>
>>>> Thanks
>>>> Max
>>>>
>>>>>
>>>>>>
>>>>>> 2. You might need to reformat the modified line to make it fit
>>>>>> into 80
>>>>>> characters width.
>>>>>>
>>>>>> 3. Why not include the test inside the changeset?
>>>>> 2, 3 were done in the new patch
>>>>>>
>>>>>> Thanks
>>>>>> Max
>>>>>>
>>>>>>
>>>>>> On 04/23/2012 05:46 PM, Jonathan Lu wrote:
>>>>>>> Hello security-dev,
>>>>>>>
>>>>>>> Here's a patch for bug 7163483, could anybody please help to take a
>>>>>>> look?
>>>>>>> http://cr.openjdk.java.net/~luchsh/7163483/
>>>>>>>
>>>>>>> The problem is that command "jarsigner -verify -verbose my.jar"
>>>>>>> does not
>>>>>>> format date string according to current locale. following simple
>>>>>>> test
>>>>>>> case can be used to disclose this problem.
>>>>>>>
>>>>>>> /*
>>>>>>> * Copyright (c) 2012 Oracle and/or its affiliates. All rights
>>>>>>> reserved.
>>>>>>> * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
>>>>>>> *
>>>>>>> * This code is free software; you can redistribute it and/or
>>>>>>> modify it
>>>>>>> * under the terms of the GNU General Public License version 2
>>>>>>> only, as
>>>>>>> * published by the Free Software Foundation.
>>>>>>> *
>>>>>>> * This code is distributed in the hope that it will be useful, but
>>>>>>> WITHOUT
>>>>>>> * ANY WARRANTY; without even the implied warranty of
>>>>>>> MERCHANTABILITY or
>>>>>>> * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
>>>>>>> License
>>>>>>> * version 2 for more details (a copy is included in the LICENSE file
>>>>>>> that
>>>>>>> * accompanied this code).
>>>>>>> *
>>>>>>> * You should have received a copy of the GNU General Public License
>>>>>>> version
>>>>>>> * 2 along with this work; if not, write to the Free Software
>>>>>>> Foundation,
>>>>>>> * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
>>>>>>> *
>>>>>>> * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA
>>>>>>> 94065
>>>>>>> USA
>>>>>>> * or visit www.oracle.com if you need additional information or
>>>>>>> have any
>>>>>>> * questions.
>>>>>>> */
>>>>>>>
>>>>>>> /*
>>>>>>> * Portions Copyright (c) 2012 IBM Corporation
>>>>>>> */
>>>>>>>
>>>>>>>
>>>>>>> import java.io.ByteArrayOutputStream;
>>>>>>> import java.io.PrintStream;
>>>>>>> import java.util.Locale;
>>>>>>> import sun.security.tools.JarSigner;
>>>>>>>
>>>>>>> public class bug7163483 {
>>>>>>>
>>>>>>> public static void main(String[] args) throws Exception {
>>>>>>> final String[] arg = { "-verify", "-verbose",
>>>>>>> System.getProperty("java.home")+"/lib/jce.jar"};
>>>>>>>
>>>>>>> ByteArrayOutputStream stream = new ByteArrayOutputStream(1024*64);
>>>>>>> PrintStream out = new PrintStream(stream);
>>>>>>> System.setOut(out);
>>>>>>>
>>>>>>> Locale.setDefault(Locale.GERMAN);
>>>>>>> JarSigner js = new JarSigner();
>>>>>>> js.run(arg);
>>>>>>>
>>>>>>> out.flush();
>>>>>>> String s1 = stream.toString();
>>>>>>> s1 = s1.substring(0, s1.length()/2);
>>>>>>> stream.reset();
>>>>>>>
>>>>>>> Locale.setDefault(Locale.FRANCE);
>>>>>>> js = new JarSigner();
>>>>>>> js.run(arg);
>>>>>>>
>>>>>>> out.flush();
>>>>>>> String s2 = stream.toString();
>>>>>>> s2 = s2.substring(0, s2.length()/2);
>>>>>>>
>>>>>>> if (s1.equals(s2)) {
>>>>>>> System.err.println("Header output for GERMAN locale is:"+s1);
>>>>>>> System.err.println("Header output for FRANCE locale is:"+s2);
>>>>>>> throw new RuntimeException(
>>>>>>> "JarSigner verbose outputs are the same after setting locale!!");
>>>>>>> } else {
>>>>>>> System.err.println("Header output for GERMAN locale is:"+s1);
>>>>>>> System.err.println("Header output for FRANCE locale is:"+s2);
>>>>>>> System.err.println("Test passed!");
>>>>>>> }
>>>>>>> }
>>>>>>> }
>>>>>>>
>>>>>>> Thanks and best regards!
>>>>>>> - Jonathan Lu
>>>>>>>
>>>>>>
>>>>>
>>>>> Best regards!
>>>>> - Jonathan
>>>>>
>>>>
>>> Thanks & regards!
>>> - Jonathan
>>>
>>
>
> Thanks
> - Jonathan
>

More information about the security-dev mailing list