[9] request for review: 8049171: Additional tests for jarsigner's warnings

Wang Weijun weijun.wang at oracle.com
Fri Jan 23 02:18:35 UTC 2015


> On Jan 22, 2015, at 19:40, Artem Smotrakov <artem.smotrakov at oracle.com> wrote:
> 
>> I am not sure if I understand updateJar correctly. It looks like srcJarFile is opened multiple times so its entries are duplicated a lot in the destination. Or is there a secret break?
> There is no secret, just a bug. It is not necessary to open srcJarFile multiple times.
> 
> I have updated the webrev; the updateJar() method does the following:
> - creates a new jar file (destJarFilename)
> - puts files which are specified in the files parameter to destJarFilename
> - copies files from srcJarFilename to destJarFilename if there are no files with the same names in destJarFilename

The process above means the new files are added at the beginning. While jarsigner is able to verify such a file (it uses JarFile), the output is actually invalid because the MANIFEST and the signature files must be at the beginning (otherwise a JarInputStream cannot verify it).

The "jar u" way is to copy each old entry into destination unless the entry name is in the updated list where the new file will be read. Finally the untouched files in the updated list are appended.

> 
> Here is an updated webrev with your suggested changes and a couple of others:
> - added @ignore tag for BadKeyUsageTest since it fails due to a bug in JDK
> - updated MultipleWarningsTest test to check ExtendedKeyUsage case instead of KeyUsage

Great.

Thanks
Max

> 
> http://cr.openjdk.java.net/~asmotrak/8049171/webrev.01/
> 
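
The "jar u" ordering described in the reply above, as an added example that is not part of the original message or the webrev. The class name, the updateJar signature and manifestVisibleToStream are hypothetical, the sample jars are constructed, and Java 9 or later is assumed.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;

public class JarUpdateOrder {
    // Hypothetical helper (not the webrev's updateJar): "jar u"-style update that keeps entry order.
    static void updateJar(Path src, Path dest, Map<String, byte[]> updates) throws IOException {
        Map<String, byte[]> pending = new LinkedHashMap<>(updates);
        try (JarFile in = new JarFile(src.toFile());
             JarOutputStream out = new JarOutputStream(Files.newOutputStream(dest))) {
            for (JarEntry e : Collections.list(in.entries())) {
                byte[] replacement = pending.remove(e.getName());
                out.putNextEntry(new JarEntry(e.getName()));
                if (replacement != null) {
                    out.write(replacement);            // entry is in the update list
                } else {
                    try (InputStream is = in.getInputStream(e)) { is.transferTo(out); }
                }
                out.closeEntry();
            }
            for (Map.Entry<String, byte[]> u : pending.entrySet()) { // untouched names go last
                out.putNextEntry(new JarEntry(u.getKey()));
                out.write(u.getValue());
                out.closeEntry();
            }
        }
    }

    // JarInputStream only finds the manifest if it is at the start of the stream.
    static boolean manifestVisibleToStream(Path jar) throws IOException {
        try (JarInputStream jis = new JarInputStream(Files.newInputStream(jar))) {
            return jis.getManifest() != null;
        }
    }

    public static void main(String[] args) throws IOException {
        Path src = Files.createTempFile("src", ".jar");   // constructed sample jars
        Path dest = Files.createTempFile("dest", ".jar");
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(src), mf)) {
            out.putNextEntry(new JarEntry("a.txt"));
            out.write("old".getBytes());
            out.closeEntry();
        }
        updateJar(src, dest, Map.of("a.txt", "new".getBytes(), "b.txt", "added".getBytes()));
        System.out.println("manifest at start: " + manifestVisibleToStream(dest));
    }
}
```

Because the source entries are copied in their original order and new names are only appended, META-INF/MANIFEST.MF stays first in the destination, which is the layout a JarInputStream needs.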


