RFR 8169911: Enhanced tests for jarsigner -verbose -verify after JDK-8163304

Amanda Jiang amanda.jiang at oracle.com
Tue Nov 22 05:48:32 UTC 2016 

Hi Max,

Thanks for your comments, the webrev below addressed all the issues you 
mentioned, please check and let me know if there are any problem.

http://cr.openjdk.java.net/~amjiang/8169911/webrev.02/

Thanks,
Amanda


On 11/18/16 11:37 PM, Wang Weijun wrote:

> Hi Amanda
>
> - There are many duplicates in signWithAlias() and sign(). I think it's better to make one based on the other. Maybe signWithAliasAndTsa() and sign().
>
> - checkWeak2() is about combinations of weak/strong algs in a single signer. I'd rather it be an individual test case, and not as a step in multiple signers. The name is not meaningful enough. Maybe checkHalfWeak()?
>
> - About multiple signers:
>
>    On lines 356 and 364, I suggest using different names for signed jar and original jar. This makes debugging easier when there is a failure.
>
>    IMO it's not worth writing different checkComb() and checkComb2(). As long as the output contains "weak" we know the weak algorithm is also printed out. What we need to cover are:
>
>     1) it's treated as verified if at least one is strong (you already covered it)
>
>     2) it has only 1 verified signer, this should be shown with both -verbose and -certs. You can see there is only one certificate shown. Or you can use JarFile API to open the jar file and check the length of JarEntry::getCodeSigner().
>
>     3) the history shows 2 signers, this can be provide by 2 "Signed by" lines.
>
>    I'd suggest checkComb() be renamed to checkMultiple().
>
> Thanks
> Max
>
>> On Nov 19, 2016, at 8:38 AM, Amanda Jiang <amanda.jiang at oracle.com> wrote:
>>
>> HI All,
>> Please help to review following code change:
>>    webrev:  http://cr.openjdk.java.net/~amjiang/8169911/webrev.01/
>>    bug: https://bugs.openjdk.java.net/browse/JDK-8169911
>>
>> This change enhances test case for JDK-8163304 by covering following cases:
>>    - Multiple signers (signed by jarsigner twice using different aliases)
>>    - Combinations of weak/strong -digestalg, -tsadigestalg and -sigalg
>>    - Signing with DSA keys
>>
>> Thanks,
>> Amanda

More information about the security-dev mailing list