RFR JDK-8179614: Test for jarsigner on verifying jars that are signed and timestamped by other JDK releases
Sean Mullan
sean.mullan at oracle.com
Tue Jun 6 20:27:18 UTC 2017
Hi John,
This looks like a very useful test. I have not gone through all of the
code, but here are a few comments for now until I have more time:
- add tests for EC keys
- add tests for SHA-512 variants of the signature algorithms
- add tests for larger key sizes (ex: 2048 for DSA/RSA)
- you can use the diamond operator <> in various places
- might be more compact if jdkList() used Files.lines() to parse the
  file into a stream then an array
- did you consider using the jarsigner API (jdk.security.jarsigner)
  instead of the command-line? I think this would be better (if possible)
  and it would give us some more tests of that API.
--Sean
On 6/5/17 6:31 AM, sha.jiang at oracle.com wrote:
> Hi,
> Please review this manual test for checking if a jar, which is signed
> and timestamped by a JDK build, could be verified by other JDK builds.
> It also can be used to check if the default timestamp digest algorithm
> on signing is SHA-256.
> For more details, please look through the test summary.
>
> Issue: https://bugs.openjdk.java.net/browse/JDK-8179614
> Webrev: http://cr.openjdk.java.net/~jjiang/8179614/webrev.00/
>
> Best regards,
> John Jiang
>