RFR JDK-8179614: Test for jarsigner on verifying jars that are signed and timestamped by other JDK releases

Weijun Wang weijun.wang at oracle.com
Wed Jun 7 01:55:24 UTC 2017



On 06/07/2017 09:14 AM, sha.jiang at oracle.com wrote:
> Hi Sean,
> 
> On 07/06/2017 04:27, Sean Mullan wrote:
>> Hi John,
>>
>> This looks like a very useful test. I have not gone through all of the 
>> code, but here are a few comments for now until I have more time:
>>
>> - add tests for EC keys
>> - add tests for SHA-512 variants of the signature algorithms
>> - add tests for larger key sizes (ex: 2048 for DSA/RSA)
>> - you can use the diamond operator <> in various places
>> - might be more compact if jdkList() used Files.lines() to parse the 
>> file into a stream then an array
> I did consider the above two points. Because the test will be 
> backported to JDK 6, I only used the features supported by JDK 6.
> I supposed that would make the backport easier. Does it make sense?

I think this depends on how one plans to run this test. If the "neither 
of jdkListFile and jdkList is specified" case is very useful, then it 
makes sense to backport it to a quite old release. Otherwise, you can 
just use a new JDK to launch the test itself.

> 
> Best regards,
> John Jiang
>> - did you consider using the jarsigner API (jdk.security.jarsigner) 
>> instead of the command-line? I think this would be better (if 
>> possible) and it would give us some more tests of that API.

jarsigner can show warnings but JarSigner cannot, and maybe a user wants 
to compare "Status of Signing" and "Status of Verifying".

Also,

1. Would you like to make JAVA_SECURITY configurable on the jtreg 
command line? Maybe someone wants to try out different java.security files.

2. Sometimes a system might lack enough entropy to generate random 
numbers. It will be safe to add -Djava.security.egd=file:/dev/./urandom 
to both the keytool and jarsigner commands.

3. I have been rethinking unsupportedSigAlgs. Is it possible to detect it with 
a separate program that just calls Signature.getInstance()? Otherwise if 
jarsigner fails for another reason (say, TSA cannot be reached) we won't 
be able to notice it.

4. About javaVersion(), if you test with an OpenJDK build, there will be 
no "Java SE" there. Maybe you can read a system property instead?

Thanks
Max


>>
>> --Sean
>>
>> On 6/5/17 6:31 AM, sha.jiang at oracle.com wrote:
>>> Hi,
>>> Please review this manual test for checking if a jar, which is signed 
>>> and timestamped by a JDK build, could be verified by other JDK builds.
>>> It also can be used to check if the default timestamp digest 
>>> algorithm on signing is SHA-256.
>>> For more details, please look through the test summary.
>>>
>>> Issue: https://bugs.openjdk.java.net/browse/JDK-8179614
>>> Webrev: http://cr.openjdk.java.net/~jjiang/8179614/webrev.00/
>>>
>>> Best regards,
>>> John Jiang
>>>
>>
> 
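
The separate probe suggested in point 3 of the reply above, as an added example that is not part of the original thread or of the test under review: it calls Signature.getInstance() on the running JDK so that an unsupported algorithm can be told apart from a jarsigner failure with another cause (for example, an unreachable TSA), and it reports the version from a system property as in point 4. The class name SigAlgProbe, the candidate algorithm list and the output format are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper, not part of the test under review.
// Written without the diamond operator or lambdas so it also compiles on old JDKs.
public class SigAlgProbe {

    // Constructed candidate list; pass algorithm names as arguments to override it.
    private static final String[] DEFAULT_ALGS = {
        "SHA1withRSA", "SHA256withRSA", "SHA512withRSA",
        "SHA1withDSA", "SHA256withDSA",
        "SHA1withECDSA", "SHA256withECDSA", "SHA512withECDSA"
    };

    // Returns the subset of algs that no installed provider implements.
    static List<String> unsupported(String[] algs) {
        List<String> missing = new ArrayList<String>();
        for (String alg : algs) {
            try {
                Signature.getInstance(alg);
            } catch (NoSuchAlgorithmException e) {
                missing.add(alg);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        String[] algs = args.length > 0 ? args : DEFAULT_ALGS;
        List<String> missing = unsupported(algs);
        // A system property works on OpenJDK builds too, unlike parsing "Java SE".
        System.out.println("java.version=" + System.getProperty("java.version"));
        for (String alg : algs) {
            String state = missing.contains(alg) ? "UNSUPPORTED" : "SUPPORTED";
            System.out.println(alg + "=" + state);
        }
    }
}
```

Run it with the java launcher of each JDK under test and skip signing only for the algorithms it reports as UNSUPPORTED; any other jarsigner failure then stands out as a real failure.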


