RFR: 8301167: Update VerifySignedJar to actually exercise and test verification [v2]

Eirik Bjorsnos duke at openjdk.org
Fri Feb 3 08:01:21 UTC 2023


> This PR resurrects VerifySignedJar which currently tests nothing.
> 
> VerifySignedJar currently verifies a binary JAR which was signed with SHA-1 back in April 2000. Because SHA-1 signed JARs has been disabled for a while, the JAR is treated as unsigned so the test doesn't really test anything as of now. 
> 
> The test is updated in the following ways:
> 
> - The JAR used for verification is now created and signed with SHA-256 by the test itself
> - The test is updated to check that the JAR is actually signed and with the expected certificate 
> - JarEntry InputStreams are now read fully to ensure verification of all entries
> - Objects.requireNonNull is used to check that entries returned by  getEntry, getJarEntry are non-null 
> - The existing binary JAR is retired

Eirik Bjorsnos has updated the pull request incrementally with one additional commit since the last revision:

  Add whitespace after "if"
  
  Co-authored-by: Andrey Turbanov <turbanoff at gmail.com>

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/12206/files
  - new: https://git.openjdk.org/jdk/pull/12206/files/66ad0c7d..8ff06744

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=12206&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=12206&range=00-01

  Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
  Patch: https://git.openjdk.org/jdk/pull/12206.diff
  Fetch: git fetch https://git.openjdk.org/jdk pull/12206/head:pull/12206

PR: https://git.openjdk.org/jdk/pull/12206



More information about the security-dev mailing list