RFR: 8301167: Update VerifySignedJar to actually exercise and test verification [v2]

Weijun Wang weijun at openjdk.org
Mon Feb 6 04:13:51 UTC 2023


On Fri, 3 Feb 2023 08:01:21 GMT, Eirik Bjorsnos <duke at openjdk.org> wrote:

>> This PR resurrects VerifySignedJar which currently tests nothing.
>> 
>> VerifySignedJar currently verifies a binary JAR which was signed with SHA-1 back in April 2000. Because SHA-1 signed JARs have been disabled for a while, the JAR is treated as unsigned so the test doesn't really test anything as of now.
>> 
>> The test is updated in the following ways:
>> 
>> - The JAR used for verification is now created and signed with SHA-256 by the test itself
>> - The test is updated to check that the JAR is actually signed and with the expected certificate
>> - JarEntry InputStreams are now read fully to ensure verification of all entries
>> - Objects.requireNonNull is used to check that entries returned by getEntry, getJarEntry are non-null
>> - The existing binary JAR is retired
>
> Eirik Bjorsnos has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Add whitespace after "if"
>   
>   Co-authored-by: Andrey Turbanov <turbanoff at gmail.com>

test/jdk/java/util/jar/JarFile/VerifySignedJar.java line 76:

> 74:             // Read entry by name
> 75:             ZipEntry ze = Objects.requireNonNull(jf.getEntry("getprop.class"));
> 76:             JarEntry je = Objects.requireNonNull(jf.getJarEntry("getprop.class"));

There is no need to store the outputs to variables.

Also, for the `Unreached` lines below, we have `jdk.test.lib.Utils::runAndCheckException` which is good at catching exceptions.

            Utils.runAndCheckException(() -> jf.getEntry(null), NullPointerException.class);
            Utils.runAndCheckException(() -> jf.getJarEntry(null), NullPointerException.class);
            Utils.runAndCheckException(() -> jf.getInputStream(null), NullPointerException.class);

-------------

PR: https://git.openjdk.org/jdk/pull/12206
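
The verification pattern listed in the PR description (read every entry fully, then check that it is signed by the expected certificate), as an added example that is not code from the PR or from the JDK test. The class name `StrictJarCheck`, the helper `isSignatureRelated` and the command-line arguments are hypothetical.

```java
import java.io.*;
import java.nio.file.*;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public class StrictJarCheck {   // hypothetical name, not part of the JDK test

    // The manifest and signature files directly under META-INF carry no signers.
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA")
            || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    static void verify(Path jar, X509Certificate expected) throws IOException {
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            for (JarEntry je : Collections.list(jf.entries())) {
                if (je.isDirectory() || isSignatureRelated(je.getName())) continue;
                // Digests are checked only when the stream is read to EOF;
                // a mismatch surfaces as a SecurityException from the read.
                try (InputStream in = jf.getInputStream(je)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                // Null before the full read, and null when the JAR is treated
                // as unsigned (for example, signed with a disabled algorithm).
                java.security.cert.Certificate[] certs = je.getCertificates();
                if (certs == null || certs.length == 0)
                    throw new SecurityException("Unsigned entry: " + je.getName());
                // Accepts a match anywhere in the returned chains.
                if (!Arrays.asList(certs).contains(expected))
                    throw new SecurityException("Unexpected signer: " + je.getName());
            }
        }
    }

    // Usage (assumed): java StrictJarCheck signed.jar expected-cert.pem
    public static void main(String[] args) throws Exception {
        try (InputStream in = Files.newInputStream(Path.of(args[1]))) {
            X509Certificate cert = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            verify(Path.of(args[0]), cert);
            System.out.println("All entries verified and signed as expected");
        }
    }
}
```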


