RFR: 8301167: Update VerifySignedJar to actually exercise and test verification [v2]
Weijun Wang
weijun at openjdk.org
Mon Feb 6 04:13:51 UTC 2023
On Fri, 3 Feb 2023 08:01:21 GMT, Eirik Bjorsnos <duke at openjdk.org> wrote:
>> This PR resurrects VerifySignedJar which currently tests nothing.
>>
>> VerifySignedJar currently verifies a binary JAR which was signed with SHA-1 back in April 2000. Because SHA-1 signed JARs have been disabled for a while, the JAR is treated as unsigned so the test doesn't really test anything as of now.
>>
>> The test is updated in the following ways:
>>
>> - The JAR used for verification is now created and signed with SHA-256 by the test itself
>> - The test is updated to check that the JAR is actually signed and with the expected certificate
>> - JarEntry InputStreams are now read fully to ensure verification of all entries
>> - Objects.requireNonNull is used to check that entries returned by getEntry, getJarEntry are non-null
>> - The existing binary JAR is retired
>
> Eirik Bjorsnos has updated the pull request incrementally with one additional commit since the last revision:
>
> Add whitespace after "if"
>
> Co-authored-by: Andrey Turbanov <turbanoff at gmail.com>
test/jdk/java/util/jar/JarFile/VerifySignedJar.java line 76:
> 74: // Read entry by name
> 75: ZipEntry ze = Objects.requireNonNull(jf.getEntry("getprop.class"));
> 76: JarEntry je = Objects.requireNonNull(jf.getJarEntry("getprop.class"));
There is no need to store the outputs to variables.
Also, for the `Unreached` lines below, we have `jdk.test.lib.Utils::runAndCheckException` which is good at catching exceptions.

    Utils.runAndCheckException(() -> jf.getEntry(null), NullPointerException.class);
    Utils.runAndCheckException(() -> jf.getJarEntry(null), NullPointerException.class);
    Utils.runAndCheckException(() -> jf.getInputStream(null), NullPointerException.class);

-------------
PR: https://git.openjdk.org/jdk/pull/12206
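
Added example (not part of the original message or of the PR's test code): a minimal verifier showing why the PR description insists on reading each entry fully and on checking the signer, since an entry that the JDK treats as unsigned yields null signers instead of an exception. The class name CheckSignedJar, the helper isSignatureFile and the command-line arguments are assumptions made for illustration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class CheckSignedJar { // hypothetical class name
    // Signature metadata directly under META-INF/ is not itself signed.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    // Returns normally only if every content entry verifies and was signed by 'expected'.
    static void verify(File jar, Certificate expected) throws Exception {
        try (JarFile jf = new JarFile(jar, true)) { // true = verify signatures
            for (JarEntry je : Collections.list(jf.entries())) {
                if (je.isDirectory() || isSignatureFile(je.getName())) continue;
                // Digests are checked only when the stream is read to EOF;
                // a modified entry throws SecurityException here.
                try (InputStream in = jf.getInputStream(je)) {
                    in.transferTo(OutputStream.nullOutputStream()); // Java 11+
                }
                // null means the entry counts as unsigned (e.g. disabled digest algorithm).
                CodeSigner[] signers = je.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned: " + je.getName());
                boolean match = false;
                for (CodeSigner cs : signers) {
                    match |= cs.getSignerCertPath().getCertificates().get(0).equals(expected);
                }
                if (!match) throw new SecurityException("unexpected signer: " + je.getName());
            }
        }
    }

    public static void main(String[] args) throws Exception { // args: <jar> <cert file>
        try (InputStream in = new FileInputStream(args[1])) {
            verify(new File(args[0]), CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        System.out.println("all entries verified");
    }
}
```

The comparison uses the first certificate of each signer's path (the signing certificate itself), so a match on an issuing CA higher in the chain does not count.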