Integrated: 8301167: Update VerifySignedJar to actually exercise and test verification
Eirik Bjorsnos
duke at openjdk.org
Mon Feb 6 15:47:00 UTC 2023
On Wed, 25 Jan 2023 17:38:13 GMT, Eirik Bjorsnos <duke at openjdk.org> wrote:
> This PR resurrects VerifySignedJar which currently tests nothing.
>
> VerifySignedJar currently verifies a binary JAR which was signed with SHA-1 back in April 2000. Because SHA-1 signed JARs have been disabled for a while, the JAR is treated as unsigned so the test doesn't really test anything as of now.
>
> The test is updated in the following ways:
>
> - The JAR used for verification is now created and signed with SHA-256 by the test itself
> - The test is updated to check that the JAR is actually signed and with the expected certificate
> - JarEntry InputStreams are now read fully to ensure verification of all entries
> - Objects.requireNonNull is used to check that entries returned by getEntry, getJarEntry are non-null
> - The existing binary JAR is retired
This pull request has now been integrated.
Changeset: 05ea083b
Author: Eirik Bjorsnos <eirbjo at gmail.com>
Committer: Weijun Wang <weijun at openjdk.org>
URL: https://git.openjdk.org/jdk/commit/05ea083b0563ddacf3e38dc329ba00dc4bac9b29
Stats: 110 lines in 2 files changed: 84 ins; 12 del; 14 mod
8301167: Update VerifySignedJar to actually exercise and test verification
Reviewed-by: weijun
-------------
PR: https://git.openjdk.org/jdk/pull/12206
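
The checks listed in the PR description (read every entry fully, then require that the entry is signed and by the expected certificate) can be sketched as below. This is an added example, not the code of the OpenJDK test or of the changeset; the class name `StrictJarCheck`, its method names, and the two command-line arguments (a JAR path and a file holding the expected signer certificate) are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.CodeSigner;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.*;

public class StrictJarCheck {   // hypothetical class, not the OpenJDK test
    /** Returns the number of verified entries; throws unless each is signed by expected. */
    static int requireSignedBy(Path jar, X509Certificate expected) throws Exception {
        int checked = 0;
        try (JarFile jf = new JarFile(jar.toFile(), true)) {   // true = verify
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || isSigningRelated(e.getName())) continue;
                // Digests are checked only when the stream is read to EOF;
                // a modified entry raises SecurityException here.
                try (InputStream in = jf.getInputStream(e)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                // Signers are available only after the full read. null means the
                // entry is being treated as unsigned, which a test must not accept.
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned: " + e.getName());
                boolean match = false;
                for (CodeSigner s : signers)
                    match |= s.getSignerCertPath().getCertificates().get(0).equals(expected);
                if (!match) throw new SecurityException("unexpected signer: " + e.getName());
                checked++;
            }
        }
        return checked;
    }
    // Approximation: the manifest and signature files directly under META-INF/
    // carry no signers of their own, so they are skipped.
    static boolean isSigningRelated(String name) {
        String n = name.toUpperCase(Locale.ENGLISH);
        return n.startsWith("META-INF/") && n.indexOf('/', 9) < 0
            && n.matches("META-INF/(MANIFEST\\.MF|SIG-.*|.*\\.(SF|RSA|DSA|EC))");
    }
    public static void main(String[] args) throws Exception {   // args: jar, cert file
        try (InputStream in = Files.newInputStream(Path.of(args[1]))) {
            X509Certificate cert = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println(requireSignedBy(Path.of(args[0]), cert) + " entries verified");
        }
    }
}
```

A return value of 0 means the JAR had no payload entries to verify, which a caller should treat as a failure rather than a pass.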