RFR: 8301167: Update VerifySignedJar to actually exercise and test verification

Eirik Bjorsnos duke at openjdk.org
Thu Jan 26 17:06:15 UTC 2023


This PR resurrects VerifySignedJar which currently tests nothing.

VerifySignedJar currently verifies a binary JAR which was signed with SHA-1 back in April 2000. Because SHA-1 signed JARs have been disabled for a while, the JAR is treated as unsigned so the test doesn't really test anything as of now.

The test is updated in the following ways:

- The JAR used for verification is now created and signed with SHA-256 by the test itself
- The test is updated to check that the JAR is actually signed and with the expected certificate 
- JarEntry InputStreams are now read fully to ensure verification of all entries
- Objects.requireNonNull is used to check that entries returned by getEntry, getJarEntry are non-null
- The existing binary JAR is retired

-------------

Commit messages:
 - Simplify checkSignedBy by using JarEntry.getCertificates() instead of JarEntry.getCodeSigners()
 - o Update VerifySignedJar test to create and sign a JAR file instead of reading a binary JAR from version control.

Changes: https://git.openjdk.org/jdk/pull/12206/files
 Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=12206&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8301167
  Stats: 91 lines in 2 files changed: 79 ins; 0 del; 12 mod
  Patch: https://git.openjdk.org/jdk/pull/12206.diff
  Fetch: git fetch https://git.openjdk.org/jdk pull/12206/head:pull/12206

PR: https://git.openjdk.org/jdk/pull/12206
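
The checks listed in the message above, written out as an added example that is not part of the original post or of the JDK test: each entry is read fully so that verification runs, then rejected if it is treated as unsigned or was signed by a different certificate. The class name, the `checkSignedBy` signature and the command-line arguments are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class CheckSignedJar {
    // Hypothetical helper: throws unless every checked entry verifies and was signed by 'expected'.
    static void checkSignedBy(String jarPath, Certificate expected) throws IOException {
        try (JarFile jar = new JarFile(jarPath, true)) { // true = verify signatures
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // signature-related files live here; this example skips the directory
                }
                // Digests are checked while the stream is consumed, so the entry must be
                // read to the end; a tampered entry throws SecurityException during the read.
                try (InputStream in = jar.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                // Only meaningful after the full read. null means the entry is treated as
                // unsigned, which is also what happens when the signature algorithm is disabled.
                Certificate[] certs = entry.getCertificates();
                if (certs == null) {
                    throw new SecurityException("Treated as unsigned: " + entry.getName());
                }
                if (!Arrays.asList(certs).contains(expected)) {
                    throw new SecurityException("Unexpected signer: " + entry.getName());
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: args[0] = signed JAR, args[1] = expected signer certificate (PEM or DER)
        Certificate expected;
        try (InputStream in = new FileInputStream(args[1])) {
            expected = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        checkSignedBy(args[0], expected);
        System.out.println("All entries verified and signed by the expected certificate");
    }
}
```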
