3789983e89
Reviewed-by: darcy, ihse
# Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License version 2 only, as # published by the Free Software Foundation. # # This code is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # version 2 for more details (a copy is included in the LICENSE file that # accompanied this code). # # You should have received a copy of the GNU General Public License version # 2 along with this work; if not, write to the Free Software Foundation, # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. # # Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA # or visit www.oracle.com if you need additional information or have any # questions. ##### Summary ##### This test is used to verify the compatibility on jarsigner cross different JDK releases. It also can be used to check jar signing (w/ and w/o TSA) and verifying on some specific key algorithms and digest algorithms. ##### Output ##### The test will generate a report, at JTwork/scratch/report.html, to display the key parameters for signing and the status of signing and verifying. And it will generate another report, at JTwork/scratch/failedReport.html, to collect all of failed cases. Please note that, the test may output a great deal of logs if the jdk list and TSA list are big, and that would lead to jtreg output overflow. So, it redirects stdout and stderr to file JTwork/scratch/details.out. ##### Report Columns ##### Certificate Certificate identifier. The identifier consists of specific attributes of the certificate. Generally, the naming convention is: KeyAlgorithm_DigestAlgorithm_[KeySize][_Expired] Signer JDK The JDK version that signs jar. Signature Algorithm The signature algorithm used by signing. TSA Digest The timestamp digest algorithm used by signing. TSA TSA URL index. All of TSA URLs and their indices can be found at the top of this report. Signing Status Signing process result status. The status are the followings: [1]NONE, no action. [2]NORMAL, no any error and warning. [3]WARNING, no any error but some warnings raise. [4]ERROR, some errors raise. Verifier JDK The JDK version that verifies signed jars. Verifying Status Verifying process result status. The status are the same as those for "Status of Signing". Delay Verifying Status Delay verifying process result status. The status are the same as those for "Status of Signing". Failed It highlights which case fails. The failed cases (rows) are marked with letter X. ##### Usages ##### jtreg [-options] \ -jdk:<path/to/testing/JDK> [-DproxyHost=<host> \ -DproxyPort=<port> \ -DtsaListFile=</url/to/tsaListFile> \ -DtsaList=</path/to/tsa1#/path/to/tsa2#/path/to/tsa3#...> \ -DjdkListFile=</path/to/jdkListFile> \ -DjdkList=</path/to/jdk1#/path/to/jdk2#/path/to/jdk3#...> \ -DjavaSecurityFile=</path/to/java/security/properties/file> \ -DdelayVerify=<true|false> \ -DcertValidity=<[1, 1440]>] \ <JDK_REPO>/jdk/test/sun/security/tools/jarsigner/compatibility/Compatibility.java Besides the common jtreg options, like -jdk, this test introduces a set of properties for receiving users' inputs and making the test more flexible. These properties are: proxyHost=<host> This property indicates proxy host. proxyPort=<port> This property indicates proxy port. The default value is 80. tsaListFile=</path/to/tsaListFile> This property indicates a local file, which contains a set of TSA URLs and the supported digest algorithms (by optional parameter digests). The format of the file content looks like the below, http://path/to/tsa1 http://path/to/tsa2;digests=SHA-1,SHA-256 https://path/to/tsa3 ... If a TSA line does not list the supported digest algorithms, that means the TSA supports SHA-1, SHA-256 and SHA-512. Because the test only focus on SHA-1, SHA-256 and SHA-512. So, if other digest algorithms, like SHA-224 and SHA-384, are listed, they just be ignored. tsaList=</path/to/tsa1#/path/to/tsa2;digests=SHA-1,SHA-256#...> This property directly lists a set of TSAs in command. "#" is the delimiter. Note that, if both of tsaListFile and tsaList are specified, only property jdkListFile is selected. If neither of tsaListFile and tsaList is specified, the test will fails immediately. jdkListFile=</path/to/jdkListFile> This property indicates a local file, which contains a set of local JDK paths. The style of the file content looks like the below, /path/to/jdk1 /path/to/jdk2 /path/to/jdk3 ... jdkList=</path/to/jdk1#/path/to/jdk2#/path/to/jdk3#...> This property directly lists a set of local JDK paths in command. "#" is the delimiter. Note that, if both of jdkListFile and jdkList are specified, only property jdkListFile is selected. If neither of jdkListFile nor jdkList is specified, the testing JDK, which is specified by jtreg option -jdk will be used as the only one JDK in the JDK list. javaSecurityFile=</path/to/java/security/properties/file> This property indicates an alternative java security properties file. The default file is the path of file java.scurity that is distributed with this test. delayVerify=<true|false> This property indicates if doing an additional verifying after all of valid certificates expire. The default value is false. certValidity=<[1, 1440]> This property indicates the remaining validity period in minutes for valid certificates. The value range is [1, 1440]. The default value is 1440. Note that, if delayVerify is false, this property doesn't take effect. The testing JDK, which is specified by jtreg option "-jdk", should include the fix for JDK-8163304. Otherwise, the signature algorithm and timestamp digest algorithm cannot be extracted from verification output. And this JDK should support as many as possible signature algorithms. Anyway the latest JDK build is always recommended. ##### Examples ##### $ cat /path/to/jdkList /path/to/jdk6u171-b05 /path/to/jdk7u161-b05 /path/to/jdk8u144-b01 /path/to/jdk9-179 $ cat /path/to/tsaList http://timestamp.comodoca.com/rfc3161 http://sha256timestamp.ws.symantec.com/sha256/timestamp http://tsa.starfieldtech.com http://timestamp.entrust.net/TSS/RFC3161sha1TS;digests=SHA-1,SHA-256 http://timestamp.entrust.net/TSS/RFC3161sha2TS;digests=SHA-1,SHA-256 http://rfc3161timestamp.globalsign.com/advanced;digests=SHA-256,SHA-512 http://rfc3161timestamp.globalsign.com/standard http://timestamp.globalsign.com/scripts/timstamp.dll http://timestamp.globalsign.com/?signature=sha2;digests=SHA-256,SHA-512 http://timestamp.digicert.com http://time.certum.pl http://tsa.swisssign.net http://zeitstempel.dfn.de https://tsp.iaik.tugraz.at/tsp/TspRequest $ jtreg -va -nr -timeout:100 \ -jdk:/path/to/latest/jdk \ -DproxyHost=<proxy> -DproxyPort=<port> \ -DjdkListFile=/path/to/jdkList \ -DtsaListFile=/path/to/tsaList \ -DdelayVerify=true -DcertValidity=60 \ <JDK_REPO>/jdk/test/sun/security/tools/jarsigner/compatibility/Compatibility.java The above is a comprehensive usage example. File "jdkList" lists the paths of testing JDK builds, and file "tsaList" lists the URLs of TSA services. Some TSAs, like http://timestamp.entrust.net/TSS/RFC3161sha1TS, specify the supported digest algorithms. Other TSAs, which don't specify parameter digests, are regarded to support SHA-1, SHA-256 and SHA-512. The test uses a proxy to access TSA services. And it enables delay verifying and set the certificate validity period to 60 minutes. So, after the first verification is done, the test will wait for all of valid certificates expire and then does verification again. If don't want to provide such JDK list and TSA list files, the test allows to specify JDKs and TSAs (via properties jdkList and tsaList respectively) in the command directly, like the below style, $ jtreg -va -nr -timeout:100 \ -jdk:/path/to/latest/jdk \ -DproxyHost=<proxy> -DproxyPort=<port> \ -DjdkList=/path/to/jdk6u171-b05#/path/to/jdk7u161-b05#/path/to/jdk8u144-b01#/path/to/jdk9-179 \ -DtsaList=http://timestamp.comodoca.com/rfc3161#http://timestamp.entrust.net/TSS/RFC3161sha1TS;digests=SHA-1,SHA-256 \ -DdelayVerify=true -DcertValidity=60 \ <JDK_REPO>/jdk/test/sun/security/tools/jarsigner/compatibility/Compatibility.java Furthermore, here introduces one of the simplest usages. It doesn't specify any JDK list, so the testing JDK, which is specified by jtreg option "-jdk", will be tested. And it doesn't apply delay verifying, and no proxy is used, and use only one TSA. Now, the command is pretty simple and looks like the followings, $ jtreg -va -nr -timeout:100 \ -jdk:/path/to/latest/jdk \ -DtsaList=http://timestamp.comodoca.com/rfc3161 \ <JDK_REPO>/jdk/test/sun/security/tools/jarsigner/compatibility/Compatibility.java