Well done, Peter. You're a serious work horse on River and we're grateful for what you're getting done.
Cheers.

On Mon, Feb 6, 2012 at 7:23 AM, Peter Firmstone <[email protected]> wrote:
> Peter Firmstone wrote:
>>
>> Good news,
>>
>> It's fixed! Turns out cloning the existing valid certs was a bad idea,
>> the keystore got confused and returned the wrong cert, that's all the
>> problem was. Generating keys and certs is now an automated script too, it
>> works (at least on Solaris).
>>
>> Perhaps in February 2022, when the certs need to be regenerated again, I
>> can be as helpful for the next guy as you were for me ;)
>>
>> N.B. Running the jtreg tests helped me fix a couple of concurrency bugs
>> and some corner cases in my new policy provider,
>
>
> Just to clarify the concurrency bugs weren't in the policy provider, only
> the corner cases, which dealt with policy delegation and something else I
> can't remember right now.
>
>
>> so these tests are still of high value. Oh and the jtreg scripts are now
>> Java 6 compatible.
>>
>> Now all I have to do is go run all the jtreg and qa tests again and see if
>> I've broken anything!
>>
>> Cheers & thanks,
>>
>> Peter.
>>
>> bash-3.00$ ant jtreg
>> Buildfile: build.xml
>>
>> jtreg:
>> [mkdir] Created dir: /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
>> [move] Moving 6 files to /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
>> [move] Moving 1 file to /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
>> [jtreg] Test results: passed: 1
>> [jtreg] Report written to /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTreport/html/report.html
>> [jtreg] Results written to /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTwork
>> [move] Moving 6 files to /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/lib
>> [move] Moving 1 file to /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/lib-ext
>> [delete] Deleting directory /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
>> [delete] Deleting: /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/test.props
>>
>> BUILD SUCCESSFUL
>> Total time: 1 minute 25 seconds
>>
>> bash-3.00$ keystore.sh
>> + rm ./keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -genkey -alias clientDSA -dname CN=clientDSA -keyalg DSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -genkey -alias clientRSA1 -dname CN=clientRSA1, C=US -keyalg RSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -genkey -alias clientRSA2 -dname CN=clientRSA2 -keyalg RSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -genkey -alias serverDSA -dname CN=serverDSA, C=US -keyalg DSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -genkey -alias serverRSA -dname CN=serverRSA -keyalg RSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -genkey -alias noPerm -dname CN=noPerm -keyalg DSA
>> + rm ./truststore
>> + cp ./keystore ./truststore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -genkey -alias notTrusted -dname CN=notTrusted -keyalg RSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -genkey -alias clientDSA2 -dname CN=clientDSA2 -keyalg DSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -certreq -alias clientDSA2 -file clientDSA2.request
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 1 -genkey -alias clientDSA2expired -dname CN=clientDSA2 -keyalg DSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 1 -certreq -alias clientDSA2expired -file clientDSA2expired.request
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -genkey -alias serverRSA2 -dname CN=serverRSA2 -keyalg RSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -certreq -alias serverRSA2 -file serverRSA2.request
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 1 -genkey -alias serverRSA2expired -dname CN=serverRSA2 -keyalg RSA
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 1 -certreq -alias serverRSA2expired -file serverRSA2expired.request
>> + set +x
>> Sign clientDSA2.req, serverRSA2.req, clientDSA2expired.req and serverRSA2expired.req, then import them:
>> expired certificates need one day to expire before testing.
>> + ../../../../../certs/run-ca.sh -CA ./ca.properties
>> + ../../../../../certs/run-ca.sh -CA ./ca1.properties
>> + ../../../../../certs/run-ca.sh -CR ./ca.properties
>> + ../../../../../certs/run-ca.sh -CR ./ca1.properties
>> + ../../../../../certs/run-ca.sh -CR ./serverRSA2expired.properties
>> + ../../../../../certs/run-ca.sh -CR ./clientDSA2expired.properties
>> + keytool -keystore ./truststore -storepass keypass -keypass keypass -validity 3650 -import -noprompt -alias ca -file ca.cert
>> Certificate was added to keystore
>> + keytool -keystore ./truststore -storepass keypass -keypass keypass -validity 3650 -import -noprompt -alias ca1 -file ca1.cert
>> Certificate was added to keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -import -noprompt -alias ca -file ca.cert
>> Certificate was added to keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -import -noprompt -alias ca1 -file ca1.cert
>> Certificate was added to keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -import -noprompt -alias clientDSA2 -file clientDSA2.chain
>> Certificate reply was installed in keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 1 -import -noprompt -alias clientDSA2expired -file clientDSA2expired.chain
>> Certificate reply was installed in keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 3650 -import -noprompt -alias serverRSA2 -file serverRSA2.chain
>> Certificate reply was installed in keystore
>> + keytool -keystore ./keystore -storepass keypass -keypass keypass -validity 1 -import -noprompt -alias serverRSA2expired -file serverRSA2expired.chain
>> Certificate reply was installed in keystore
>> bash-3.00$
>>
>> Tim Blackman wrote:
>>>
>>> On Feb 5, 2012, at 12:44 AM, Peter Firmstone wrote:
>>>
>>>
>>>>
>>>> Well, here's the bad news; the certificate has expired, but the tests
>>>> still fail. This is the first time these tests have been run under jdk
>>>> 1.6, to my knowledge at least.
>>>>
>>>> The test expects jeri to throw a ConnectIOException, but it doesn't.
>>>>
>>>> The good news is, when the server certificate has expired, an
>>>> IOException is thrown as expected. I have to comment out: "throw new
>>>> FailedException(" in TestRMI for the expired client test, or
>>>> FailedException will be thrown before the expired server certificate
>>>> is tested.
>>>>
>>>> This could indicate the ServerAuthManager could have a problem, since
>>>> the ClientAuthManager is behaving correctly?
>>>>
>>
>>
>
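
Added example (not part of the original thread, and not code from Peter or the River project): both conditions discussed above, a certificate stored under more than one alias and certificates that have or have not yet expired, can be checked before the tests run. It assumes Java 8 or later, the ./keystore file and keypass password from the keystore.sh trace, and that "cloning" left one identical certificate under several aliases; the class name KeystoreAudit is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

/** Added example (hypothetical class name): audit a test keystore before a test run. */
public class KeystoreAudit {
    public static void main(String[] args) throws Exception {
        // Assumed defaults: file name and password as shown in the keystore.sh trace.
        String path = args.length > 0 ? args[0] : "./keystore";
        char[] pass = (args.length > 1 ? args[1] : "keypass").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        Date now = new Date();
        Map<String, List<String>> byFingerprint = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias); // leaf certificate of the entry
            if (cert == null) continue;
            byFingerprint.computeIfAbsent(fingerprint(cert), k -> new ArrayList<>()).add(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) cert;
                String state = now.after(x.getNotAfter()) ? "EXPIRED"
                        : now.before(x.getNotBefore()) ? "NOT YET VALID" : "valid";
                System.out.printf("%-20s %-13s notAfter=%s%n", alias, state, x.getNotAfter());
            }
        }
        // Several aliases with one fingerprint: a lookup by certificate cannot
        // tell those entries apart, so the alias it resolves to may be the wrong one.
        for (Map.Entry<String, List<String>> e : byFingerprint.entrySet()) {
            if (e.getValue().size() > 1) {
                System.out.println("SHARED CERT " + e.getKey() + " -> " + e.getValue());
            }
        }
    }

    /** Hex SHA-256 of the DER encoding; identical certificates give identical values. */
    private static String fingerprint(Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Run against ./keystore after keystore.sh completes, the entries generated with -validity 1 should report EXPIRED only once their one-day validity has passed, and a correctly generated keystore should print no SHARED CERT line.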
