You're welcome, thanks for the kudos.
Cheers,
Peter.
Tom Hobbs wrote:
Well done, Peter. You're a serious workhorse on River and we're
grateful for what you're getting done.
Cheers.
On Mon, Feb 6, 2012 at 7:23 AM, Peter Firmstone <[email protected]> wrote:
Peter Firmstone wrote:
Good news,
It's fixed! Turns out cloning the existing valid certs was a bad idea:
the keystore got confused and returned the wrong cert; that's all the
problem was. Generating keys and certs is now an automated script too; it
works (at least on Solaris).
Perhaps in February 2022, when the certs need to be regenerated again, I
can be as helpful for the next guy as you were for me ;)
N.B. Running the jtreg tests helped me fix a couple of concurrency bugs
and some corner cases in my new policy provider,
Just to clarify, the concurrency bugs weren't in the policy provider, only
the corner cases, which dealt with policy delegation and something else I
can't remember right now.
so these tests are still of high value. Oh and the jtreg scripts are now
Java 6 compatible.
Now all I have to do is go run all the jtreg and qa tests again and see if
I've broken anything!
Cheers & thanks,
Peter.
bash-3.00$ ant jtreg
Buildfile: build.xml
jtreg:
[mkdir] Created dir:
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
[move] Moving 6 files to
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
[move] Moving 1 file to
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
[jtreg] Test results: passed: 1
[jtreg] Report written to
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTreport/html/report.html
[jtreg] Results written to
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTwork
[move] Moving 6 files to
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/lib
[move] Moving 1 file to
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/lib-ext
[delete] Deleting directory
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
[delete] Deleting:
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/test.props
BUILD SUCCESSFUL
Total time: 1 minute 25 seconds
bash-3.00$ keystore.sh
+ rm ./keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -genkey -alias clientDSA -dname CN=clientDSA -keyalg DSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -genkey -alias clientRSA1 -dname CN=clientRSA1, C=US -keyalg
RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -genkey -alias clientRSA2 -dname CN=clientRSA2 -keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -genkey -alias serverDSA -dname CN=serverDSA, C=US -keyalg
DSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -genkey -alias serverRSA -dname CN=serverRSA -keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -genkey -alias noPerm -dname CN=noPerm -keyalg DSA
+ rm ./truststore
+ cp ./keystore ./truststore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -genkey -alias notTrusted -dname CN=notTrusted -keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -genkey -alias clientDSA2 -dname CN=clientDSA2 -keyalg DSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -certreq -alias clientDSA2 -file clientDSA2.request
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 1 -genkey -alias clientDSA2expired -dname CN=clientDSA2 -keyalg
DSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 1 -certreq -alias clientDSA2expired -file
clientDSA2expired.request
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -genkey -alias serverRSA2 -dname CN=serverRSA2 -keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -certreq -alias serverRSA2 -file serverRSA2.request
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 1 -genkey -alias serverRSA2expired -dname CN=serverRSA2 -keyalg
RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 1 -certreq -alias serverRSA2expired -file
serverRSA2expired.request
+ set +x
Sign clientDSA2.req, serverRSA2.req, clientDSA2expired.req and
serverRSA2expired.req, then import them:
expired certificates need one day to expire before testing.
+ ../../../../../certs/run-ca.sh -CA ./ca.properties
+ ../../../../../certs/run-ca.sh -CA ./ca1.properties
+ ../../../../../certs/run-ca.sh -CR ./ca.properties
+ ../../../../../certs/run-ca.sh -CR ./ca1.properties
+ ../../../../../certs/run-ca.sh -CR ./serverRSA2expired.properties
+ ../../../../../certs/run-ca.sh -CR ./clientDSA2expired.properties
+ keytool -keystore ./truststore -storepass keypass -keypass keypass
-validity 3650 -import -noprompt -alias ca -file ca.cert
Certificate was added to keystore
+ keytool -keystore ./truststore -storepass keypass -keypass keypass
-validity 3650 -import -noprompt -alias ca1 -file ca1.cert
Certificate was added to keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -import -noprompt -alias ca -file ca.cert
Certificate was added to keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -import -noprompt -alias ca1 -file ca1.cert
Certificate was added to keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -import -noprompt -alias clientDSA2 -file clientDSA2.chain
Certificate reply was installed in keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 1 -import -noprompt -alias clientDSA2expired -file
clientDSA2expired.chain
Certificate reply was installed in keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 3650 -import -noprompt -alias serverRSA2 -file serverRSA2.chain
Certificate reply was installed in keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass
-validity 1 -import -noprompt -alias serverRSA2expired -file
serverRSA2expired.chain
Certificate reply was installed in keystore
bash-3.00$
Tim Blackman wrote:
On Feb 5, 2012, at 12:44 AM, Peter Firmstone wrote:
Well, here's the bad news; the certificate has expired, but the tests
still fail. This is the first time these tests have been run under jdk 1.6,
to my knowledge at least.
The test expects jeri to throw a ConnectIOException, but it doesn't.
The good news is, when the server certificate has expired, an
IOException is thrown as expected. I have to comment out: "throw new
FailedException(" in TestRMI for the expired client test, or FailedException
will be thrown before the expired server certificate is tested.
This could indicate the ServerAuthManager could have a problem, since
the ClientAuthManager is behaving correctly?