[jira] [Commented] (DERBY-7126) Make it possible to build and test Derby cleanly with OpenJDK 18

2021-10-27 Thread Bryan Pendleton (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17435005#comment-17435005
 ] 

Bryan Pendleton commented on DERBY-7126:


This is interesting, thanks for posting the details! 

I assume that JDK 18 is dropping support for SHA1 because they are trying to 
force everyone to move to something newer and stronger (is there a SHA2?). 
Assuming there is a newer replacement, probably we need to figure out how to 
test with that newer replacement I guess?

But it also seems like if JDK doesn't support a certain signing level (that is, 
SHA1), then it should raise an error, not just quietly disregard the signature.

> Make it possible to build and test Derby cleanly with OpenJDK 18
> 
>
> Key: DERBY-7126
> URL: https://issues.apache.org/jira/browse/DERBY-7126
> Project: Derby
> Issue Type: Task
> Components: Build tools
> Affects Versions: 10.16.0.0
> Reporter: Richard N. Hillegas
> Assignee: Richard N. Hillegas
> Priority: Major
> Attachments: DERBY_7126_A.java
>
>
> Releases of Open JDK 18 can be found at https://jdk.java.net/178. We should 
> adjust Derby as necessary so that it builds cleanly (including javadoc) and 
> tests cleanly with this version of the platform.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (DERBY-7126) Make it possible to build and test Derby cleanly with OpenJDK 18

2021-10-27 Thread Richard N. Hillegas (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17434989#comment-17434989
 ] 

Richard N. Hillegas commented on DERBY-7126:


I may have figured out how to simulate the old behavior. I took the regenerated 
jar file and replaced the emc class with the corrupted version from the old 
corrupted jar. Then I replaced the old corrupted jar with the result. The 
result is a hacked jar which does not match its modern certificate. The test 
now runs cleanly on JDK 18 and JDK 11.

But I am still confused about the value of the JDK 18 behavior and the value of 
Derby's support for signed jars.


[jira] [Commented] (DERBY-7126) Make it possible to build and test Derby cleanly with OpenJDK 18

2021-10-27 Thread Richard N. Hillegas (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17434984#comment-17434984
 ] 

Richard N. Hillegas commented on DERBY-7126:


DatabaseClassLoader has instructions for signing a jar file used by the test 
(see the method header for testSignedJar()). The instructions don't work any 
more but can be fixed thusly:

{noformat}
keytool -delete -alias emccto -keystore emcks -storepass ab987c
keytool -genkey -keyalg "DSA" -validity 2555000 -dname "cn=EMC CTO, ou=EMC APP, o=Easy Mail Company, c=US" -alias emccto -keystore emcks -storepass ab987c
keytool -selfcert -alias emccto -validity 36500 -keystore emcks -storepass ab987c
jarsigner -keystore emcks -storepass ab987c -signedjar dcl_emc2s.jar dcl_emc2.jar emccto
{noformat}

With the regenerated jar file, 3 of the 4 failures go away. But one remains:

{noformat}
There was 1 failure:
1) testHackedJarReplacedClass(org.apache.derbyTesting.functionTests.tests.lang.DatabaseClassLoadingTest)junit.framework.AssertionFailedError: procedure call worked on hacked jar
    at org.apache.derbyTesting.functionTests.tests.lang.DatabaseClassLoadingTest.testHackedJarReplacedClass(DatabaseClassLoadingTest.java:585)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:76)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:51)
    at org.apache.derbyTesting.junit.BaseTestCase.runBare(BaseTestCase.java:124)
    at org.apache.derbyTesting.junit.BaseJDBCTestCase.runBareOverridable(BaseJDBCTestCase.java:443)
    at org.apache.derbyTesting.junit.BaseJDBCTestCase.runBare(BaseJDBCTestCase.java:460)
    at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
    at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
    at junit.extensions.TestSetup.run(TestSetup.java:25)
    at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
    at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
    at junit.extensions.TestSetup.run(TestSetup.java:25)
    at org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:60)

FAILURES!!!
Tests run: 31,  Failures: 1,  Errors: 0
{noformat}

This is troubling because it means that Derby no longer detects 
corrupted/hacked jar files. The problem is that Derby is expecting a class 
loading error on the hacked jar file. But JDK 18 doesn't raise that error. 
Maybe that is because the jar file was signed with SHA1 and JDK 18 doesn't 
consider the jar to be signed at all.

The following program shows that the corrupted jar file raises class loading 
errors under Java 11 but not under JDK 18 (see the attached DERBY_7126_A 
program):

{noformat}
import java.io.File;
import java.net.URL;
import java.net.URLClassLoader;

public class DERBY_7126_A
{
    private static final String CLASS_NAME = "org.apache.derbyTesting.databaseclassloader.emc";

    public static void main(String... args) throws Exception
    {
        // args[0] is the path to the jar file to load the class from
        String fileName = args[0];
        URL fileURL = (new File(fileName)).toURI().toURL();

        println(fileURL.toString());

        println("Try to load a class from a corrupted jar file...");
        // A class whose bytes no longer match the signed digest is expected to raise SecurityException
        try (URLClassLoader urlClassLoader = new URLClassLoader(new URL[] { fileURL }))
        {
            Class<?> sampleClass = urlClassLoader.loadClass(CLASS_NAME);
            println("Oops, unexpectedly loaded class " + sampleClass.getName());
        } catch (SecurityException se)
        {
            println("Class correctly failed to load: " + se.toString());
        }
    }

    private static void println(String text) { System.out.println(text); }
}
{noformat}

When I run this program thusly...

{noformat}
java DERBY_7126_A /Users/rhillegas/derby/mainline/trunk/java/org.apache.derby.tests/org/apache/derbyTesting/functionTests/tests/lang/dcl_emc2sm.jar
{noformat}

...I get the following output under Java 11...

{noformat}
Try to load a class from a corrupted jar file...
Class correctly failed to load: java.lang.SecurityException: SHA1 digest error for org/apache/derbyTesting/databaseclassloader/emc.class
{noformat}

...and the following output under Java 18:

{noformat}
Try to load a class from a corrupted jar file...
Oops, unexpectedly loaded class org.apache.derbyTesting.databaseclassloader.emc
{noformat}

I am confused about how to proceed:

1) I don't see any instructions for regenerating the hacked jar file so that 
the test will do what it used to do.

2) I have misgivings about the JDK 18 behavior. I think that it would be better 
for the JDK to raise an error when it encounters a jar file which was signed 
with an SHA1 cryptographic hash. Silently accepting a badly signed file 
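
One way for a caller to fail closed instead of depending on the JDK to raise a SecurityException, for the case the comment above suspects (a jar the running JDK does not consider signed at all). This is an added example, not Derby's code or the attached program; the class `RequireSignedJar` and method `unsignedEntries` are hypothetical names, and the sample jar is constructed.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.jar.*;

// Hypothetical helper: accept a jar only if every entry carries a code signer
public class RequireSignedJar {
    // Returns the entries the running JDK does not treat as signed.
    // A tampered entry in a jar the JDK does verify throws SecurityException instead.
    static List<String> unsignedEntries(Path jar) throws Exception {
        List<String> unsigned = new ArrayList<>();
        try (JarFile jf = new JarFile(jar.toFile(), true)) { // true = verify signatures
            for (JarEntry e : Collections.list(jf.entries())) {
                // Simplification: skip all of META-INF/ (manifest and signature files live there)
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    in.readAllBytes(); // signers are only available once the entry is fully read
                }
                if (e.getCodeSigners() == null) unsigned.add(e.getName());
            }
        }
        return unsigned;
    }

    public static void main(String... args) throws Exception {
        Path jar;
        if (args.length > 0) {
            jar = Path.of(args[0]);
        } else {
            // Constructed sample: a jar with one entry and no signature
            jar = Files.createTempFile("unsigned", ".jar");
            try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar))) {
                out.putNextEntry(new JarEntry("sample/Demo.class"));
                out.write(new byte[] { (byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE });
                out.closeEntry();
            }
        }
        try {
            List<String> unsigned = unsignedEntries(jar);
            System.out.println(unsigned.isEmpty()
                ? "ACCEPT: every entry has a signer" : "REJECT: treated as unsigned: " + unsigned);
        } catch (SecurityException se) {
            System.out.println("REJECT: digest mismatch: " + se);
        }
    }
}
```

Pass a jar path as the first argument to check that jar; with no argument the program checks the constructed unsigned jar and takes the "treated as unsigned" branch.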

[jira] [Updated] (DERBY-7126) Make it possible to build and test Derby cleanly with OpenJDK 18

2021-10-27 Thread Richard N. Hillegas (Jira)


 [ 
https://issues.apache.org/jira/browse/DERBY-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Richard N. Hillegas updated DERBY-7126:
---
Attachment: DERBY_7126_A.java
