Hi Max,
Thanks for your comments, the webrev below addressed all the issues you
mentioned, please check and let me know if there are any problem.
http://cr.openjdk.java.net/~amjiang/8169911/webrev.02/
Thanks,
Amanda
On 11/18/16 11:37 PM, Wang Weijun wrote:
Hi Amanda
- There are many duplicates in signWithAlias() and sign(). I think it's better
to make one based on the other. Maybe signWithAliasAndTsa() and sign().
- checkWeak2() is about combinations of weak/strong algs in a single signer.
I'd rather it be an individual test case, and not as a step in multiple
signers. The name is not meaningful enough. Maybe checkHalfWeak()?
- About multiple signers:
On lines 356 and 364, I suggest using different names for signed jar and
original jar. This makes debugging easier when there is a failure.
IMO it's not worth writing different checkComb() and checkComb2(). As long as the
output contains "weak" we know the weak algorithm is also printed out. What we
need to cover are:
1) it's treated as verified if at least one is strong (you already covered
it)
2) it has only 1 verified signer, this should be shown with both -verbose
and -certs. You can see there is only one certificate shown. Or you can use
JarFile API to open the jar file and check the length of
JarEntry::getCodeSigner().
3) the history shows 2 signers, this can be provide by 2 "Signed by" lines.
I'd suggest checkComb() be renamed to checkMultiple().
Thanks
Max
On Nov 19, 2016, at 8:38 AM, Amanda Jiang <[email protected]> wrote:
HI All,
Please help to review following code change:
webrev: http://cr.openjdk.java.net/~amjiang/8169911/webrev.01/
bug: https://bugs.openjdk.java.net/browse/JDK-8169911
This change enhances test case for JDK-8163304 by covering following cases:
- Multiple signers (signed by jarsigner twice using different aliases)
- Combinations of weak/strong -digestalg, -tsadigestalg and -sigalg
- Signing with DSA keys
Thanks,
Amanda
