33 Please note that, the test may output a great deal of logs if the jdk list and |
33 Please note that, the test may output a great deal of logs if the jdk list and |
34 TSA list are big, and that would lead to jtreg output overflow. So, it redirects |
34 TSA list are big, and that would lead to jtreg output overflow. So, it redirects |
35 stdout and stderr to file JTwork/scratch/details.out. |
35 stdout and stderr to file JTwork/scratch/details.out. |
36 |
36 |
37 ##### Report Columns ##### |
37 ##### Report Columns ##### |
|
38 |
|
39 Jarfile |
|
40 The filenames used in the tests |
|
41 |
38 Certificate |
42 Certificate |
39 Certificate identifier. The identifier consists of specific attributes of |
43 Certificate identifier. The identifier consists of specific attributes of |
40 the certificate. Generally, the naming convention is: |
44 the certificate. Generally, the naming convention is: |
41 KeyAlgorithm_DigestAlgorithm_[KeySize][_Expired] |
45 KeyAlgorithm_DigestAlgorithm_[KeySize][_Expired] |
42 |
46 |
43 Signer JDK |
47 Signer JDK |
44 The JDK version that signs jar. |
48 The JDK version that signs jar. |
45 |
49 |
46 Signature Algorithm |
50 Signature Algorithm |
47 The signature algorithm used by signing. |
51 The signature algorithm used to sign the key as in 'keytool -sigalg'. |
48 |
52 |
49 TSA Digest |
53 Note: The values displayed in this column are specified to jarsigner only |
50 The timestamp digest algorithm used by signing. |
54 in case a test does not work with a default value. |
|
55 In any case the specified value or expected default value is compared in |
|
56 verifying phase against jarsigner's output and the test fails if it does |
|
57 not match. |
|
58 |
|
59 Jar Digest Algorithm |
|
60 The digest algorithm used to digest the files contained in the JAR file and |
|
61 the manifest and signature files as in 'jarsigner -digestalg'. |
|
62 See also note above about default values for Signature Algorithm. |
|
63 |
|
64 TSA Digest Algorithm |
|
65 The timestamp digest algorithm used by TSA as in 'jarsigner -tsadigestalg'. |
|
66 Shows no value if no TSA used. |
|
67 See also note above about default values for Signature Algorithm. |
51 |
68 |
52 TSA |
69 TSA |
53 TSA URL index. All of TSA URLs and their indices can be found at the top |
70 TSA URL index. All of TSA URLs and their indices can be found at the top |
54 of this report. |
71 of this report. |
55 |
72 |
78 ##### Usages ##### |
95 ##### Usages ##### |
79 jtreg [-options] \ |
96 jtreg [-options] \ |
80 -jdk:<path/to/testing/JDK> |
97 -jdk:<path/to/testing/JDK> |
81 [-DproxyHost=<host> \ |
98 [-DproxyHost=<host> \ |
82 -DproxyPort=<port> \ |
99 -DproxyPort=<port> \ |
|
100 -Dteeout=filename \ |
83 -DtsaListFile=</url/to/tsaListFile> \ |
101 -DtsaListFile=</url/to/tsaListFile> \ |
84 -DtsaList=</path/to/tsa1#/path/to/tsa2#/path/to/tsa3#...> \ |
102 -DtsaList=</path/to/tsa1#/path/to/tsa2#/path/to/tsa3#...|notsa> \ |
85 -DjdkListFile=</path/to/jdkListFile> \ |
103 -DjdkListFile=</path/to/jdkListFile> \ |
86 -DjdkList=</path/to/jdk1#/path/to/jdk2#/path/to/jdk3#...> \ |
104 -DjdkList=</path/to/jdk1#/path/to/jdk2#/path/to/jdk3#...> \ |
87 -DjavaSecurityFile=</path/to/java/security/properties/file> \ |
105 -DjavaSecurityFile=</path/to/java/security/properties/file> \ |
88 -DdelayVerify=<true|false> \ |
106 -DdelayVerify=<true|false> \ |
89 -DcertValidity=<[1, 1440]>] \ |
107 -DcertValidity=<[1, 1440]>] \ |
90 <JDK_REPO>/jdk/test/sun/security/tools/jarsigner/compatibility/Compatibility.java |
108 <JDK_REPO>/test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java |
91 |
109 |
92 Besides the common jtreg options, like -jdk, this test introduces a set of |
110 Besides the common jtreg options, like -jdk, this test introduces a set of |
93 properties for receiving users' inputs and making the test more flexible. These |
111 properties for receiving users' inputs and making the test more flexible. These |
94 properties are: |
112 properties are (all to specify after -D as system properties): |
|
113 |
95 proxyHost=<host> |
114 proxyHost=<host> |
96 This property indicates proxy host. |
115 This property indicates proxy host. |
97 |
116 |
98 proxyPort=<port> |
117 proxyPort=<port> |
99 This property indicates proxy port. The default value is 80. |
118 This property indicates proxy port. The default value is 80. |
|
119 |
|
120 o=filename |
|
121 Redirects a copy of what is written to stdout into the specified file which |
|
122 allows for observing progress or problems during a longer running test. |
|
123 (Compatibility test replaces System.out to collect the output but even if |
|
124 it didn't jtreg would not print anything until the test would have ended.) |
|
125 Note that relative paths resolve relatively to some temporary working |
|
126 directory created by jtreg. Defaults to JTwork/scratch/details.out. |
|
127 The specified file is not deleted or emptied and the output is appended |
|
128 though jtreg deletes the default file with the whole directory if this |
|
129 option is not specified or the file point into JTwork/scratch. |
|
130 Example (Bash style): tail -F log & jtreg ... -Do=$(pwd)/log ... |
100 |
131 |
101 tsaListFile=</path/to/tsaListFile> |
132 tsaListFile=</path/to/tsaListFile> |
102 This property indicates a local file, which contains a set of TSA URLs and |
133 This property indicates a local file, which contains a set of TSA URLs and |
103 the supported digest algorithms (by optional parameter digests). The format |
134 the supported digest algorithms (by optional parameter digests). The format |
104 of the file content looks like the below, |
135 of the file content looks like the below, |
110 If a TSA line does not list the supported digest algorithms, that means |
141 If a TSA line does not list the supported digest algorithms, that means |
111 the TSA supports SHA-1, SHA-256 and SHA-512. Because the test only focus |
142 the TSA supports SHA-1, SHA-256 and SHA-512. Because the test only focus |
112 on SHA-1, SHA-256 and SHA-512. So, if other digest algorithms, like SHA-224 |
143 on SHA-1, SHA-256 and SHA-512. So, if other digest algorithms, like SHA-224 |
113 and SHA-384, are listed, they just be ignored. |
144 and SHA-384, are listed, they just be ignored. |
114 |
145 |
115 tsaList=</path/to/tsa1#/path/to/tsa2;digests=SHA-1,SHA-256#...> |
146 tsaList=</path/to/tsa1#/path/to/tsa2;digests=SHA-1,SHA-256#...|notsa> |
116 This property directly lists a set of TSAs in command. "#" is the delimiter. |
147 This property directly lists a set of TSAs in command. "#" is the delimiter. |
117 Note that, if both of tsaListFile and tsaList are specified, only property |
148 Note that, if both of tsaListFile and tsaList are specified, only property |
118 jdkListFile is selected. If neither of tsaListFile and tsaList is specified, |
149 tsaListFile is selected. If neither of tsaListFile and tsaList is specified, |
119 the test will fails immediately. |
150 the test fails immediately. |
|
151 If tsaList has a value of "notsa", no tsa is used. |
120 |
152 |
121 jdkListFile=</path/to/jdkListFile> |
153 jdkListFile=</path/to/jdkListFile> |
122 This property indicates a local file, which contains a set of local JDK |
154 This property indicates a local file, which contains a set of local JDK |
123 paths. The style of the file content looks like the below, |
155 paths. The style of the file content looks like the below, |
124 /path/to/jdk1 |
156 /path/to/jdk1 |
127 ... |
159 ... |
128 |
160 |
129 jdkList=</path/to/jdk1#/path/to/jdk2#/path/to/jdk3#...> |
161 jdkList=</path/to/jdk1#/path/to/jdk2#/path/to/jdk3#...> |
130 This property directly lists a set of local JDK paths in command. "#" is |
162 This property directly lists a set of local JDK paths in command. "#" is |
131 the delimiter. |
163 the delimiter. |
|
164 An element "TEST_JDK" as in |
|
165 jdkList=</path/to/jdk1#/path/to/jdk2#TEST_JDK#...> |
|
166 adds the testing JDK, which is specified by jtreg option -jdk, to the jdk |
|
167 list. All signed jars are verified with the current testing JDK, which is |
|
168 specified by jtreg option -jdk, by default in addition to the JDKs given |
|
169 in jdkList but it is not used to also sign jars by default. |
|
170 If neither jdkList nor jdkListFile are specified, the current testing JDK, |
|
171 which is specified by jtreg option -jdk, is used to sign the jars, like: |
|
172 jdkList=TEST_JDK |
132 Note that, if both of jdkListFile and jdkList are specified, only property |
173 Note that, if both of jdkListFile and jdkList are specified, only property |
133 jdkListFile is selected. If neither of jdkListFile nor jdkList is specified, |
174 jdkListFile is selected. If neither of jdkListFile nor jdkList is specified, |
134 the testing JDK, which is specified by jtreg option -jdk will be used as |
175 the testing JDK, which is specified by jtreg option -jdk, will be used as |
135 the only one JDK in the JDK list. |
176 the only one JDK in the JDK list. |
|
177 |
|
178 The testing JDK, which is specified by jtreg option "-jdk", should include |
|
179 the fix for JDK-8163304. Otherwise, the signature algorithm and timestamp |
|
180 digest algorithm cannot be extracted from verification output. And this JDK |
|
181 should support as many as possible signature algorithms. Anyway the latest |
|
182 JDK build is always recommended. |
|
183 |
|
184 testComprehensiveJarContents=<false|true> |
|
185 If false, all tests are executed with only one typical JAR file. Otherwise, |
|
186 if true, a whole bunch of JAR files with several edge case contents are |
|
187 fed through the tests such as empty manifest or manifests with non-default |
|
188 line breaks. Default is false. |
|
189 |
|
190 testJarUpdate=<false|true> |
|
191 If false, all tested JAR files are signed with one JDK and verified with |
|
192 each JDK, same or other. If true, in addition, all JAR files are modified |
|
193 after having been signed, and are then each signed again with each JDK and |
|
194 verified each JDK, same or other. Default is false. |
|
195 |
|
196 strict=<false|true> |
|
197 If true, '-strict' option is specified to jarsigner along with '-verify'. |
|
198 Default is false. |
136 |
199 |
137 javaSecurityFile=</path/to/java/security/properties/file> |
200 javaSecurityFile=</path/to/java/security/properties/file> |
138 This property indicates an alternative java security properties file. The |
201 This property indicates an alternative java security properties file. The |
139 default file is the path of file java.scurity that is distributed with |
202 default file is the path of file java.scurity that is distributed with |
140 this test. |
203 this test. |
141 |
204 |
142 delayVerify=<true|false> |
205 delayVerify=<true|false> |
143 This property indicates if doing an additional verifying after all of valid |
206 This property indicates if doing an additional verifying after all of valid |
144 certificates expire. The default value is false. |
207 certificates expire. The default value is false. |
145 |
208 |
|
209 expired=<false|true> |
|
210 This property indicates whether or not all tests should be repeated with an |
|
211 expired certificate. Refers to the certificate validity period and not to |
|
212 TSA. The default value is true. |
|
213 |
146 certValidity=<[1, 1440]> |
214 certValidity=<[1, 1440]> |
147 This property indicates the remaining validity period in minutes for valid |
215 This property indicates the remaining validity period in minutes for valid |
148 certificates. The value range is [1, 1440]. The default value is 1440. |
216 certificates. The value range is [1, 1440]. The default value is 1440. |
149 Note that, if delayVerify is false, this property doesn't take effect. |
217 Note that, if delayVerify is false, this property doesn't take effect. |
150 |
218 |
151 The testing JDK, which is specified by jtreg option "-jdk", should include the |
219 keyAlgs=RSA;1024;2048;#DSA;1024;2048;#EC;384;521; |
152 fix for JDK-8163304. Otherwise, the signature algorithm and timestamp digest |
220 Specifies key algorithms to use in the test. For each key algorithm the |
153 algorithm cannot be extracted from verification output. And this JDK should |
221 sizes it should be tested with can be specified after semicolons and |
154 support as many as possible signature algorithms. Anyway the latest JDK build |
222 otherwise default values are used. An empty keysize denotes the default |
155 is always recommended. |
223 keysize and invokes keytool without a keysize specified. On JDK 6 and |
|
224 earlier, EC is not supported and always skipped. |
|
225 |
|
226 digestAlgs=SHA-1#SHA-256#SHA-384#SHA-512# |
|
227 Specifies the digest algorithms used for both digesting files contained in |
|
228 the JAR file, manifests and signature files as well as certificates (keys) |
|
229 and for TSA. |
|
230 Ignored with TSA for jarsigner versions that don't support '-tsadigestalg' |
|
231 parameter, for digest algorithms specified not to be supported by a TSA |
|
232 server ('digests' sub-option is given to a tsaList item where digest |
|
233 algorithm is not contained in list), or in cases no TSA is used at all |
|
234 ('tsaList=notsa'). |
|
235 Note that the same set of digest algorithms is used in all three places |
|
236 (signing the key, digesting the JAR, and for the TSA) and cannot be |
|
237 specified individually except that some TSAs may exclude some digest |
|
238 algorithms. |
156 |
239 |
157 ##### Examples ##### |
240 ##### Examples ##### |
158 $ cat /path/to/jdkList |
241 $ cat /path/to/jdkList |
159 /path/to/jdk6u171-b05 |
242 /path/to/jdk6u171-b05 |
160 /path/to/jdk7u161-b05 |
243 /path/to/jdk7u161-b05 |
175 http://time.certum.pl |
258 http://time.certum.pl |
176 http://tsa.swisssign.net |
259 http://tsa.swisssign.net |
177 http://zeitstempel.dfn.de |
260 http://zeitstempel.dfn.de |
178 https://tsp.iaik.tugraz.at/tsp/TspRequest |
261 https://tsp.iaik.tugraz.at/tsp/TspRequest |
179 |
262 |
180 $ jtreg -va -nr -timeout:100 \ |
263 $ jtreg -va -nr \ |
181 -jdk:/path/to/latest/jdk \ |
264 -jdk:/path/to/latest/jdk \ |
182 -DproxyHost=<proxy> -DproxyPort=<port> \ |
265 -DproxyHost=<proxy> -DproxyPort=<port> \ |
183 -DjdkListFile=/path/to/jdkList \ |
266 -DjdkListFile=/path/to/jdkList \ |
184 -DtsaListFile=/path/to/tsaList \ |
267 -DtsaListFile=/path/to/tsaList \ |
185 -DdelayVerify=true -DcertValidity=60 \ |
268 -DdelayVerify=true -DcertValidity=60 \ |
186 <JDK_REPO>/jdk/test/sun/security/tools/jarsigner/compatibility/Compatibility.java |
269 <JDK_REPO>/test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java |
187 |
270 |
188 The above is a comprehensive usage example. File "jdkList" lists the paths of |
271 The above is a comprehensive usage example. File "jdkList" lists the paths of |
189 testing JDK builds, and file "tsaList" lists the URLs of TSA services. Some TSAs, |
272 testing JDK builds, and file "tsaList" lists the URLs of TSA services. Some TSAs, |
190 like http://timestamp.entrust.net/TSS/RFC3161sha1TS, specify the supported digest |
273 like http://timestamp.entrust.net/TSS/RFC3161sha1TS, specify the supported digest |
191 algorithms. Other TSAs, which don't specify parameter digests, are regarded to |
274 algorithms. Other TSAs, which don't specify parameter digests, are regarded to |
195 of valid certificates expire and then does verification again. |
278 of valid certificates expire and then does verification again. |
196 |
279 |
197 If don't want to provide such JDK list and TSA list files, the test allows to |
280 If don't want to provide such JDK list and TSA list files, the test allows to |
198 specify JDKs and TSAs (via properties jdkList and tsaList respectively) in the |
281 specify JDKs and TSAs (via properties jdkList and tsaList respectively) in the |
199 command directly, like the below style, |
282 command directly, like the below style, |
200 $ jtreg -va -nr -timeout:100 \ |
283 $ jtreg -va -nr \ |
201 -jdk:/path/to/latest/jdk \ |
284 -jdk:/path/to/latest/jdk \ |
202 -DproxyHost=<proxy> -DproxyPort=<port> \ |
285 -DproxyHost=<proxy> -DproxyPort=<port> \ |
203 -DjdkList=/path/to/jdk6u171-b05#/path/to/jdk7u161-b05#/path/to/jdk8u144-b01#/path/to/jdk9-179 \ |
286 -DjdkList=/path/to/jdk6u171-b05#/path/to/jdk7u161-b05#/path/to/jdk8u144-b01#/path/to/jdk9-179 \ |
204 -DtsaList=http://timestamp.comodoca.com/rfc3161#http://timestamp.entrust.net/TSS/RFC3161sha1TS;digests=SHA-1,SHA-256 \ |
287 -DtsaList=http://timestamp.comodoca.com/rfc3161#http://timestamp.entrust.net/TSS/RFC3161sha1TS;digests=SHA-1,SHA-256 \ |
205 -DdelayVerify=true -DcertValidity=60 \ |
288 -DdelayVerify=true -DcertValidity=60 \ |
206 <JDK_REPO>/jdk/test/sun/security/tools/jarsigner/compatibility/Compatibility.java |
289 <JDK_REPO>/test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java |
207 |
290 |
208 Furthermore, here introduces one of the simplest usages. It doesn't specify any |
291 Furthermore, here introduces one of the simplest usages. It doesn't specify any |
209 JDK list, so the testing JDK, which is specified by jtreg option "-jdk", will |
292 JDK list, so the testing JDK, which is specified by jtreg option "-jdk", will |
210 be tested. And it doesn't apply delay verifying, and no proxy is used, and use |
293 be tested. And it doesn't apply delay verifying, and no proxy is used, and use |
211 only one TSA. Now, the command is pretty simple and looks like the followings, |
294 only one TSA. Now, the command is pretty simple and looks like the followings, |
212 $ jtreg -va -nr -timeout:100 \ |
295 $ jtreg -va -nr \ |
213 -jdk:/path/to/latest/jdk \ |
296 -jdk:/path/to/latest/jdk \ |
214 -DtsaList=http://timestamp.comodoca.com/rfc3161 \ |
297 -DtsaList=http://timestamp.comodoca.com/rfc3161 \ |
215 <JDK_REPO>/jdk/test/sun/security/tools/jarsigner/compatibility/Compatibility.java |
298 <JDK_REPO>/test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java |
|
299 |
|
300 It also works without a tsaList but not without the tsaList argument present |
|
301 in order to prevent it going missing or ignored unnoticed. May be useful for |
|
302 local tests but not recommended for real regression tests. Together with other |
|
303 arguments, a very short running test could be started for example with: |
|
304 $ jtreg -va -nr \ |
|
305 -jdk:/path/to/latest/jdk \ |
|
306 -DtsaList=notsa "-DkeyAlgs=EC;" -DdigestAlgs=SHA-256 -Dexpired=false |
|
307 <JDK_REPO>/test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java |