jdk-sandbox: comparison jdk/test/sun/security/tools/jarsigner/compatibility/README

equal deleted inserted replaced

-:a6288a07bb53
+:79e8a865c5b8
+# Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+##### Summary #####
+This test is used to verify the compatibility on jarsigner cross different JDK
+releases. It also can be used to check jar signing (w/ and w/o TSA) and verifying
+on some specific key algorithms and digest algorithms.
+##### Output #####
+The test will generate a report, at JTwork/scratch/report.html, to display the
+key parameters for signing and the status of signing and verifying. And it will
+generate another report, at JTwork/scratch/failedReport.html, to collect all of
+failed cases.
+Please note that, the test may output a great deal of logs if the jdk list and
+TSA list are big, and that would lead to jtreg output overflow. So, it redirects
+stdout and stderr to file JTwork/scratch/details.out.
+##### Report Columns #####
+Certificate
+Certificate identifier. The identifier consists of specific attributes of
+the certificate. Generally, the naming convention is:
+KeyAlgorithm_DigestAlgorithm_[KeySize][_Expired]
+Signer JDK
+The JDK version that signs jar.
+Signature Algorithm
+The signature algorithm used by signing.
+TSA Digest
+The timestamp digest algorithm used by signing.
+TSA
+TSA URL index. All of TSA URLs and their indices can be found at the top
+of this report.
+Signing Status
+Signing process result status. The status are the followings:
+[1]NONE, no action.
+[2]NORMAL, no any error and warning.
+[3]WARNING, no any error but some warnings raise.
+[4]ERROR, some errors raise.
+Verifier JDK
+The JDK version that verifies signed jars.
+Verifying Status
+Verifying process result status. The status are the same as those for
+"Status of Signing".
+Delay Verifying Status
+Delay verifying process result status. The status are the same as those
+for "Status of Signing".
+Failed
+It highlights which case fails. The failed cases (rows) are marked with
+letter X.
+##### Usages #####
+jtreg [-options] \
+-jdk:<path/to/testing/JDK>
+[-DproxyHost=<host> \
+-DproxyPort=<port> \
+-DtsaListFile=</url/to/tsaListFile> \
+-DtsaList=</path/to/tsa1#/path/to/tsa2#/path/to/tsa3#...> \
+-DjdkListFile=</path/to/jdkListFile> \
+-DjdkList=</path/to/jdk1#/path/to/jdk2#/path/to/jdk3#...> \
+-DjavaSecurityFile=</path/to/java/security/properties/file> \
+-DdelayVerify=<true|false> \
+-DcertValidity=<[1, 1440]>] \
+<JDK_REPO>/jdk/test/sun/security/tools/jarsigner/compatibility/Compatibility.java
+Besides the common jtreg options, like -jdk, this test introduces a set of
+properties for receiving users' inputs and making the test more flexible. These
+properties are:
+proxyHost=<host>
+This property indicates proxy host.
+proxyPort=<port>
+This property indicates proxy port. The default value is 80.
+tsaListFile=</path/to/tsaListFile>
+This property indicates a local file, which contains a set of TSA URLs and
+the supported digest algorithms (by optional parameter digests). The format
+of the file content looks like the below,
+http://path/to/tsa1
+http://path/to/tsa2;digests=SHA-1,SHA-256
+https://path/to/tsa3
+...
+If a TSA line does not list the supported digest algorithms, that means
+the TSA supports SHA-1, SHA-256 and SHA-512. Because the test only focus
+on SHA-1, SHA-256 and SHA-512. So, if other digest algorithms, like SHA-224
+and SHA-384, are listed, they just be ignored.
+tsaList=</path/to/tsa1#/path/to/tsa2;digests=SHA-1,SHA-256#...>
+This property directly lists a set of TSAs in command. "#" is the delimiter.
+Note that, if both of tsaListFile and tsaList are specified, only property
+jdkListFile is selected. If neither of tsaListFile and tsaList is specified,
+the test will fails immediately.
+jdkListFile=</path/to/jdkListFile>
+This property indicates a local file, which contains a set of local JDK
+paths. The style of the file content looks like the below,
+/path/to/jdk1
+/path/to/jdk2
+/path/to/jdk3
+...
+jdkList=</path/to/jdk1#/path/to/jdk2#/path/to/jdk3#...>
+This property directly lists a set of local JDK paths in command. "#" is
+the delimiter.
+Note that, if both of jdkListFile and jdkList are specified, only property
+jdkListFile is selected. If neither of jdkListFile nor jdkList is specified,
+the testing JDK, which is specified by jtreg option -jdk will be used as
+the only one JDK in the JDK list.
+javaSecurityFile=</path/to/java/security/properties/file>
+This property indicates an alternative java security properties file. The
+default file is the path of file java.scurity that is distributed with
+this test.
+delayVerify=<true|false>
+This property indicates if doing an additional verifying after all of valid
+certificates expire. The default value is false.
+certValidity=<[1, 1440]>
+This property indicates the remaining validity period in minutes for valid
+certificates. The value range is [1, 1440]. The default value is 1440.
+Note that, if delayVerify is false, this property doesn't take effect.
+The testing JDK, which is specified by jtreg option "-jdk", should include the
+fix for JDK-8163304. Otherwise, the signature algorithm and timestamp digest
+algorithm cannot be extracted from verification output. And this JDK should
+support as many as possible signature algorithms. Anyway the latest JDK build
+is always recommended.
+##### Examples #####
+$ cat /path/to/jdkList
+/path/to/jdk6u171-b05
+/path/to/jdk7u161-b05
+/path/to/jdk8u144-b01
+/path/to/jdk9-179
+$ cat /path/to/tsaList
+http://timestamp.comodoca.com/rfc3161
+http://sha256timestamp.ws.symantec.com/sha256/timestamp
+http://tsa.starfieldtech.com
+http://timestamp.entrust.net/TSS/RFC3161sha1TS;digests=SHA-1,SHA-256
+http://timestamp.entrust.net/TSS/RFC3161sha2TS;digests=SHA-1,SHA-256
+http://rfc3161timestamp.globalsign.com/advanced;digests=SHA-256,SHA-512
+http://rfc3161timestamp.globalsign.com/standard
+http://timestamp.globalsign.com/scripts/timstamp.dll
+http://timestamp.globalsign.com/?signature=sha2;digests=SHA-256,SHA-512
+http://timestamp.digicert.com
+http://time.certum.pl
+http://tsa.swisssign.net
+http://zeitstempel.dfn.de
+https://tsp.iaik.tugraz.at/tsp/TspRequest
+$ jtreg -va -nr -timeout:100 \
+-jdk:/path/to/latest/jdk \
+-DproxyHost=<proxy> -DproxyPort=<port> \
+-DjdkListFile=/path/to/jdkList \
+-DtsaListFile=/path/to/tsaList \
+-DdelayVerify=true -DcertValidity=60 \
+<JDK_REPO>/jdk/test/sun/security/tools/jarsigner/compatibility/Compatibility.java
+The above is a comprehensive usage example. File "jdkList" lists the paths of
+testing JDK builds, and file "tsaList" lists the URLs of TSA services. Some TSAs,
+like http://timestamp.entrust.net/TSS/RFC3161sha1TS, specify the supported digest
+algorithms. Other TSAs, which don't specify parameter digests, are regarded to
+support SHA-1, SHA-256 and SHA-512. The test uses a proxy to access TSA services.
+And it enables delay verifying and set the certificate validity period to 60
+minutes. So, after the first verification is done, the test will wait for all
+of valid certificates expire and then does verification again.
+If don't want to provide such JDK list and TSA list files, the test allows to
+specify JDKs and TSAs (via properties jdkList and tsaList respectively) in the
+command directly, like the below style,
+$ jtreg -va -nr -timeout:100 \
+-jdk:/path/to/latest/jdk \
+-DproxyHost=<proxy> -DproxyPort=<port> \
+-DjdkList=/path/to/jdk6u171-b05#/path/to/jdk7u161-b05#/path/to/jdk8u144-b01#/path/to/jdk9-179 \
+-DtsaList=http://timestamp.comodoca.com/rfc3161#http://timestamp.entrust.net/TSS/RFC3161sha1TS;digests=SHA-1,SHA-256 \
+-DdelayVerify=true -DcertValidity=60 \
+<JDK_REPO>/jdk/test/sun/security/tools/jarsigner/compatibility/Compatibility.java
+Furthermore, here introduces one of the simplest usages. It doesn't specify any
+JDK list, so the testing JDK, which is specified by jtreg option "-jdk", will
+be tested. And it doesn't apply delay verifying, and no proxy is used, and use
+only one TSA. Now, the command is pretty simple and looks like the followings,
+$ jtreg -va -nr -timeout:100 \
+-jdk:/path/to/latest/jdk \
+-DtsaList=http://timestamp.comodoca.com/rfc3161 \
+<JDK_REPO>/jdk/test/sun/security/tools/jarsigner/compatibility/Compatibility.java