# HG changeset patch
# User weijun
# Date 1555208576 -28800
# Node ID ac56154f0b9e25487d596e10859c0f2558136051
# Parent 96d290a7e94fb8793baf5432c21c3c934041dbc9
8222275: sun/security/tools/keytool/Serial64.java: assertTrue: expected true, was false
Reviewed-by: xuelei
diff -r 96d290a7e94f -r ac56154f0b9e test/jdk/sun/security/tools/keytool/Serial64.java
--- a/test/jdk/sun/security/tools/keytool/Serial64.java Fri Apr 12 14:13:31 2019 -0700
+++ b/test/jdk/sun/security/tools/keytool/Serial64.java Sun Apr 14 10:22:56 2019 +0800
@@ -23,15 +23,13 @@
 /*
 * @test
- * @bug 8221257
+ * @bug 8221257 8222275
 * @summary Improve serial number generation mechanism for keytool -gencert
 * @library /test/lib
 * @key randomness
 */
-import jdk.test.lib.Asserts;
 import jdk.test.lib.SecurityTools;
-import jdk.test.lib.process.OutputAnalyzer;
 import java.io.File;
 import java.io.FileInputStream;
@@ -39,57 +37,59 @@
 import java.security.KeyStore;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.List;
 public class Serial64 {
- static List numbers = new ArrayList<>();
-
 public static void main(String[] args) throws Exception {
- // 10 Self-signed certs and issued certs
- genkeypair("ca");
- genkeypair("user");
- for (int i = 0; i < 8; i++) {
- gencert("ca", "user");
+ boolean see64 = false;
+
+ see64 |= see64(genkeypair("ca"));
+ see64 |= see64(genkeypair("user"));
+
+ keytool("-certreq -alias user -file req");
+
+ for (int i = 3; i <= 30; i++) {
+ see64 |= see64(gencert());
+ if (i >= 10 && see64) {
+ // As long as we have generated >=10 (non-negative) SNs and
+ // at least one is 64 bit it's good to go.
+ return;
+ }
 }
- numbers.forEach(b -> System.out.println(b.toString(16)));
-
- // Must be positive, therefore never zero.
- Asserts.assertTrue(numbers.stream()
- .allMatch(b -> b.signum() == 1));
-
- // At least one should be 64 bit. There is a chance of
- // 2^-10 this would fail.
- Asserts.assertTrue(numbers.stream()
- .anyMatch(b -> b.bitLength() == 64));
+ // None is 64 bit. There is a chance of 2^-30 we reach here.
+ // Or, maybe we do have a bug?
+ throw new RuntimeException("No 64-bit serial number");
 }
- static OutputAnalyzer keytool(String s) throws Exception {
- return SecurityTools.keytool(
- "-storepass changeit -keypass changeit "
- + "-keystore ks -keyalg rsa " + s);
+ static boolean see64(BigInteger sn) {
+ System.out.println(sn.toString(16));
+
+ if (sn.signum() != 1) {
+ throw new RuntimeException("Must be positive");
+ }
+ return sn.bitLength() == 64;
 }
- static void genkeypair(String a) throws Exception {
- keytool("-genkeypair -alias " + a + " -dname CN=" + a)
+ static void keytool(String s) throws Exception {
+ SecurityTools.keytool("-storepass changeit -keypass changeit "
+ + "-keystore ks -keyalg rsa " + s)
 .shouldHaveExitValue(0);
- numbers.add(((X509Certificate)KeyStore.getInstance(
- new File("ks"), "changeit".toCharArray())
- .getCertificate(a)).getSerialNumber());
 }
- static void gencert(String signer, String owner)
- throws Exception {
- keytool("-certreq -alias " + owner + " -file req")
- .shouldHaveExitValue(0);
- keytool("-gencert -alias " + signer + " -infile req -outfile cert")
- .shouldHaveExitValue(0);
+ static BigInteger genkeypair(String a) throws Exception {
+ keytool("-genkeypair -alias " + a + " -dname CN=" + a);
+ return ((X509Certificate)KeyStore.getInstance(
+ new File("ks"), "changeit".toCharArray())
+ .getCertificate(a)).getSerialNumber();
+ }
+
+ static BigInteger gencert() throws Exception {
+ keytool("-gencert -alias ca -infile req -outfile cert");
 try (FileInputStream fis = new FileInputStream("cert")) {
- numbers.add(((X509Certificate)CertificateFactory.getInstance("X.509")
- .generateCertificate(fis)).getSerialNumber());
+ return ((X509Certificate)CertificateFactory.getInstance("X.509")
+ .generateCertificate(fis)).getSerialNumber();
 }
 }
 }
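Review bot: `see64` only checks that each serial is positive and whether its `bitLength()` is 64, so a generator that kept returning the same 64-bit value would pass this test as soon as `i` reaches 10 in `main`. Since the serials now pass through `see64` one by one, a distinctness check fits there: keep a `static Set<BigInteger> seen = new HashSet<>();` and add `if (!seen.add(sn)) throw new RuntimeException("Duplicate serial number");` (this needs `java.util.HashSet` and `java.util.Set` imported). If the serials are meant to be random 64-bit values, as the test name and comments suggest, a collision among at most 30 of them is practically impossible, so a duplicate would indicate a real regression rather than add flakiness. Separately, the loop comment says "non-negative" while `see64` also rejects zero; "positive" would match the check.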