Posted to dev@river.apache.org by Peter Firmstone <ji...@zeus.net.au> on 2012/02/06 08:19:33 UTC

Re: Jtreg test suite certificates

Good news,

It's fixed!  Turns out cloning the existing valid certs was a bad idea, 
the keystore got confused and returned the wrong cert, that's all the 
problem was.  Generating keys and certs is now an automated script too, 
it works (at least on Solaris).

Perhaps in February 2022, when the certs need to be regenerated again, I 
can be as helpful for the next guy as you were for me ;)

N.B. Running the jtreg tests helped me fix a couple of concurrency bugs 
and some corner cases in my new policy provider, so these tests are 
still of high value.  Oh and the jtreg scripts are now Java 6 compatible.

Now all I have to do is go run all the jtreg and qa tests again and see 
if I've broken anything!

Cheers & thanks,

Peter.

bash-3.00$ ant jtreg
Buildfile: build.xml

jtreg:
    [mkdir] Created dir: 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
     [move] Moving 6 files to 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
     [move] Moving 1 file to 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
    [jtreg] Test results: passed: 1
    [jtreg] Report written to 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTreport/html/report.html
    [jtreg] Results written to 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTwork
     [move] Moving 6 files to 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/lib
     [move] Moving 1 file to 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/lib-ext
   [delete] Deleting directory 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
   [delete] Deleting: 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/test.props

BUILD SUCCESSFUL
Total time: 1 minute 25 seconds

bash-3.00$ keystore.sh
+ rm ./keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias clientDSA -dname CN=clientDSA -keyalg DSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias clientRSA1 -dname CN=clientRSA1, C=US 
-keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias clientRSA2 -dname CN=clientRSA2 -keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias serverDSA -dname CN=serverDSA, C=US 
-keyalg DSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias serverRSA -dname CN=serverRSA -keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias noPerm -dname CN=noPerm -keyalg DSA
+ rm ./truststore
+ cp ./keystore ./truststore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias notTrusted -dname CN=notTrusted -keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias clientDSA2 -dname CN=clientDSA2 -keyalg DSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -certreq -alias clientDSA2 -file clientDSA2.request
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 1 -genkey -alias clientDSA2expired -dname CN=clientDSA2 
-keyalg DSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 1 -certreq -alias clientDSA2expired -file 
clientDSA2expired.request
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias serverRSA2 -dname CN=serverRSA2 -keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -certreq -alias serverRSA2 -file serverRSA2.request
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 1 -genkey -alias serverRSA2expired -dname CN=serverRSA2 
-keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 1 -certreq -alias serverRSA2expired -file 
serverRSA2expired.request
+ set +x
Sign clientDSA2.req, serverRSA2.req, clientDSA2expired.req and 
serverRSA2expired.req, then import them:
expired certificates need one day to expire before testing.
+ ../../../../../certs/run-ca.sh -CA ./ca.properties
+ ../../../../../certs/run-ca.sh -CA ./ca1.properties
+ ../../../../../certs/run-ca.sh -CR ./ca.properties
+ ../../../../../certs/run-ca.sh -CR ./ca1.properties
+ ../../../../../certs/run-ca.sh -CR ./serverRSA2expired.properties
+ ../../../../../certs/run-ca.sh -CR ./clientDSA2expired.properties
+ keytool -keystore ./truststore -storepass keypass -keypass keypass 
-validity 3650 -import -noprompt -alias ca -file ca.cert
Certificate was added to keystore
+ keytool -keystore ./truststore -storepass keypass -keypass keypass 
-validity 3650 -import -noprompt -alias ca1 -file ca1.cert
Certificate was added to keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -import -noprompt -alias ca -file ca.cert
Certificate was added to keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -import -noprompt -alias ca1 -file ca1.cert
Certificate was added to keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -import -noprompt -alias clientDSA2 -file clientDSA2.chain
Certificate reply was installed in keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 1 -import -noprompt -alias clientDSA2expired -file 
clientDSA2expired.chain
Certificate reply was installed in keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -import -noprompt -alias serverRSA2 -file serverRSA2.chain
Certificate reply was installed in keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 1 -import -noprompt -alias serverRSA2expired -file 
serverRSA2expired.chain
Certificate reply was installed in keystore
bash-3.00$

Tim Blackman wrote:
> On Feb 5, 2012, at 12:44 AM, Peter Firmstone wrote:
>
>   
>> Well, here's the bad news; the certificate has expired, but the tests still fail.  This is the first time these tests have been run under jdk 1.6, to my knowledge at least.
>>
>> The test expects jeri to throw a ConnectIOException, but it doesn't.
>>
>> The good news is, when the server certificate has expired, an IOException is thrown as expected.  I have to comment out:  "throw new FailedException(" in TestRMI for the expired client test, or FailedException will be thrown before the expired server certificate is tested.
>>
>> This could indicate the ServerAuthManager could have a problem, since the ClientAuthManager is behaving correctly?
>>     
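
An added example (not part of the original post or of the River scripts): a check over `keytool -list -v` output for the two pitfalls described above, namely entries that share one certificate, as a cloned entry does, and `*expired` aliases whose one-day validity has not yet run out. The listing is a constructed sample; the `serverrsa2copy` alias and all fingerprints are made up, and time zones are ignored when comparing dates.

```shell
#!/bin/sh
# Added example. Reads `keytool -list -v` text on stdin and reports:
#   SHARED-CERT <aliases>            entries whose own certificate has the same SHA1
#   NOT-YET-EXPIRED <alias> <until>  "*expired" aliases that are still valid at NOW
# NOW is YYYYMMDDhhmmss (default: current local time). Time zones are ignored,
# so results within a few hours of the boundary are approximate.
# Real use: keytool -list -v -keystore ./keystore -storepass keypass | audit_listing
audit_listing() {
    # The leading "t" forces a plain string comparison in every awk variant.
    awk -v now="t${1:-$(date +%Y%m%d%H%M%S)}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
    }
    # New entry: remember the alias and re-arm the per-entry captures.
    /^Alias name: / {
        alias = substr($0, 13); got_valid = 0; got_fp = 0
        aliases[++na] = alias
        next
    }
    # Only the first "Valid from" after an alias belongs to the entry itself;
    # later ones are the CA certificates further up the chain.
    /^Valid from: / && alias != "" && !got_valid {
        got_valid = 1
        n = split($0, f, " ")          # ... until: Tue Feb 07 08:19:33 EST 2012
        t = f[n-2]; gsub(":", "", t)
        not_after[alias] = f[n] mon[f[n-4]] sprintf("%02d", f[n-3]) t
        next
    }
    # Likewise only the first SHA1 fingerprint per entry is recorded.
    /SHA1: / && alias != "" && !got_fp {
        got_fp = 1
        fp = $NF
        if (!(fp in count)) fps[++nfp] = fp
        count[fp]++
        owners[fp] = (count[fp] > 1) ? owners[fp] " " alias : alias
    }
    END {
        for (i = 1; i <= nfp; i++)
            if (count[fps[i]] > 1) print "SHARED-CERT " owners[fps[i]]
        for (i = 1; i <= na; i++) {
            a = aliases[i]
            if (a ~ /expired$/ && ("t" not_after[a]) > now)
                print "NOT-YET-EXPIRED " a " " not_after[a]
        }
    }'
}

# Constructed sample in the layout of `keytool -list -v` (values are made up).
sample_listing() {
    cat <<'EOF'
Alias name: clientdsa2
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=clientDSA2
Valid from: Mon Feb 06 08:19:33 EST 2012 until: Thu Feb 03 08:19:33 EST 2022
     SHA1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01
Certificate[2]:
Owner: CN=ca
Valid from: Mon Feb 06 08:19:33 EST 2012 until: Thu Feb 03 08:19:33 EST 2022
     SHA1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:CA

Alias name: clientdsa2expired
Entry type: PrivateKeyEntry
Owner: CN=clientDSA2
Valid from: Mon Feb 06 08:19:33 EST 2012 until: Tue Feb 07 08:19:33 EST 2012
     SHA1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02

Alias name: serverrsa2
Entry type: PrivateKeyEntry
Owner: CN=serverRSA2
Valid from: Mon Feb 06 08:19:33 EST 2012 until: Thu Feb 03 08:19:33 EST 2022
     SHA1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:03

Alias name: serverrsa2copy
Entry type: PrivateKeyEntry
Owner: CN=serverRSA2
Valid from: Mon Feb 06 08:19:33 EST 2012 until: Thu Feb 03 08:19:33 EST 2022
     SHA1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:03

Alias name: ca
Entry type: trustedCertEntry
Owner: CN=ca
Valid from: Mon Feb 06 08:19:33 EST 2012 until: Thu Feb 03 08:19:33 EST 2022
     SHA1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:CA
EOF
}

# Demo: audit the sample as of noon on the day the certificates were generated.
sample_listing | audit_listing 20120206120000
```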

Re: Jtreg test suite certificates

Posted by Peter Firmstone <ji...@zeus.net.au>.
You're welcome, thanks for kudos.

Cheers,

Peter.

Tom Hobbs wrote:
> Well done, Peter.  You're a serious work horse on River and we're
> grateful for what you're getting done.
>
> Cheers.
>
> On Mon, Feb 6, 2012 at 7:23 AM, Peter Firmstone <ji...@zeus.net.au> wrote:
>   
>> Peter Firmstone wrote:
>>     
>>> Good news,
>>>
>>> It's fixed!  Turns out cloning the existing valid certs was a bad idea,
>>> the keystore got confused and returned the wrong cert, that's all the
>>> problem was.  Generating keys and certs is now an automated script too, it
>>> works (at least on Solaris).
>>>
>>> Perhaps in February 2022, when the certs need to be regenerated again, I
>>> can be as helpful for the next guy as you were for me ;)
>>>
>>> N.B. Running the jtreg tests helped me fix a couple of concurrency bugs
>>> and some corner cases in my new policy provider,
>>>       
>> Just to clarify the concurrency bugs weren't in the policy provider, only
>> the corner cases, which dealt with policy delegation and something else I
>> can't remember right now.
>>
>>
>>     
>>> so these tests are still of high value.  Oh and the jtreg scripts are now
>>> Java 6 compatible.
>>>
>>> Now all I have to do is go run all the jtreg and qa tests again and see if
>>> I've broken anything!
>>>
>>> Cheers & thanks,
>>>
>>> Peter.
>
>   


Re: Jtreg test suite certificates

Posted by Tom Hobbs <tv...@googlemail.com>.
Well done, Peter.  You're a serious work horse on River and we're
grateful for what you're getting done.

Cheers.

On Mon, Feb 6, 2012 at 7:23 AM, Peter Firmstone <ji...@zeus.net.au> wrote:
> Peter Firmstone wrote:
>>
>> Good news,
>>
>> It's fixed!  Turns out cloning the existing valid certs was a bad idea,
>> the keystore got confused and returned the wrong cert, that's all the
>> problem was.  Generating keys and certs is now an automated script too, it
>> works (at least on Solaris).
>>
>> Perhaps in February 2022, when the certs need to be regenerated again, I
>> can be as helpful for the next guy as you were for me ;)
>>
>> N.B. Running the jtreg tests helped me fix a couple of concurrency bugs
>> and some corner cases in my new policy provider,
>
>
> Just to clarify the concurrency bugs weren't in the policy provider, only
> the corner cases, which dealt with policy delegation and something else I
> can't remember right now.
>
>
>> so these tests are still of high value.  Oh and the jtreg scripts are now
>> Java 6 compatible.
>>
>> Now all I have to do is go run all the jtreg and qa tests again and see if
>> I've broken anything!
>>
>> Cheers & thanks,
>>
>> Peter.
>

Re: Jtreg test suite certificates

Posted by Peter Firmstone <ji...@zeus.net.au>.
Peter Firmstone wrote:
> Good news,
>
> It's fixed!  Turns out cloning the existing valid certs was a bad 
> idea, the keystore got confused and returned the wrong cert, that's 
> all the problem was.  Generating keys and certs is now an automated 
> script too, it works (at least on Solaris).
>
> Perhaps in February 2022, when the certs need to be regenerated again, 
> I can be as helpful for the next guy as you were for me ;)
>
> N.B. Running the jtreg tests helped me fix a couple of concurrency 
> bugs and some corner cases in my new policy provider,

Just to clarify the concurrency bugs weren't in the policy provider, 
only the corner cases, which dealt with policy delegation and something 
else I can't remember right now.

> so these tests are still of high value.  Oh and the jtreg scripts are 
> now Java 6 compatible.
>
> Now all I have to do is go run all the jtreg and qa tests again and 
> see if I've broken anything!
>
> Cheers & thanks,
>
> Peter.
>


Re: Jtreg test suite certificates

Posted by Tim Blackman <ti...@gmail.com>.
On Feb 6, 2012, at 2:19 AM, Peter Firmstone wrote:

> Good news,
> 
> It's fixed!  Turns out cloning the existing valid certs was a bad idea, the keystore got confused and returned the wrong cert, that's all the problem was.  Generating keys and certs is now an automated script too, it works (at least on Solaris).
> 
> Perhaps in February 2022, when the certs need to be regenerated again, I can be as helpful for the next guy as you were for me ;)

:-)

Glad this all worked out in the end.

- Tim