river-dev mailing list archives

From Peter Firmstone <j...@zeus.net.au>
Subject Re: Jtreg test suite certificates
Date Mon, 06 Feb 2012 07:19:33 GMT
Good news,

It's fixed!  Turns out cloning the existing valid certs was a bad idea, 
the keystore got confused and returned the wrong cert, that's all the 
problem was.  Generating keys and certs is now an automated script too, 
it works (at least on Solaris).

Perhaps in February 2022, when the certs need to be regenerated again, I 
can be as helpful for the next guy as you were for me ;)

N.B. Running the jtreg tests helped me fix a couple of concurrency bugs 
and some corner cases in my new policy provider, so these tests are 
still of high value.  Oh and the jtreg scripts are now Java 6 compatible.

Now all I have to do is go run all the jtreg and qa tests again and see 
if I've broken anything!

Cheers & thanks,

Peter.

bash-3.00$ ant jtreg
Buildfile: build.xml

jtreg:
    [mkdir] Created dir: 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
     [move] Moving 6 files to 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
     [move] Moving 1 file to 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
    [jtreg] Test results: passed: 1
    [jtreg] Report written to 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTreport/html/report.html
    [jtreg] Results written to 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTwork
     [move] Moving 6 files to 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/lib
     [move] Moving 1 file to 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/lib-ext
   [delete] Deleting directory 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
   [delete] Deleting: 
/opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/test.props

BUILD SUCCESSFUL
Total time: 1 minute 25 seconds

bash-3.00$ keystore.sh
+ rm ./keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias clientDSA -dname CN=clientDSA -keyalg DSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias clientRSA1 -dname CN=clientRSA1, C=US 
-keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias clientRSA2 -dname CN=clientRSA2 -keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias serverDSA -dname CN=serverDSA, C=US 
-keyalg DSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias serverRSA -dname CN=serverRSA -keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias noPerm -dname CN=noPerm -keyalg DSA
+ rm ./truststore
+ cp ./keystore ./truststore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias notTrusted -dname CN=notTrusted -keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias clientDSA2 -dname CN=clientDSA2 -keyalg DSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -certreq -alias clientDSA2 -file clientDSA2.request
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 1 -genkey -alias clientDSA2expired -dname CN=clientDSA2 
-keyalg DSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 1 -certreq -alias clientDSA2expired -file 
clientDSA2expired.request
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -genkey -alias serverRSA2 -dname CN=serverRSA2 -keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -certreq -alias serverRSA2 -file serverRSA2.request
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 1 -genkey -alias serverRSA2expired -dname CN=serverRSA2 
-keyalg RSA
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 1 -certreq -alias serverRSA2expired -file 
serverRSA2expired.request
+ set +x
Sign clientDSA2.req, serverRSA2.req, clientDSA2expired.req and 
serverRSA2expired.req, then import them:
expired certificates need one day to expire before testing.
+ ../../../../../certs/run-ca.sh -CA ./ca.properties
+ ../../../../../certs/run-ca.sh -CA ./ca1.properties
+ ../../../../../certs/run-ca.sh -CR ./ca.properties
+ ../../../../../certs/run-ca.sh -CR ./ca1.properties
+ ../../../../../certs/run-ca.sh -CR ./serverRSA2expired.properties
+ ../../../../../certs/run-ca.sh -CR ./clientDSA2expired.properties
+ keytool -keystore ./truststore -storepass keypass -keypass keypass 
-validity 3650 -import -noprompt -alias ca -file ca.cert
Certificate was added to keystore
+ keytool -keystore ./truststore -storepass keypass -keypass keypass 
-validity 3650 -import -noprompt -alias ca1 -file ca1.cert
Certificate was added to keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -import -noprompt -alias ca -file ca.cert
Certificate was added to keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -import -noprompt -alias ca1 -file ca1.cert
Certificate was added to keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -import -noprompt -alias clientDSA2 -file clientDSA2.chain
Certificate reply was installed in keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 1 -import -noprompt -alias clientDSA2expired -file 
clientDSA2expired.chain
Certificate reply was installed in keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 3650 -import -noprompt -alias serverRSA2 -file serverRSA2.chain
Certificate reply was installed in keystore
+ keytool -keystore ./keystore -storepass keypass -keypass keypass 
-validity 1 -import -noprompt -alias serverRSA2expired -file 
serverRSA2expired.chain
Certificate reply was installed in keystore
bash-3.00$

Tim Blackman wrote:
> On Feb 5, 2012, at 12:44 AM, Peter Firmstone wrote:
>
>   
>> Well, here's the bad news; the certificate has expired, but the tests still fail. This is the first time these tests have been run under jdk 1.6, to my knowledge at least.
>>
>> The test expects jeri to throw a ConnectIOException, but it doesn't.
>>
>> The good news is, when the server certificate has expired, an IOException is thrown as expected.  I have to comment out:  "throw new FailedException(" in TestRMI for the expired client test, or FailedException will be thrown before the expired server certificate is tested.
>>
>> This could indicate the ServerAuthManager could have a problem, since the ClientAuthManager is behaving correctly?
>>     
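
The keystore.sh trace above gives clientDSA2 and clientDSA2expired the same subject, CN=clientDSA2, and serverRSA2 and serverRSA2expired the same subject, CN=serverRSA2. As an added example (not part of the original message or the River scripts), the shell function below reads `keytool -list -v` output and lists every subject DN held by more than one alias, so a test keystore can be checked for entries that only the alias tells apart. It assumes keytool's English field labels; the sample listing and the issuer name CN=ca are constructed.

```shell
# Added example (not from the thread). Reads `keytool -list -v` output on
# stdin and prints every subject DN that is held by two or more aliases.
# Only the first "Owner:" after each "Alias name:" is counted, i.e. the
# end-entity certificate, not the CA certificates further up an imported chain.
shared_subjects() {
  awk '
    BEGIN { seen = 1 }
    /^Alias name: / { alias = substr($0, 13); seen = 0; next }
    /^Owner: / && !seen {
      seen = 1; owner = substr($0, 8)
      if (!(owner in n)) order[++k] = owner
      n[owner]++
      list[owner] = list[owner] " " alias
    }
    END {
      for (i = 1; i <= k; i++)
        if (n[order[i]] > 1) print order[i] ":" list[order[i]]
    }
  '
}

# Constructed sample, trimmed to the fields the parser reads. The issuer name
# CN=ca is an assumption; the thread does not show the CA's DN.
sample_listing() {
  cat <<'EOF'
Alias name: clientdsa2
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=clientDSA2
Issuer: CN=ca
Certificate[2]:
Owner: CN=ca
Issuer: CN=ca
Alias name: clientdsa2expired
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=clientDSA2
Issuer: CN=ca
Alias name: ca
Entry type: trustedCertEntry
Owner: CN=ca
Issuer: CN=ca
Alias name: serverrsa
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=serverRSA
Issuer: CN=serverRSA
EOF
}
```

Against the generated store, pipe `keytool -list -v -keystore ./keystore -storepass keypass` into `shared_subjects`; on the sample listing it reports CN=clientDSA2 under both aliases and nothing for CN=ca or CN=serverRSA.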
