George Harley wrote: <snip> > The post I want to refer to does not seem to be in the > mailing list archive (!!??!)
I don't remember you saying that (and I would have remembered such an eloquent and considered post ;-) ) I still have mail that far back in my reader, and it looks like I didn't get it either. Maybe it never hit the list. p.s. +1 to the comment BTW Regards, Tim > so let me copy the relevant text in-line > here as I believe that what it says is important : > > --- snip from dev-list append of 1st Feb 2006 by > [EMAIL PROTECTED] --- > > Just to clarify your clarification of the question of current Harmony > behaviour ... > > (A) With the current Harmony build it looks like there is *no attempt* > to verify the signature of a signed jar file that has been placed on the > bootclasspath. I know this because I took a signed BC provider jar (as > downloaded from http://www.bouncycastle.org), deliberately tampered with > the .SF file in the META-INF folder by removing a few lines, then added > the modified jar to the bootclasspath of a simple program that listed > the algorithms supported by the BC provider. Everything worked fine. > > (B) With the current Harmony build it looks like an attempt is made at > verifying the signature of a signed jar in the jre/lib/ext directory. > The attempt fails because it involves trying to use functionality > exported by the jar currently being verified and so opens up a whole > problem with cycles. > To my mind, (B) is a definite bug that would be fixed by having a > default Harmony provider. The result of my little bit of playing with > (A) just reinforces the argument that relying on the bootclasspath to > load your third party providers is not er ... secure. > > > --- end of snip from dev-list append of 1st Feb 2006 by > [EMAIL PROTECTED] --- > > > Best regards, > George > IBM UK > > > Geir Magnusson Jr wrote: >> >> >> Tim Ellison wrote: >>> Arghhh! >>> >>> make it stop >>> >>>> From below: >>> -Xbootclasspath/a:${build.path}/tests${path.separator}${env.CLASSPATH} >>> >>> >>> putting the CLASSPATH onto the bootclasspath. What are you smokin' ?! >> >> That was the patch :) >> >> All that really is supposed to do is get junit and bcprov there. I'll >> move. >> >> geir >> >>> >>> >>> [ I know you are fixing this stuff, but I needed to vent ] >>> >>> >>> -------- Original Message -------- >>> Subject: svn commit: r376144 - >>> /incubator/harmony/enhanced/classlib/trunk/modules/security2/make/build.xml >>> >>> Date: Thu, 09 Feb 2006 01:44:21 -0000 >>> From: [EMAIL PROTECTED] >>> Reply-To: harmony-dev@incubator.apache.org >>> To: [EMAIL PROTECTED] >>> >>> Author: geirm >>> Date: Wed Feb 8 17:44:19 2006 >>> New Revision: 376144 >>> >>> URL: http://svn.apache.org/viewcvs?rev=376144&view=rev >>> Log: >>> put the bootclasspath stuff back for classlib tests >>> because as I'm renaming some tests, it appears that >>> when things reordered, tests broke. On a lark, I put >>> it back, and things work. Scary. >>> >>> Will investigate further, but wanted to fix so tests run >>> >>> Also, changed one of the exclusion lists due to renaming. >>> >>> >>> Modified: >>> >>> incubator/harmony/enhanced/classlib/trunk/modules/security2/make/build.xml >>> >>> >>> Modified: >>> incubator/harmony/enhanced/classlib/trunk/modules/security2/make/build.xml >>> >>> URL: >>> http://svn.apache.org/viewcvs/incubator/harmony/enhanced/classlib/trunk/modules/security2/make/build.xml?rev=376144&r1=376143&r2=376144&view=diff >>> >>> ============================================================================== >>> >>> --- >>> incubator/harmony/enhanced/classlib/trunk/modules/security2/make/build.xml >>> >>> (original) >>> +++ >>> incubator/harmony/enhanced/classlib/trunk/modules/security2/make/build.xml >>> >>> Wed Feb 8 17:44:19 2006 >>> @@ -499,6 +499,8 @@ >>> <env key="JAVA_HOME" value="${vm.home}"/> >>> >>> <!-- to pick up junit.jar and bouncycastle.jar --> >>> + <jvmarg >>> value="-Xbootclasspath/p:${build.jars.path}/crypto.jar${path.separator}${build.jars.path}/x_net.jar"/> >>> >>> + >>> <jvmarg >>> value="-Xbootclasspath/a:${build.path}/tests${path.separator}${env.CLASSPATH}"/> >>> >>> >>> <jvmarg >>> value="-Djava.security.properties==${build.lib.path}/security/java.security"/> >>> >>> @@ -518,7 +520,7 @@ >>> <exclude >>> name="org/apache/harmony/security/test/**"/> >>> <!-- Harmony exclude list --> >>> - <exclude >>> name="java/security/AlgorithmParameterGeneratorTest1.java"/> >>> + <exclude >>> name="java/security/AlgorithmParameterGenerator1Test.java"/> >>> <exclude name="java/security/KSBuilderTest.java"/> >>> <exclude >>> name="java/security/KeyPairGeneratorTest1.java"/> >>> <exclude >>> name="java/security/KeyPairGeneratorTest3.java"/> >>> >>> >>> >>> >> > > -- Tim Ellison ([EMAIL PROTECTED]) IBM Java technology centre, UK.
