[icedtea-web] RFC: integrate support for multiple KeyStores into the various validators

[Omair Majid]

Hi,

The attached patch makes the various parts of netx that determine  which 
certificates are trusted use the multiple keystores are that are now 
available.

The patch modifies VariableX509TrustManager, HTTPSCertVerfier, and 
JarSigner to use these certificate stores.

The KeyTool class is almost completely unused after this patch. I would 
like to remove it at some point in the future.

ChangeLog:
2010-11-09  Omair Majid  <omajid at redhat.com>

     * netx/net/sourceforge/jnlp/runtime/Boot.java (main): Move trust
     manager initialization code into JNLPRuntime.initialize.
     * plugin/icedteanp/java/sun/applet/PluginMain.java
     (init): Likewise.
     * netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java (initialize):
     Set the default SSL TrustManager here.
     * netx/net/sourceforge/jnlp/security/CertWarningPane.java
     (CheckBoxListener.actionPerformed): Add this certificate into
     user's trusted certificate store.
     * netx/net/sourceforge/jnlp/tools/KeyTool.java
     (addToKeyStore(File,KeyStore)): Move to CertificateUtils.
     (addToKeyStore(X509Certificate,KeyStore)): Likewise.
     (dumpCert): Likewise.
     * netx/net/sourceforge/jnlp/security/CertificateUtils.java: New
     class.
     (addToKeyStore(File,KeyStore)): Moved from KeyTool.
     (addToKeyStore(X509Certificate,KeyStore)): Likewise.
     (dumpCert): Likewise.
     (inKeyStores): New method.
     * netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java
     (getRootInCacerts): Check all available CA store to check if
     root is in CA certificates.
     * netx/net/sourceforge/jnlp/security/KeyStores.java
     (getClientKeyStores): New method.
     * netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
     (VariableX509TrustManager): Initialize multiple CA, certificate and
     client trust managers.
     (checkClientTrusted): Check all the client TrustManagers if
     certificate is trusted.
     (checkAllManagers): Check multiple CA certificates and trusted
     certificates to determine if the certificate chain can be trusted.
     (isExplicitlyTrusted): Check with multiple TrustManagers.
     (getAcceptedIssuers): Gather results from multiple TrustManagers.
     * netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java
     (ImportButtonListener): Use CertificateUtils instead of KeyTool.
     * netx/net/sourceforge/jnlp/tools/JarSigner.java
     (checkTrustedCerts): Use multiple key stores to check if certificate
     is directly trusted and if the root is trusted.

Any thoughts or comments?

Cheers,
Omair
-------------- next part --------------
A non-text attachment was scrubbed...
Name: icedtea-web-variablex509trustmanager-mutilple-keystores-02.patch
Type: text/x-patch
Size: 31711 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20101110/c3401d93/icedtea-web-variablex509trustmanager-mutilple-keystores-02.patch