[RFC] netx/plugin: do not prompt user multiple times for the same Certificate

Thu Oct 14 14:03:54 PDT 2010

* Omair Majid <omajid at redhat.com> [2010-10-14 16:37]:
> Hi,
> 
> In the current implementation of the plugin, when the user rejects a
> https certificate, the next time the https connection is attempted,
> another certificate warning is shown.
> 
> The attached patch makes it so that if the user does not accept a
> certificate, he is not prompted again for accepting it. The patch
> keeps a list of certificates that the user has not accepted and
> skips the user prompt if it is for one of those certificates.
> 
> Any comments or suggestions?
> 

Looks fine to me. Okay for commit to all active branches.

Cheers,
Deepak

> Cheers,
> Omair

> diff -r 519a6f970eba netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
> --- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java	Thu Oct 14 15:59:52 2010 -0400
> +++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java	Thu Oct 14 16:23:50 2010 -0400
> @@ -66,7 +66,8 @@
>      X509TrustManager userTrustManager = null;
>      X509TrustManager caTrustManager = null;
>  
> -    ArrayList<Certificate> temporarilyTrusted = new ArrayList();
> +    ArrayList<Certificate> temporarilyTrusted = new ArrayList<Certificate>();
> +    ArrayList<Certificate> temporarilyUntrusted = new ArrayList<Certificate>();
>  
>      static VariableX509TrustManager instance = null;
>  
> @@ -192,11 +193,14 @@
>              if (checkOnly) {
>                  throw ce;
>              } else {
> +                if (!isTemporarilyUntrusted(chain[0])) {
> +                    boolean b = askUser(chain, authType, trusted, CNMatched, hostName);
>  
> -                boolean b = askUser(chain, authType, trusted, CNMatched, hostName);
> -
> -                if (b) {
> -                    temporarilyTrust(chain[0]);
> +                    if (b) {
> +                        temporarilyTrust(chain[0]);
> +                    } else {
> +                        temporarilyUntrust(chain[0]);
> +                    }
>                  }
>  
>                  checkAllManagers(chain, authType);
> @@ -247,6 +251,30 @@
>      }
>  
>      /**
> +     * Temporarily untrust the given cert - do not ask the user to trust this
> +     * certificate again
> +     *
> +     * @param c The certificate to trust
> +     */
> +    private void temporarilyUntrust(Certificate c) {
> +        temporarilyUntrusted.add(c);
> +    }
> +
> +    /**
> +     * Was this certificate explicitly untrusted by user?
> +     *
> +     * @param c the certificate
> +     * @return true if the user was presented with this certificate and chose
> +     * not to trust it
> +     */
> +    private boolean isTemporarilyUntrusted(Certificate c) {
> +        if (temporarilyUntrusted.contains(c)) {
> +            return true;
> +        }
> +        return false;
> +    }
> +
> +    /**
>       * Temporarily trust the given cert (runtime)
>       *
>       * @param c The certificate to trust