[icedtea-web 1.0] RFC: backport fix for RH677772: NoSuchAlgorithmException using SSL/TLS in javaws
Deepak Bhole
dbhole at redhat.com
Fri Apr 1 08:04:57 PDT 2011
* Omair Majid <omajid at redhat.com> [2011-04-01 11:00]:
> Hi,
>
> The two attached patches are backports of the fix for RH677772 in
> HEAD. I would like to apply the fix to the 1.0 branch too. Does
> anyone have any issues or concerns?
>
I don't have any issues. Please go ahead and commit.
Cheers,
Deepak
> Cheers,
> Omair
> diff -r 04a9055a491d ChangeLog
> --- a/ChangeLog Tue Mar 29 15:14:13 2011 +0100
> +++ b/ChangeLog Fri Apr 01 10:49:40 2011 -0400
> @@ -1,3 +1,18 @@
> +2011-02-23 Omair Majid <omajid at redhat.com>
> +
> + RH677772: NoSuchAlgorithmException using SSL/TLS in javaws
> + * NEWS: Update with bugfix.
> + * netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java: Add new field
> + jreExtDir.
> + (JNLPPolicy): Initialize jreExtDir.
> + (getPermissions): Grant AllPermissions if the CodeSourse is a system jar.
> + (isSystemJar): New method.
> + * netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
> + (checkPermission): Remove special casing of
> + SecurityPermission("putProviderProperty.SunJCE") and
> + SecurityPermission("accessClassInPackage.sun.security.internal.spec").
> + (inTrustedCallChain): Remove.
> +
> 2010-03-29 Andrew John Hughes <ahughes at redhat.com>
>
> * NEWS: Updated.
> diff -r 04a9055a491d NEWS
> --- a/NEWS Tue Mar 29 15:14:13 2011 +0100
> +++ b/NEWS Fri Apr 01 10:49:40 2011 -0400
> @@ -11,6 +11,7 @@
> New in release 1.0.2 (2011-XX-XX):
> * Common Fixes and Improvements
> - PR638: JNLPClassLoader.loadClass(String name) can return null
> + - RH677772: NoSuchAlgorithmException using SSL/TLS in javaws
> * Plugin
> - PR612: NetDania application ends on java.security.AccessControlException: access denied (java.util.PropertyPermission browser read)
> - Replace binary PDF documentation with editable HTML version.
> diff -r 04a9055a491d netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java Tue Mar 29 15:14:13 2011 +0100
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java Fri Apr 01 10:49:40 2011 -0400
> @@ -16,6 +16,7 @@
>
> package net.sourceforge.jnlp.runtime;
>
> +import java.io.File;
> import java.security.*;
> import java.util.Enumeration;
>
> @@ -40,10 +41,15 @@
> /** the previous policy */
> private static Policy systemPolicy;
>
> + private final String jreExtDir;
> +
> protected JNLPPolicy() {
> shellSource = JNLPPolicy.class.getProtectionDomain().getCodeSource();
> systemSource = Policy.class.getProtectionDomain().getCodeSource();
> systemPolicy = Policy.getPolicy();
> +
> + String jre = System.getProperty("java.home");
> + jreExtDir = jre + File.separator + "lib" + File.separator + "ext";
> }
>
> /**
> @@ -54,6 +60,10 @@
> if (source.equals(systemSource) || source.equals(shellSource))
> return getAllPermissions();
>
> + if (isSystemJar(source)) {
> + return getAllPermissions();
> + }
> +
> // if we check the SecurityDesc here then keep in mind that
> // code can add properties at runtime to the ResourcesDesc!
> if (JNLPRuntime.getApplication() != null) {
> @@ -76,6 +86,23 @@
> return systemPolicy.getPermissions(source);
> }
>
> +
> + /**
> + * Returns true if the CodeSource corresponds to a system jar. That is,
> + * it's part of the JRE.
> + */
> + private boolean isSystemJar(CodeSource source) {
> + // anything in JRE/lib/ext is a system jar and has full permissions
> + String sourceProtocol = source.getLocation().getProtocol();
> + String sourcePath = source.getLocation().getPath();
> + if (sourceProtocol.toUpperCase().equals("FILE") &&
> + sourcePath.startsWith(jreExtDir)) {
> + return true;
> + }
> +
> + return false;
> + }
> +
> /**
> * Refresh.
> */
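Review bot: The `sourcePath.startsWith(jreExtDir)` test in isSystemJar is a raw string prefix match, and passing it leads straight to getAllPermissions(), so it needs to be stricter. jreExtDir carries no trailing separator, so any sibling path that merely begins with the same characters also matches, and the URL path is neither percent-decoded nor canonicalised, so `..` segments and symlinks are compared as written. jreExtDir is also built with File.separator in the constructor hunk (`@@ -40,10 +41,15 @@`) while a URL path always uses `/`, so the match presumably never succeeds on platforms whose separator differs. `sourceProtocol.toUpperCase().equals("FILE")` depends on the default locale, which `equalsIgnoreCase` avoids. I would compare canonical file paths and fail closed when the location cannot be resolved, as sketched below.

```java
private boolean isSystemJar(CodeSource source) {
    // anything in JRE/lib/ext is a system jar and has full permissions
    if (!"file".equalsIgnoreCase(source.getLocation().getProtocol())) {
        return false;
    }
    try {
        // decode the URL and resolve "..", symlinks and redundant separators first
        String jarPath = new File(source.getLocation().toURI()).getCanonicalPath();
        String extDir = new File(jreExtDir).getCanonicalPath() + File.separator;
        return jarPath.startsWith(extDir);
    } catch (Exception e) {
        // URISyntaxException, IllegalArgumentException or IOException:
        // the location cannot be proven to be under lib/ext, so grant nothing extra
        return false;
    }
}
```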
> diff -r 04a9055a491d netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Tue Mar 29 15:14:13 2011 +0100
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Fri Apr 01 10:49:40 2011 -0400
> @@ -311,27 +311,6 @@
> }
> }
> }
> -
> - } else if (perm instanceof SecurityPermission) {
> - tmpPerm = perm;
> -
> - // JCE's initialization requires putProviderProperty permission
> - if (perm.equals(new SecurityPermission("putProviderProperty.SunJCE"))) {
> - if (inTrustedCallChain("com.sun.crypto.provider.SunJCE", "run")) {
> - return;
> - }
> - }
> -
> - } else if (perm instanceof RuntimePermission) {
> - tmpPerm = perm;
> -
> - // KeyGenerator's init method requires internal spec access
> - if (perm.equals(new SecurityPermission("accessClassInPackage.sun.security.internal.spec"))) {
> - if (inTrustedCallChain("javax.crypto.KeyGenerator", "init")) {
> - return;
> - }
> - }
> -
> } else {
> tmpPerm = perm;
> }
> @@ -356,34 +335,6 @@
> }
>
> /**
> - * Returns weather the given class and method are in the current stack,
> - * and whether or not everything upto then is trusted
> - *
> - * @param className The name of the class to look for in the stack
> - * @param methodName The name of the method for the given class to look for in the stack
> - * @return Weather or not class::method() are in the chain, and everything upto there is trusted
> - */
> - private boolean inTrustedCallChain(String className, String methodName) {
> -
> - StackTraceElement[] stack = Thread.currentThread().getStackTrace();
> -
> - for (int i = 0; i < stack.length; i++) {
> -
> - // Everything up to the desired class/method must be trusted
> - if (!stack[i].getClass().getProtectionDomain().implies(new AllPermission())) {
> - return false;
> - }
> -
> - if (stack[i].getClassName().equals(className) &&
> - stack[i].getMethodName().equals(methodName)) {
> - return true;
> - }
> - }
> -
> - return false;
> - }
> -
> - /**
> * Asks the user whether or not to grant permission.
> * @param perm the permission to be granted
> * @return true if the permission was granted, false otherwise.
> diff -r 06017231b935 ChangeLog
> --- a/ChangeLog Fri Apr 01 10:49:54 2011 -0400
> +++ b/ChangeLog Fri Apr 01 10:50:58 2011 -0400
> @@ -1,3 +1,8 @@
> +2011-03-01 Omair Majid <omajid at redhat.com>
> +
> + * netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java (isSystemJar): Check
> + for nulls.
> +
> 2011-02-23 Omair Majid <omajid at redhat.com>
>
> RH677772: NoSuchAlgorithmException using SSL/TLS in javaws
> diff -r 06017231b935 netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java Fri Apr 01 10:49:54 2011 -0400
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java Fri Apr 01 10:50:58 2011 -0400
> @@ -92,6 +92,10 @@
> * it's part of the JRE.
> */
> private boolean isSystemJar(CodeSource source) {
> + if (source == null || source.getLocation() == null) {
> + return false;
> + }
> +
> // anything in JRE/lib/ext is a system jar and has full permissions
> String sourceProtocol = source.getLocation().getProtocol();
> String sourcePath = source.getLocation().getPath();
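Review bot: The `source == null` half of the added guard looks unreachable from the only caller visible in these patches, because getPermissions evaluates `source.equals(systemSource)` before it calls `isSystemJar(source)` and would already throw on a null CodeSource. If a null source can really reach getPermissions, the check belongs at the top of that method; otherwise `source.getLocation() == null` is the part doing the work here. It would also read better to fetch the location once, `URL location = source.getLocation();`, and reuse it for the null test, the protocol and the path instead of calling the getter three times. The rest of isSystemJar lies outside this hunk.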