[icedtea-web] RFC: PR771: IcedTea-Web certificate verification code does not use the right API
Deepak Bhole
dbhole at redhat.com
Tue Aug 9 14:18:36 PDT 2011
Hi,
Attached patch fixes an issue Danesh found whereby certificates using
a different signature algorithm than the certificate in the store are
marked untrusted even when they shouldn't be.
Okay for HEAD?
ChangeLog:
2011-08-09 Deepak Bhole <dbhole at redhat.com>
PR771: IcedTea-Web certificate verification code does not use the right
API
* netx/net/sourceforge/jnlp/security/CertificateUtils.java
(inKeyStores): Use Certificate.verify to correctly verify a certificate
against a public key in the store.
Cheers,
Deepak
-------------- next part --------------
diff -r defa7d0051bf NEWS
--- a/NEWS Wed Aug 03 14:11:11 2011 -0400
+++ b/NEWS Tue Aug 09 17:15:30 2011 -0400
@@ -16,6 +16,7 @@
- PR749: sun.applet.PluginStreamHandler#handleMessage(String) really slow
Common
- PR768: Signed applets/Web Start apps don't work with OpenJDK7 and up
+ - PR771: IcedTea-Web certificate verification code does not use the right API
New in release 1.1 (2011-XX-XX):
* Security updates
diff -r defa7d0051bf netx/net/sourceforge/jnlp/security/CertificateUtils.java
--- a/netx/net/sourceforge/jnlp/security/CertificateUtils.java Wed Aug 03 14:11:11 2011 -0400
+++ b/netx/net/sourceforge/jnlp/security/CertificateUtils.java Tue Aug 09 17:15:30 2011 -0400
@@ -43,16 +43,20 @@
import java.io.IOException;
import java.io.PrintStream;
import java.math.BigInteger;
+import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
+import java.util.Enumeration;
import java.util.Random;
import net.sourceforge.jnlp.runtime.JNLPRuntime;
-
import sun.misc.BASE64Encoder;
import sun.security.provider.X509Factory;
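Review bot: The blank line removed between the net.sourceforge.jnlp.runtime.JNLPRuntime import and the sun.misc.BASE64Encoder import is a whitespace change unrelated to PR771. Leave the separator in place so the hunk carries only the new java.security and java.util.Enumeration imports that the fix needs.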
@@ -122,11 +126,36 @@
public static final boolean inKeyStores(X509Certificate c, KeyStore[] keyStores) {
for (int i = 0; i < keyStores.length; i++) {
try {
- if (keyStores[i].getCertificateAlias(c) != null) {
- if (JNLPRuntime.isDebug()) {
- System.out.println(c.getSubjectX500Principal().getName() + " found in cacerts");
+ // Check against all certs
+ Enumeration<String> aliases = keyStores[i].aliases();
+ while (aliases.hasMoreElements()) {
+ String alias = aliases.nextElement();
+ try {
+ // Verify against this entry
+ c.verify(keyStores[i].getCertificate(alias).getPublicKey());
+
+ if (JNLPRuntime.isDebug()) {
+ System.out.println(c.getSubjectX500Principal().getName() + " found in cacerts");
+ }
+
+ // If we got here, it means verification succeeded. Return true.
+ return true;
+ } catch (NoSuchAlgorithmException nsae) {
+ // Unsupported signature algorithm
+ // Consider non-match and keep going
+ } catch (InvalidKeyException ike) {
+ // Incorrect/corrupt key
+ // Consider non-match and keep going
+ } catch (NoSuchProviderException nspe) {
+ // No default provider
+ // Consider non-match and keep going
+ } catch (SignatureException se) {
+ // Signature error
+ // Consider non-match and keep going
+ } catch (CertificateException ce) {
+ // Encoding error
+ // Consider non-match and keep going
}
- return true;
}
} catch (KeyStoreException e) {
e.printStackTrace();
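Review bot: In the new while loop, keyStores[i].getCertificate(alias) is dereferenced without a null check. KeyStore.getCertificate returns null when the entry for an alias holds no certificate, so .getPublicKey() would throw a NullPointerException that none of the catch blocks handle. Fetch the certificate into a local, skip the alias when it is null, and only then call c.verify on its public key. Separately, the method now returns true for any certificate whose signature verifies under a key in the store, not only for a certificate that is itself in the store, so the debug message "found in cacerts" and the name inKeyStores no longer describe the check. Reword the message, add a comment above the loop stating the new meaning, and consider logging the swallowed exceptions under JNLPRuntime.isDebug(), since the five catch blocks are otherwise silent.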