/hg/icedtea-web: 2 new changesets
dbhole at icedtea.classpath.org
dbhole at icedtea.classpath.org
Tue Aug 9 14:34:42 PDT 2011
changeset 9b7eca03a9ea in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=9b7eca03a9ea
author: Deepak Bhole <dbhole at redhat.com>
date: Tue Aug 09 17:29:45 2011 -0400
PR771: IcedTea-Web certificate verification code does not use the
right API
changeset 27f08d58854f in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=27f08d58854f
author: Deepak Bhole <dbhole at redhat.com>
date: Tue Aug 09 17:34:35 2011 -0400
Merge
diffstat:
ChangeLog | 16 ++++++
NEWS | 3 +
netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java | 4 +
netx/net/sourceforge/jnlp/security/CertificateUtils.java | 39 +++++++++++++--
4 files changed, 57 insertions(+), 5 deletions(-)
diffs (120 lines):
diff -r defa7d0051bf -r 27f08d58854f ChangeLog
--- a/ChangeLog Wed Aug 03 14:11:11 2011 -0400
+++ b/ChangeLog Tue Aug 09 17:34:35 2011 -0400
@@ -1,3 +1,19 @@
+2011-08-09 Deepak Bhole <dbhole at redhat.com>
+
+ PR771: IcedTea-Web certificate verification code does not use the right
+ API
+ * netx/net/sourceforge/jnlp/security/CertificateUtils.java
+ (inKeyStores): Use Certificate.verify to correctly verify a certificate
+ against a public key in the store.
+
+2011-08-09 Saad Mohammad <smohammad at redhat.com>
+
+ PR765: JNLP file with all resource jars marked as 'lazy' fails to validate
+ signature and stops the launch of application
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
+ (initializeResources): Initializes the first jar file if all resources
+ are marked as lazy jars
+
2011-08-03 Saad Mohammad <smohammad at redhat.com>
* netx/net/sourceforge/jnlp/JNLPMatcher.java:
diff -r defa7d0051bf -r 27f08d58854f NEWS
--- a/NEWS Wed Aug 03 14:11:11 2011 -0400
+++ b/NEWS Tue Aug 09 17:34:35 2011 -0400
@@ -12,10 +12,13 @@
* Security updates:
- RH718164, CVE-2011-2513: Home directory path disclosure to untrusted applications
- RH718170, CVE-2011-2514: Java Web Start security warning dialog manipulation
+* NetX
+ - PR765: JNLP file with all resource jars marked as 'lazy' fails to validate signature and stops the launch of application
* Plugin
- PR749: sun.applet.PluginStreamHandler#handleMessage(String) really slow
Common
- PR768: Signed applets/Web Start apps don't work with OpenJDK7 and up
+ - PR771: IcedTea-Web certificate verification code does not use the right API
New in release 1.1 (2011-XX-XX):
* Security updates
diff -r defa7d0051bf -r 27f08d58854f netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Wed Aug 03 14:11:11 2011 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Aug 09 17:34:35 2011 -0400
@@ -428,6 +428,10 @@
jars[i].isCacheable() ? JNLPRuntime.getDefaultUpdatePolicy() : UpdatePolicy.FORCE
);
}
+
+ //If there are no eager jars, initialize the first jar
+ if(initialJars.size() == 0)
+ initialJars.add(jars[0]);
if (strict)
fillInPartJars(initialJars); // add in each initial part's lazy jars
diff -r defa7d0051bf -r 27f08d58854f netx/net/sourceforge/jnlp/security/CertificateUtils.java
--- a/netx/net/sourceforge/jnlp/security/CertificateUtils.java Wed Aug 03 14:11:11 2011 -0400
+++ b/netx/net/sourceforge/jnlp/security/CertificateUtils.java Tue Aug 09 17:34:35 2011 -0400
@@ -43,16 +43,20 @@
import java.io.IOException;
import java.io.PrintStream;
import java.math.BigInteger;
+import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
+import java.util.Enumeration;
import java.util.Random;
import net.sourceforge.jnlp.runtime.JNLPRuntime;
-
import sun.misc.BASE64Encoder;
import sun.security.provider.X509Factory;
@@ -122,11 +126,36 @@
public static final boolean inKeyStores(X509Certificate c, KeyStore[] keyStores) {
for (int i = 0; i < keyStores.length; i++) {
try {
- if (keyStores[i].getCertificateAlias(c) != null) {
- if (JNLPRuntime.isDebug()) {
- System.out.println(c.getSubjectX500Principal().getName() + " found in cacerts");
+ // Check against all certs
+ Enumeration<String> aliases = keyStores[i].aliases();
+ while (aliases.hasMoreElements()) {
+ String alias = aliases.nextElement();
+ try {
+ // Verify against this entry
+ c.verify(keyStores[i].getCertificate(alias).getPublicKey());
+
+ if (JNLPRuntime.isDebug()) {
+ System.out.println(c.getSubjectX500Principal().getName() + " found in cacerts");
+ }
+
+ // If we got here, it means verification succeeded. Return true.
+ return true;
+ } catch (NoSuchAlgorithmException nsae) {
+ // Unsupported signature algorithm
+ // Consider non-match and keep going
+ } catch (InvalidKeyException ike) {
+ // Incorrect/corrupt key
+ // Consider non-match and keep going
+ } catch (NoSuchProviderException nspe) {
+ // No default provider
+ // Consider non-match and keep going
+ } catch (SignatureException se) {
+ // Signature error
+ // Consider non-match and keep going
+ } catch (CertificateException ce) {
+ // Encoding error
+ // Consider non-match and keep going
}
- return true;
}
} catch (KeyStoreException e) {
e.printStackTrace();
More information about the distro-pkg-dev
mailing list