[RFC][icedtea-web] PR742: Fix checking multiple levels of JAR certs for trust

Danesh Dadachanji ddadacha at redhat.com
Wed Aug 10 14:18:49 PDT 2011


Here's an update for this bug. It took so long because of the (at the 
time) mysterious PR771. This will now check all the certificates along 
the certPath for trust in the store. It also displays a new icon[1] and 
automatically selects the "Always Trust" checkbox when an applet is 
verified. Along the way I found a miscalculation in the window size of 
the dialog. It was too small to display the entire icon so I increased 
the height.

I've tested it on all of the certificate holding JNLPs on the test wiki 

The original reporter's applet is signed by an older version of a Thawte 
CA which I was unable to find online. The newer version is technically 
considered a different certificate (public keys are different) so this 
patch still won't verify their applet.

+2011-08-10  Danesh Dadachanji <ddadacha at redhat.com>
+	PR742: IcedTea-Web checks certs only upto 1 level deep before declaring
+	them untrusted.
+	* NEWS: Updated.
+	* netx/net/sourceforge/jnlp/resources/question.png: New icon added. 
+	to The GNOME Project for the image
+	* netx/net/sourceforge/jnlp/security/CertWarningPane.java:
+	(addComponents): When certs are verified, question.png is used as the 
+	and SAlwaysTrustPublisher is automatically selected.
+	* netx/net/sourceforge/jnlp/tools/JarSigner.java:
+	(checkTrustedCerts): All certs along certPath are now checked for trust.

Okay for HEAD?


[1] question.png is attached, it needs to be saved in 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: question.png
Type: image/png
Size: 5406 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20110810/1f0db38e/question.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PR742.patch
Type: text/x-patch
Size: 4429 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20110810/1f0db38e/PR742.patch 

More information about the distro-pkg-dev mailing list