[RFC][icedtea-web] PR742: Fix checking multiple levels of JAR certs for trust
Danesh Dadachanji
ddadacha at redhat.com
Wed Aug 10 14:25:03 PDT 2011
Whoops, forgot I had a comment on something.
I'm not quite happy with the name of the var, rootInCacerts. It's no
longer _just_ the root cert being in the store, it would also be set if
any cert along the chain is in the store. However, the method associated
with it is also from an interface that is also inherited by the HTTP
side. That side has kept it as root even though it has always checked
all certs along the path. Comments?
Regards,
Danesh
On 10/08/11 05:18 PM, Danesh Dadachanji wrote:
> Hello,
>
> Here's an update for this bug. It took so long because of the (at the
> time) mysterious PR771. This will now check all the certificates along
> the certPath for trust in the store. It also displays a new icon[1] and
> automatically selects the "Always Trust" checkbox when an applet is
> verified. Along the way I found a miscalculation in the window size of
> the dialog. It was too small to display the entire icon so I increased
> the height.
>
> I've tested it on all of the certificate holding JNLPs on the test wiki
> page.
>
> The original reporter's applet is signed by an older version of a Thawte
> CA which I was unable to find online. The newer version is technically
> considered a different certificate (public keys are different) so this
> patch still won't verify their applet.
>
> ChangeLog:
> +2011-08-10 Danesh Dadachanji <ddadacha at redhat.com>
> +
> + PR742: IcedTea-Web checks certs only upto 1 level deep before declaring
> + them untrusted.
> + * NEWS: Updated.
> + * netx/net/sourceforge/jnlp/resources/question.png: New icon added.
> Credit
> + to The GNOME Project for the image
> + * netx/net/sourceforge/jnlp/security/CertWarningPane.java:
> + (addComponents): When certs are verified, question.png is used as the
> icon
> + and SAlwaysTrustPublisher is automatically selected.
> + * netx/net/sourceforge/jnlp/tools/JarSigner.java:
> + (checkTrustedCerts): All certs along certPath are now checked for trust.
>
> Okay for HEAD?
>
> Regards,
> Danesh
>
> [1] question.png is attached, it needs to be saved in
> /path/to/icedtea-web/netx/net/sourceforge/jnlp/resources
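
An added example, not part of the original message and not IcedTea-Web's JarSigner code: a stand-alone version of the check the quoted message describes, testing every certificate on a JAR signer's certPath against the trust store instead of stopping after one level. The class and method names are hypothetical, the JRE's default trust store stands in for the stores IcedTea-Web consults, and the signed JAR to inspect is passed on the command line.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ChainTrustCheck {               // hypothetical name
    /** Certificates held in the JRE's default trust store (assumed store). */
    static Set<X509Certificate> defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);           // null selects the default trust store
        Set<X509Certificate> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                anchors.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
        return anchors;
    }

    /** First certificate anywhere on the path that is in the store, or null. */
    static X509Certificate firstTrusted(List<? extends Certificate> path,
                                        Set<X509Certificate> anchors) {
        for (Certificate c : path)           // leaf, intermediates, then root
            if (c instanceof X509Certificate && anchors.contains(c))
                return (X509Certificate) c;
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) { System.err.println("usage: ChainTrustCheck <signed.jar>"); return; }
        Set<X509Certificate> anchors = defaultAnchors();
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory()) continue;
                // Signers are only available once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) { in.readAllBytes(); }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) continue;   // unsigned entry or signature file
                for (CodeSigner s : signers) {
                    X509Certificate hit =
                        firstTrusted(s.getSignerCertPath().getCertificates(), anchors);
                    System.out.println(e.getName() + ": " + (hit == null
                        ? "no certificate on the path is in the store"
                        : "trusted via " + hit.getSubjectX500Principal()));
                }
            }
        }
    }
}
```

Membership is by exact certificate equality, so a reissued CA certificate with a different public key does not match, which is the situation the message describes for the reporter's Thawte CA. Finding a certificate in the store does not replace validating the path's signatures and validity dates.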