[RFC][icedtea-web] PR742: Fix checking multiple levels of JAR certs for trust
Deepak Bhole
dbhole at redhat.com
Wed Aug 10 15:01:25 PDT 2011
* Danesh Dadachanji <ddadacha at redhat.com> [2011-08-10 17:20]:
> Hello,
>
> Here's an update for this bug. It took so long because of the (at
> the time) mysterious PR771. This will now check all the certificates
> along the certPath for trust in the store. It also displays a new
> icon[1] and automatically selects the "Always Trust" checkbox when
> an applet is verified. Along the way I found a miscalculation in the
> window size of the dialog. It was too small to display the entire
> icon so I increased the height.
>
> I've tested it on all of the certificate holding JNLPs on the test
> wiki page.
>
> The original reporter's applet is signed by an older version of a
> Thawte CA which I was unable to find online. The newer version is
> technically considered a different certificate (public keys are
> different) so this patch still won't verify their applet.
>
Hi Danesh,

Patch looks good. Couple of minor things:

When a cert has been verified and we show a prompt with the new question
icon, the title still says "Warning - Security" ... we should probably
update this to something that doesn't look as alarming ... maybe
"Security approval needed" or something?

Also, one code-related fix below:

> - rootInCacerts = CertificateUtils.inKeyStores(root, caKeyStores);
> + // Check entire cert path for a trusted CA
> + List<? extends Certificate> certList = certPath.getCertificates();
> + for (int i = 0; i != certList.size(); i++) {
> + if ((rootInCacerts = CertificateUtils.inKeyStores(
> + (X509Certificate) certList.get(i), caKeyStores))) {
> + break;
> + }
> + }
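
Review bot: the cast in `(X509Certificate) certList.get(i)` is unchecked, and since `certPath.getCertificates()` is typed `List<? extends Certificate>`, a non-X.509 entry would throw ClassCastException in the middle of a trust decision; guard it with an instanceof check or skip entries that are not X509Certificate. The assignment inside the `if` condition is also easy to misread as a comparison, so assign first and test on the next line. Since the flag is now set when any certificate on the path is found in caKeyStores, not only the root, the name rootInCacerts no longer describes what it holds and deserves a rename or a comment.
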
It would be cleaner to use the Java foreach syntax with
certPath.getCertificates() directly... e.g.:

    for (Certificate c: certPath.getCertificates()) {
        ...
    }

Cheers,
Deepak