/hg/icedtea-web: PR742: IcedTea-Web checks certs only up to 1 lev...

ddadacha at icedtea.classpath.org
Fri Aug 12 09:12:26 PDT 2011


changeset 68756a4f8cc0 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=68756a4f8cc0
author: Danesh Dadachanji <ddadacha at redhat.com>
date: Thu Aug 11 14:11:41 2011 -0400

	PR742: IcedTea-Web checks certs only up to 1 level deep before
	declaring them untrusted.


diffstat:

 ChangeLog                                      |  8 ++++++++
 NEWS                                           |  1 +
 netx/net/sourceforge/jnlp/tools/JarSigner.java |  8 +++++++-
 3 files changed, 16 insertions(+), 1 deletions(-)

diffs (44 lines):

diff -r 27f08d58854f -r 68756a4f8cc0 ChangeLog
--- a/ChangeLog	Tue Aug 09 17:34:35 2011 -0400
+++ b/ChangeLog	Thu Aug 11 14:11:41 2011 -0400
@@ -1,3 +1,11 @@
+2011-08-11  Danesh Dadachanji <ddadacha at redhat.com>
+
+	PR742: IcedTea-Web checks certs only upto 1 level deep before declaring 
+	them untrusted.
+	* NEWS: Updated.
+	* netx/net/sourceforge/jnlp/tools/JarSigner.java:
+	(checkTrustedCerts): All certs along certPath are now checked for trust.
+
 2011-08-09  Deepak Bhole <dbhole at redhat.com>
 
 	PR771: IcedTea-Web certificate verification code does not use the right
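Review bot: The checkTrustedCerts entry says "All certs along certPath are now checked for trust", but the loop in the JarSigner.java hunk stops at the first certificate found in the CA keystores, so the entry should say the path is accepted when any certificate in it is a trusted CA. In the same entry, "upto" should be "up to", and the line ending in "declaring " carries a trailing space.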
diff -r 27f08d58854f -r 68756a4f8cc0 NEWS
--- a/NEWS	Tue Aug 09 17:34:35 2011 -0400
+++ b/NEWS	Thu Aug 11 14:11:41 2011 -0400
@@ -19,6 +19,7 @@
 Common
   - PR768: Signed applets/Web Start apps don't work with OpenJDK7 and up
   - PR771: IcedTea-Web certificate verification code does not use the right API
+  - PR742: IcedTea-Web checks certs only upto 1 level deep before declaring them untrusted.
 
 New in release 1.1 (2011-XX-XX):
 * Security updates
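Review bot: The added PR742 line ends with a period while the PR768 and PR771 entries directly above it do not, and "upto" should be "up to". It is also noticeably longer than its neighbours; wrapping or shortening it (for example, "PR742: IcedTea-Web checks certs only up to 1 level deep") would keep the list consistent.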
diff -r 27f08d58854f -r 68756a4f8cc0 netx/net/sourceforge/jnlp/tools/JarSigner.java
--- a/netx/net/sourceforge/jnlp/tools/JarSigner.java	Tue Aug 09 17:34:35 2011 -0400
+++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java	Thu Aug 11 14:11:41 2011 -0400
@@ -373,7 +373,13 @@
                 alreadyTrustPublisher = CertificateUtils.inKeyStores(publisher, certKeyStores);
                 X509Certificate root = (X509Certificate) getRoot();
                 KeyStore[] caKeyStores = KeyStores.getCAKeyStores();
-                rootInCacerts = CertificateUtils.inKeyStores(root, caKeyStores);
+                // Check entire cert path for a trusted CA
+                for (Certificate c : certPath.getCertificates()) {
+                	if ((rootInCacerts = CertificateUtils.inKeyStores(
+                            (X509Certificate) c, caKeyStores))) {
+                        break;
+                    }
+                }
             } catch (Exception e) {
                 // TODO: Warn user about not being able to
                 // look through their cacerts/trusted.certs
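Review bot: In the new loop, rootInCacerts becomes true when any certificate in certPath is found in caKeyStores, so the flag's name no longer describes what it records, and the local `root` assigned from getRoot() two lines above has no remaining use in the visible lines. Rename the flag or extend the "Check entire cert path for a trusted CA" comment to state the new meaning, and drop `root` if nothing later in the method reads it. The loop covers every element of the path, including the signer's own certificate, so the comment should also say whether matching the leaf against the CA stores is intended, and that the result is only meaningful if the path's signatures have been verified elsewhere. Two smaller points: the assignment inside the `if` condition is easy to misread as a comparison, so assigning first and testing on the next line would be clearer, and the `if` line is indented with a tab while the surrounding lines use spaces.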



More information about the distro-pkg-dev mailing list