/hg/icedtea-web: Verify nested jars just like main jars

omajid at icedtea.classpath.org
Tue Feb 1 18:08:03 PST 2011


changeset 2d39fa58036e in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=2d39fa58036e
author: Omair Majid <omajid at redhat.com>
date: Tue Feb 01 21:07:03 2011 -0500

	Verify nested jars just like main jars

	Fix an exception that occurs when More Information is clicked in the
	Certificate warning dialog when dealing with signed nested jars.

	2011-02-01 Omair Majid <omajid at redhat.com>

	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
	(activateJars): Add the nested jar to ResourceTracker. Use
	JarSigner.verifyJars instead of JarSigner.verifyJar.
	* netx/net/sourceforge/jnlp/tools/JarSigner.java (verifyJar): Make
	private to indicate nothing should be using this directly.


diffstat:

3 files changed, 15 insertions(+), 2 deletions(-)
ChangeLog                                              |    9 +++++++++
netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java |    6 +++++-
netx/net/sourceforge/jnlp/tools/JarSigner.java         |    2 +-

diffs (44 lines):

diff -r 97f40ebebbdf -r 2d39fa58036e ChangeLog
--- a/ChangeLog	Tue Feb 01 10:53:44 2011 -0500
+++ b/ChangeLog	Tue Feb 01 21:07:03 2011 -0500
@@ -1,3 +1,12 @@ 2011-01-24 Deepak Bhole <dbhole at redhat.c
+2011-02-01  Omair Majid  <omajid at redhat.com>
+
+	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+	(activateJars): Add the nested jar to ResourceTracker. Use
+	JarSigner.verifyJars instead of JarSigner.verifyJar.
+	* netx/net/sourceforge/jnlp/tools/JarSigner.java
+	(verifyJar): Make private to indicate nothing should be using this
+	directly.
+
 2011-01-24 Deepak Bhole <dbhole at redhat.com>
 
 	RH672262, CVE-2011-0025: IcedTea jarfile signature verification bypass
diff -r 97f40ebebbdf -r 2d39fa58036e netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Tue Feb 01 10:53:44 2011 -0500
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Tue Feb 01 21:07:03 2011 -0500
@@ -693,7 +693,11 @@ public class JNLPClassLoader extends URL
                                     }
 
                                     JarSigner signer = new JarSigner();
-                                    signer.verifyJar(extractedJarLocation);
+                                    List<JARDesc> jars = new ArrayList<JARDesc>();
+                                    JARDesc jarDesc = new JARDesc(new File(extractedJarLocation).toURL(), null, null, false, false, false, false);
+                                    jars.add(jarDesc);
+                                    tracker.addResource(new File(extractedJarLocation).toURL(), null, null);
+                                    signer.verifyJars(jars, tracker);
 
                                     if (signer.anyJarsSigned() && !signer.getAlreadyTrustPublisher()) {
                                         checkTrustWithUser(signer);
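Review bot: `new File(extractedJarLocation).toURL()` is evaluated twice in this hunk (once for the `JARDesc`, once for `tracker.addResource`), and `File.toURL()` is deprecated in favour of `toURI().toURL()`, which also escapes spaces and other special characters in the path correctly; compute it once into a local, e.g. `URL jarUrl = new File(extractedJarLocation).toURI().toURL();`, and pass `jarUrl` to both calls. The seven-argument `JARDesc` constructor with four unnamed `false` flags and the `null, null` arguments to `addResource` would also benefit from a short comment naming those fields, so a later reader can confirm that the nested jar is tracked and verified with the same settings as the main jars rather than guessing at the positional values.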
diff -r 97f40ebebbdf -r 2d39fa58036e netx/net/sourceforge/jnlp/tools/JarSigner.java
--- a/netx/net/sourceforge/jnlp/tools/JarSigner.java	Tue Feb 01 10:53:44 2011 -0500
+++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java	Tue Feb 01 21:07:03 2011 -0500
@@ -232,7 +232,7 @@ public class JarSigner implements CertVe
 
     }
 
-    public verifyResult verifyJar(String jarName) throws Exception {
+    private verifyResult verifyJar(String jarName) throws Exception {
         boolean anySigned = false;
         boolean hasUnsignedEntry = false;
         JarFile jarFile = null;
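Review bot: narrowing `verifyJar` to private is the right way to force all callers through `verifyJars`, but the hunk adds no javadoc stating that intent; a one-line comment above the method saying that `verifyJars(List<JARDesc>, ResourceTracker)` is the supported entry point would stop the next reader from widening the visibility again. While this line is being touched, the return type `verifyResult` does not follow Java's capitalised type-name convention (`VerifyResult`), though renaming it belongs in a separate change.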