[icedtea-web] RFC: show more information about certificates when verifying nested jars
Dr Andrew John Hughes
ahughes at redhat.com
Wed Feb 2 05:46:52 PST 2011
On 20:08 Tue 01 Feb , Deepak Bhole wrote:
> * Omair Majid <omajid at redhat.com> [2011-02-01 20:02]:
> > Hi,
> >
> > The attached patch fixes a bug in icedtea-web where clicking on the
> > "more information" button on a security prompt involving nested
> > jars, throws an exception.
> >
> > Ok to commit?
> >
>
> Yep, looks good to me. Okay for HEAD, 1.0, icedtea6-1.7, icedtea6-1.8
> and icedtea6-1.9 (which are also affected).
>
NEWS update please!
> Thanks,
> Deepak
>
> > Cheers,
> > Omair
>
> > diff -r 97f40ebebbdf netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> > --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Feb 01 10:53:44 2011 -0500
> > +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Feb 01 19:54:11 2011 -0500
> > @@ -693,7 +693,11 @@
> > }
> >
> > JarSigner signer = new JarSigner();
> > - signer.verifyJar(extractedJarLocation);
> > + List<JARDesc> jars = new ArrayList<JARDesc>();
> > + JARDesc jarDesc = new JARDesc(new File(extractedJarLocation).toURL(), null, null, false, false, false, false);
> > + jars.add(jarDesc);
> > + tracker.addResource(new File(extractedJarLocation).toURL(), null, null);
> > + signer.verifyJars(jars, tracker);
> >
> > if (signer.anyJarsSigned() && !signer.getAlreadyTrustPublisher()) {
> > checkTrustWithUser(signer);
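Review bot: in the added JNLPClassLoader lines, `new File(extractedJarLocation).toURL()` is evaluated twice and relies on `File.toURL()`, which is deprecated because it does not escape characters that are illegal in URLs. Build the URL once into a local with `new File(extractedJarLocation).toURI().toURL()` and pass that local to both `new JARDesc(...)` and `tracker.addResource(...)`, so both are guaranteed to receive the same URL for the extracted nested jar. The `JARDesc` call with two nulls and four positional `false` arguments would also benefit from a short comment saying what each argument means.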
> > diff -r 97f40ebebbdf netx/net/sourceforge/jnlp/tools/JarSigner.java
> > --- a/netx/net/sourceforge/jnlp/tools/JarSigner.java Tue Feb 01 10:53:44 2011 -0500
> > +++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java Tue Feb 01 19:54:11 2011 -0500
> > @@ -232,7 +232,7 @@
> >
> > }
> >
> > - public verifyResult verifyJar(String jarName) throws Exception {
> > + private verifyResult verifyJar(String jarName) throws Exception {
> > boolean anySigned = false;
> > boolean hasUnsignedEntry = false;
> > JarFile jarFile = null;
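Review bot: narrowing `verifyJar(String jarName)` from public to private breaks any caller outside JarSigner, and this patch only shows the JNLPClassLoader call site converted. Since the change is proposed for several branches, check each one for remaining callers before committing. A one-line comment on the method pointing to `verifyJars(jars, tracker)` as the entry point would document why the single-jar path is no longer exposed.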
>
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D 0698 0713 C3ED F586 2A37