[icedtea-web] RFC: show more information about certificates when verifying nested jars

Deepak Bhole dbhole at redhat.com
Wed Feb 2 09:04:06 PST 2011 

* Dr Andrew John Hughes <ahughes at redhat.com> [2011-02-02 08:46]:
> On 20:08 Tue 01 Feb     , Deepak Bhole wrote:
> > * Omair Majid <omajid at redhat.com> [2011-02-01 20:02]:
> > > Hi,
> > > 
> > > The attached patch fixes a bug in icedtea-web where clicking on the
> > > "more information" button on a security prompt involving nested
> > > jars, throws an exception.
> > > 
> > > Ok to commit?
> > > 
> > 
> > Yep, looks good to me. Okay for HEAD, 1.0, icedtea6-1.7, icedtea6-1.8
> > and icedtea6-1.9 (which are also affected).
> > 
> 
> NEWS update please!
> 

BZ entry created:
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=625

Omair, please add it to the news when committing to icedtea6. You may
want to combine the patches mentioned in PR625 into a single one and
push that for icedtea6...

Cheers,
Deepak

> > Thanks,
> > Deepak
> > 
> > > Cheers,
> > > Omair
> > 
> > > diff -r 97f40ebebbdf netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> > > --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Tue Feb 01 10:53:44 2011 -0500
> > > +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Tue Feb 01 19:54:11 2011 -0500
> > > @@ -693,7 +693,11 @@
> > >                                      }
> > >  
> > >                                      JarSigner signer = new JarSigner();
> > > -                                    signer.verifyJar(extractedJarLocation);
> > > +                                    List<JARDesc> jars = new ArrayList<JARDesc>();
> > > +                                    JARDesc jarDesc = new JARDesc(new File(extractedJarLocation).toURL(), null, null, false, false, false, false);
> > > +                                    jars.add(jarDesc);
> > > +                                    tracker.addResource(new File(extractedJarLocation).toURL(), null, null);
> > > +                                    signer.verifyJars(jars, tracker);
> > >  
> > >                                      if (signer.anyJarsSigned() && !signer.getAlreadyTrustPublisher()) {
> > >                                          checkTrustWithUser(signer);
> > > diff -r 97f40ebebbdf netx/net/sourceforge/jnlp/tools/JarSigner.java
> > > --- a/netx/net/sourceforge/jnlp/tools/JarSigner.java	Tue Feb 01 10:53:44 2011 -0500
> > > +++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java	Tue Feb 01 19:54:11 2011 -0500
> > > @@ -232,7 +232,7 @@
> > >  
> > >      }
> > >  
> > > -    public verifyResult verifyJar(String jarName) throws Exception {
> > > +    private verifyResult verifyJar(String jarName) throws Exception {
> > >          boolean anySigned = false;
> > >          boolean hasUnsignedEntry = false;
> > >          JarFile jarFile = null;
> > 
> 
> -- 
> Andrew :)
> 
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
> 
> Support Free Java!
> Contribute to GNU Classpath and IcedTea
> http://www.gnu.org/software/classpath
> http://icedtea.classpath.org
> PGP Key: F5862A37 (https://keys.indymedia.org/)
> Fingerprint = EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37

More information about the distro-pkg-dev mailing list