[icedtea-web] RFC: show more information about certificates when verifying nested jars
Deepak Bhole
dbhole at redhat.com
Wed Feb 2 09:04:06 PST 2011
* Dr Andrew John Hughes <ahughes at redhat.com> [2011-02-02 08:46]:
> On 20:08 Tue 01 Feb , Deepak Bhole wrote:
> > * Omair Majid <omajid at redhat.com> [2011-02-01 20:02]:
> > > Hi,
> > >
> > > The attached patch fixes a bug in icedtea-web where clicking on the
> > > "more information" button on a security prompt involving nested
> > > jars, throws an exception.
> > >
> > > Ok to commit?
> > >
> >
> > Yep, looks good to me. Okay for HEAD, 1.0, icedtea6-1.7, icedtea6-1.8
> > and icedtea6-1.9 (which are also affected).
> >
>
> NEWS update please!
>
BZ entry created:
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=625
Omair, please add it to the news when committing to icedtea6. You may
want to combine the patches mentioned in PR625 into a single one and
push that for icedtea6...
Cheers,
Deepak
> > Thanks,
> > Deepak
> >
> > > Cheers,
> > > Omair
> >
> > > diff -r 97f40ebebbdf netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> > > --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Feb 01 10:53:44 2011 -0500
> > > +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Feb 01 19:54:11 2011 -0500
> > > @@ -693,7 +693,11 @@
> > > }
> > >
> > > JarSigner signer = new JarSigner();
> > > - signer.verifyJar(extractedJarLocation);
> > > + List<JARDesc> jars = new ArrayList<JARDesc>();
> > > + JARDesc jarDesc = new JARDesc(new File(extractedJarLocation).toURL(), null, null, false, false, false, false);
> > > + jars.add(jarDesc);
> > > + tracker.addResource(new File(extractedJarLocation).toURL(), null, null);
> > > + signer.verifyJars(jars, tracker);
> > >
> > > if (signer.anyJarsSigned() && !signer.getAlreadyTrustPublisher()) {
> > > checkTrustWithUser(signer);
> > > diff -r 97f40ebebbdf netx/net/sourceforge/jnlp/tools/JarSigner.java
> > > --- a/netx/net/sourceforge/jnlp/tools/JarSigner.java Tue Feb 01 10:53:44 2011 -0500
> > > +++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java Tue Feb 01 19:54:11 2011 -0500
> > > @@ -232,7 +232,7 @@
> > >
> > > }
> > >
> > > - public verifyResult verifyJar(String jarName) throws Exception {
> > > + private verifyResult verifyJar(String jarName) throws Exception {
> > > boolean anySigned = false;
> > > boolean hasUnsignedEntry = false;
> > > JarFile jarFile = null;
> >
>
> --
> Andrew :)
>
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> Support Free Java!
> Contribute to GNU Classpath and IcedTea
> http://www.gnu.org/software/classpath
> http://icedtea.classpath.org
> PGP Key: F5862A37 (https://keys.indymedia.org/)
> Fingerprint = EA30 D855 D50F 90CD F54D 0698 0713 C3ED F586 2A37
More information about the distro-pkg-dev
mailing list