[icedtea-web] RFC: show more information about certificates when verifying nested jars

Dr Andrew John Hughes ahughes at redhat.com
Wed Feb 2 09:26:11 PST 2011


On 12:04 Wed 02 Feb     , Deepak Bhole wrote:
> * Dr Andrew John Hughes <ahughes at redhat.com> [2011-02-02 08:46]:
> > On 20:08 Tue 01 Feb     , Deepak Bhole wrote:
> > > * Omair Majid <omajid at redhat.com> [2011-02-01 20:02]:
> > > > Hi,
> > > > 
> > > > The attached patch fixes a bug in icedtea-web where clicking on the
> > > > "more information" button on a security prompt involving nested
> > > > jars, throws an exception.
> > > > 
> > > > Ok to commit?
> > > > 
> > > 
> > > Yep, looks good to me. Okay for HEAD, 1.0, icedtea6-1.7, icedtea6-1.8
> > > and icedtea6-1.9 (which are also affected).
> > > 
> > 
> > NEWS update please!
> > 
> 
> BZ entry created:
> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=625
> 
> Omair, please add it to the news when committing to icedtea6. You may
> want to combine the patches mentioned in PR625 into a single one and
> push that for icedtea6...
> 

Yes, that sounds a sensible move.  Make sure to include both ChangeLogs though in the one commit.

> Cheers,
> Deepak
> 
> > > Thanks,
> > > Deepak
> > > 
> > > > Cheers,
> > > > Omair
> > > 
> > > > diff -r 97f40ebebbdf netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> > > > --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Tue Feb 01 10:53:44 2011 -0500
> > > > +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Tue Feb 01 19:54:11 2011 -0500
> > > > @@ -693,7 +693,11 @@
> > > >                                      }
> > > >  
> > > >                                      JarSigner signer = new JarSigner();
> > > > -                                    signer.verifyJar(extractedJarLocation);
> > > > +                                    List<JARDesc> jars = new ArrayList<JARDesc>();
> > > > +                                    JARDesc jarDesc = new JARDesc(new File(extractedJarLocation).toURL(), null, null, false, false, false, false);
> > > > +                                    jars.add(jarDesc);
> > > > +                                    tracker.addResource(new File(extractedJarLocation).toURL(), null, null);
> > > > +                                    signer.verifyJars(jars, tracker);
> > > >  
> > > >                                      if (signer.anyJarsSigned() && !signer.getAlreadyTrustPublisher()) {
> > > >                                          checkTrustWithUser(signer);
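
Review bot: In the added lines of JNLPClassLoader.java, `new File(extractedJarLocation).toURL()` is evaluated twice, and `File.toURL()` is deprecated because it does not escape characters that are illegal in URLs, so an extraction path containing spaces or similar characters yields a malformed URL. Suggest computing it once, e.g. `URL jarUrl = new File(extractedJarLocation).toURI().toURL();`, and passing `jarUrl` to both `new JARDesc(...)` and `tracker.addResource(...)` so the descriptor and the tracker are guaranteed to use the same URL. The four bare `false` arguments to the `JARDesc` constructor would also benefit from a short comment naming what each flag means.
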
> > > > diff -r 97f40ebebbdf netx/net/sourceforge/jnlp/tools/JarSigner.java
> > > > --- a/netx/net/sourceforge/jnlp/tools/JarSigner.java	Tue Feb 01 10:53:44 2011 -0500
> > > > +++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java	Tue Feb 01 19:54:11 2011 -0500
> > > > @@ -232,7 +232,7 @@
> > > >  
> > > >      }
> > > >  
> > > > -    public verifyResult verifyJar(String jarName) throws Exception {
> > > > +    private verifyResult verifyJar(String jarName) throws Exception {
> > > >          boolean anySigned = false;
> > > >          boolean hasUnsignedEntry = false;
> > > >          JarFile jarFile = null;
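
Review bot: At the `verifyJar(String jarName)` signature, narrowing the method from public to private breaks any caller outside JarSigner, and this patch only converts the one call site in JNLPClassLoader.java; please confirm no other callers remain in the tree before pushing to the release branches. A brief Javadoc line on the now-private method saying that external code should go through `verifyJars(jars, tracker)` would record why the visibility changed.
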
> > > 
> > 
> > -- 
> > Andrew :)
> > 
> > Free Java Software Engineer
> > Red Hat, Inc. (http://www.redhat.com)
> > 
> > Support Free Java!
> > Contribute to GNU Classpath and IcedTea
> > http://www.gnu.org/software/classpath
> > http://icedtea.classpath.org
> > PGP Key: F5862A37 (https://keys.indymedia.org/)
> > Fingerprint = EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37

-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37


