[RFC][PATCH][icedtea-web]: Added support for signed JNLP file- Updated Patch

Omair Majid omajid at redhat.com
Mon Jul 25 09:30:27 PDT 2011


On 07/25/2011 11:32 AM, Saad Mohammad wrote:
> On 07/21/2011 09:34 AM, Omair Majid wrote:
>> On 07/15/2011 10:21 AM, Saad Mohammad wrote:
>>> I have updated both the patches that include the change that you have
>>> recommended and requested.
>>
>> I haven't looked into this in too much detail, but I have a few
>> questions (and concerns) after reading this patch. They are included
>> in line, below.
>>
>>
>>> +
>>> + if (js.anyJarsSigned()) {
>>> + // If there are any signed Jars, check if JNLP file is signed
>>> +
>>> + if (JNLPRuntime.isDebug())
>>> + System.out.println("STARTING check for signed JNLP file...");
>>> +
>>> + for (int i = 0; i< jars.length; i++) {
>>> + List<JARDesc> eachJar = new ArrayList<JARDesc>();
>>> + JarSigner signer = new JarSigner();
>>> + eachJar.add(jars[i]); // Adds only the single jar to check
>>> + // if the jar has a valid signature
>>> +
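Review bot: the loop creates a fresh `JarSigner` and `ArrayList` for every jar solely so that `verifyJars` can be asked about one jar at a time; if the signer already held by the class loader cannot report per-jar results, say so in a comment here, otherwise reuse it. The comment on `eachJar.add(jars[i])` is split so that `// if the jar has a valid signature` reads as a stray line; keep it on one line. The `STARTING check for signed JNLP file...` message is printed to `System.out` behind `JNLPRuntime.isDebug()` but names neither the JNLP file nor the jar being checked, which limits its value as a trace.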
>>
>> There is already JarSigner object that JNLPClassLoader is using. Is
>> there a reason for creating this new JarSigner object?
>
> I can use the JarSigner object that already exists.
>

Well, I am not sure if that's the right thing. Perhaps it maintains some 
state that you would not be fine with? I was really hoping you would 
explain why you are using a new JarSigner object :)

>>
>>> + try {
>>> + signer.verifyJars(eachJar, tracker);
>>> +
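Review bot: the `catch` for this `try` is not in the quoted fragment, so it is not visible how a failure of `signer.verifyJars(eachJar, tracker)` for a single jar is treated; the failure path should be explicit, with that jar counted as unsigned for the signed-JNLP check and the exception reported under the same `JNLPRuntime.isDebug()` guard used above, rather than swallowed.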
>>
>> The jarsigner js has already verified a subset of these earlier. Do
>> you really want to verify everything again?
>
> This is the method that is checking each jar file individually. So
> 'eachJar' stores only one jar file at a time and then checks if that jar
> file is signed or not. It then uses allJarsSigned() to validate if the
> jar file is signed. I added this because I did not find a solution that
> can track whether an individual jar file is signed or not. The previous
> check that JarSigner does uses all the jar resources (passed as
> parameter) and does not keep track which jar files are signed and which
> are not. Unless I am mistaken and there is a way of determining this.
>

Ah, that makes sense now. I suppose you only want to make sure that only 
a signed jar file contains the signed jnlp file.

>> So here's what I am really confused about: what does matching do? I
>> see that if there is no signed jnlp file, the code runs normally. If
>> there is a correctly signed jnlp file the code also continues
>> normally. So why are signed jnlp files needed at all? What problem are
>> they solving?
>>
>> I guess I am missing something obvious; an explanation of what this
>> code is trying to do would be appreciated.
>
> If there is no signed JNLP file, the code runs normally. (as you
> mentioned above)
> If there is a matching signed JNLP file, the code runs normally. (as you
> mentioned above)
> If there is an unmatched signed JNLP file, the application is not
> initialized and fails to start. The reason why I found this beneficial
> is because the signer may not want their signed jars to be used if the
> launching JNLP file is not the same as the one the signer provides.
> Anyone can just create their own JNLP file to launch the application as
> long as they know the location of the resource(s). I think this way the
> signer has the option to put restrictions onto their signed jar file; so
> under certain conditions the jar files can be used only if the launching
> JNLP file is "approved" by the signer. I think another reason why a
> signer might do this is so the signer does not have another person
> running their code and using their signed jar files as resource (using
> the API? If they know it). I am not sure about this one, but it makes
> sense.
>

Personally, I don't see that as a problem that Sun/Oracle would attempt 
to solve (what's so special about this "approved" file?). I suspect it 
has more to do with granting additional security privileges.

I found this thread [1] after a quick search and it mentions a number of 
things you may find interesting (including secure system properties). 
There is probably a lot more information on this. Could you please look 
around some more and tell us what you find?

Thanks,
Omair

[1] http://forums.oracle.com/forums/thread.jspa?threadID=1303509&tstart=105
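The three outcomes discussed above (no signed JNLP file, a matching one, an unmatched one), as an added Python model of the decision; this is not IcedTea-Web code. The `signed` flag is a constructed stand-in for the per-jar `verifyJars()` result the patch computes, the `JNLP-INF/APPLICATION.JNLP` entry path is assumed from the JNLP specification, and byte-for-byte equality stands in for the spec's notion of matching.

```python
# Added example modelling the signed-JNLP check from the thread; not IcedTea-Web
# code. Jars are built in memory; 'signed' is a constructed per-jar flag.
import io
import zipfile

# Assumed path of the signed JNLP entry inside a jar (JNLP spec).
SIGNED_JNLP_ENTRY = "JNLP-INF/APPLICATION.JNLP"


def make_jar(name, signed, entries):
    """Build an in-memory jar: returns (name, zip_bytes, signed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return (name, buf.getvalue(), signed)


def embedded_jnlp(zip_bytes):
    """Return the embedded JNLP bytes, or None if the jar carries none."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if SIGNED_JNLP_ENTRY in zf.namelist():
            return zf.read(SIGNED_JNLP_ENTRY)
    return None


def check_signed_jnlp(jars, launching_jnlp):
    """Decide whether launching_jnlp may use these jars; returns (allowed, why).

    Thread's three cases: no signed JNLP -> run, matching -> run, unmatched ->
    refuse. A JNLP entry in an unsigned jar is ignored (nothing vouches for
    it), which is why the check needs to know which individual jars are signed.
    """
    for name, zip_bytes, signed in jars:
        if not signed:
            continue
        found = embedded_jnlp(zip_bytes)
        if found is None:
            continue
        # Assumption: byte-for-byte equality stands in for the spec's matching.
        if found == launching_jnlp:
            return True, f"launching JNLP matches the one signed in {name}"
        return False, f"launching JNLP differs from the one signed in {name}"
    return True, "no signed JNLP file in any signed jar; run normally"


# Constructed sample: a signed jar with a JNLP, an unsigned jar with a rogue one.
ORIGINAL_JNLP = b"<jnlp href='app.jnlp'><resources><jar href='app.jar'/></resources></jnlp>"
ROGUE_JNLP = b"<jnlp href='rogue.jnlp'><resources><jar href='app.jar'/></resources></jnlp>"
SIGNED_JAR = make_jar("app.jar", True, {SIGNED_JNLP_ENTRY: ORIGINAL_JNLP, "Main.class": b""})
UNSIGNED_JAR = make_jar("lib.jar", False, {SIGNED_JNLP_ENTRY: ROGUE_JNLP})
```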
