[RFC][icedtea-web] PR742: Fix checking multiple levels of JAR certs for trust
Danesh Dadachanji
ddadacha at redhat.com
Wed Jun 22 14:33:18 PDT 2011
Woops, internal website. Steps are as follows.
1. CA -newca
2. keytool -genkey -alias usercert -keyalg RSA -keysize 2048 -keystore store
3. keytool -certreq -alias usercert -keyalg RSA -file request.pem -keystore store
4. openssl ca -policy policy_anything -extensions my_v3_ext -out usercert.pem -infiles request.pem
5. Edit usercert.pem to remove everything except what's in between the
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines (and
keep those 2 lines as well)
6. Open demoCA/cacert.pem, copy everything between and including the
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and
paste it at the end of usercert.pem after the -----END CERTIFICATE----- line
7. After all is done, usercert.pem should look something like:
-----BEGIN CERTIFICATE-----
....
....
....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
....
....
....
-----END CERTIFICATE-----
8. keytool -import -alias usercert -keystore store -file usercert.pem
9. jarsigner -keystore store -signedjar TestApplet-signed.jar TestApplet.jar usercert
On 22/06/11 05:06 PM, Danesh Dadachanji wrote:
> Hello,
>
> Here's a patch for the JAR side of PR742, checking the cert path of a
> JAR cert for trusted CAs. Here's how to make a 2 chain certificate for
> testing purposes - http://torweb.toronto.redhat.com/~dbhole/steps
>
> You have to add a modified version of demoCA/cacert.pem (follow step 6
> but save the copied text) in the trusted CA certs list through
> itweb-settings.
>
> ChangeLog
> +2011-06-22 Danesh Dadachanji <ddadacha at redhat.com>
> + * netx/net/sourceforge/jnlp/tools/JarSigner.java: Changed
> checkTrustedCerts to check through entire certPath for trusted CAs.
>
> Regards,
> Danesh
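
An added example (not the icedtea-web patch or its JarSigner code) of walking an entire certificate path for a trusted CA while verifying each link on the way up, so that a trusted certificate merely appended to an unrelated chain does not count. The class, its methods and the two PEM file arguments are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class ChainTrustCheck {
    // Read every certificate in a PEM file, in file order.
    static List<X509Certificate> readPem(String path) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    // Index of the first chain entry found in the trusted store, or -1 if none.
    // A match at index i only counts once every link below it has been verified.
    static int firstTrustedIndex(List<X509Certificate> chain, KeyStore trusted) throws Exception {
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            cert.checkValidity();                      // throws if expired or not yet valid
            if (trusted.getCertificateAlias(cert) != null) return i;
            if (i + 1 == chain.size()) break;          // top of chain, nothing trusted
            X509Certificate issuer = chain.get(i + 1);
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())
                    || issuer.getBasicConstraints() < 0) {   // -1 means "not a CA"
                throw new SecurityException("broken chain at index " + i);
            }
            cert.verify(issuer.getPublicKey());        // throws if the signature does not match
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: chain file such as usercert.pem from step 7 (signer first, CA last)
        // args[1]: PEM file of trusted CA certificates (hypothetical stand-in for the CA list)
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        trusted.load(null, null);                      // empty in-memory store
        int n = 0;
        for (X509Certificate ca : readPem(args[1])) trusted.setCertificateEntry("ca" + n++, ca);
        int idx = firstTrustedIndex(readPem(args[0]), trusted);
        System.out.println(idx < 0 ? "untrusted" : "trusted via chain entry " + idx);
    }
}
```

Run against the files from the steps above, usercert.pem with demoCA/cacert.pem as the trusted list should report the CA at chain entry 1; with an unrelated trusted list it should report untrusted.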