[RFC][icedtea-web] PR742: Fix checking multiple levels of JAR certs for trust

Omair Majid omajid at redhat.com
Thu Jun 23 06:42:49 PDT 2011 

On 06/22/2011 05:06 PM, Danesh Dadachanji wrote:
> Here's a patch for the JAR side of PR742, checking the cert path of a
> JAR cert for trusted CAs. Here's how to make a 2 chain certificate for
> testing purposes - http://torweb.toronto.redhat.com/~dbhole/steps
>

I am not clear on how this patch relates to PR742. In that bug, the root 
is a known CA (thawte); this patch makes icedtea-web look for known CA's 
which are not at the root of the trust chain. Am I missing something?

>
>
> diff -r af1ed34483d1 netx/net/sourceforge/jnlp/tools/JarSigner.java
> --- a/netx/net/sourceforge/jnlp/tools/JarSigner.java	Tue May 31 12:00:01 2011 -0400
> +++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java	Wed Jun 22 16:20:52 2011 -0400
> @@ -374,6 +374,15 @@ public class JarSigner implements CertVe
>                   X509Certificate root = (X509Certificate) getRoot();
>                   KeyStore[] caKeyStores = KeyStores.getCAKeyStores();
>                   rootInCacerts = CertificateUtils.inKeyStores(root, caKeyStores);
> +                if (!alreadyTrustPublisher) { // Check cert path for trusted CA
> +                    List<? extends Certificate>  certList = certPath.getCertificates();
> +                    for (int i = 0; i != certList.size(); i++) {
> +                        if ((alreadyTrustPublisher = CertificateUtils.inKeyStores(
> +                                (X509Certificate) certList.get(i), caKeyStores))) {
> +                            break;
> +                        }
> +                    }
> +                }

I think it might be better to set rootInCacerts here instead of 
alreadyTrustPublisher. alreadyTrustPublisher is normally used when a 
particular (publisher) certificate is trusted (which is not the case 
here). rootInCacerts is normally used when the publisher's certificate 
is trusted by a CA. Setting rootInCacerts has a different result than 
setting alreadyTrustPublisher. In case of alreadyTrustPublisher we may 
skip showing a security prompt; while we do show one in case of 
rootInCacerts.

>               } catch (Exception e) {
>                   // TODO: Warn user about not being able to
>                   // look through their cacerts/trusted.certs

Cheers,
Omair

More information about the distro-pkg-dev mailing list