[RFC][icedtea-web]: Added support for signed JNLP file
Jiri Vanek
jvanek at redhat.com
Tue Jun 28 02:16:04 PDT 2011
On 06/28/2011 12:42 AM, Deepak Bhole wrote:
> Hi Saad,
>
> I have some corrections for this patch. I've tried to avoid whatever
> Jiri has already covered (except when I have an additional comment on
> the same item).
>
> Comments below:
>
> * Saad Mohammad<smohammad at redhat.com> [2011-06-23 17:04]:
>> > I have attached my patch that adds support for signed JNLP files to
>> > IcedTea-Web. There are two ways of signing a JNLP file;
>> > You can do it either way by having the following files in a signed jar:
>> > JNLP-INF/APPLICATION.JNLP
>> > JNLP-INF/APPLICATION_TEMPLATE.JNLP (Introduced in JNLP 7.0)
>> > [[1]http://jcp.org/aboutJava/communityprocess/maintenance/jsr056/jnlp-7
>> > _0-changes.html]
>> > It will fail to launch an application if the signed JNLP file does not
>> > match the launching JNLP file.
>> > CHANGELOG:
>> > 2011-06-23 Saad Mohammad [2]<smohammad at redhat.com>
>> > * netx/net/sourceforge/jnlp/JNLPVerify.java:
>> > Created this class to compares signed JNLP file with the
>> > launching JNLP file.
>> > It is able to compare both method of signing of a JNLP file:
>> > APPLICATION_TEMPLATE.JNLP
>> > and APPLICATION.JNLP
>> > * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
>> > Added a custom exception: JNLPVerifyException. Also added
>> > JNLPVerifyException to methods
>> > that throws the custom exception.
>> > (initializeResources): Checks if there is any signed JNLP file
>> > within the signed jars.
>> > If signed JNLP file fails to match or fails to be verified, the
>> > application throws
>> > a JNLPVerifyException.
>> > * netx/net/sourceforge/jnlp/Node.java:
>> > Created a method that retrieves the attribute names of the Node
>> > in a
>> > private string [] member. The method returns the attribute names.
>> > * netx/net/sourceforge/nanoxml/XMLElement.java:
>> > (sanitizeInput): Changed parameter type of isr from
>> > InputStreamReader to Reader.
> The indentation above is incorrect... it should follow the same format
> as other entries in the ChangeLog. Also, not sure what the [2] means..
> it shouldn't be there.
>
>> > References
>> >
>> > 1.http://jcp.org/aboutJava/communityprocess/maintenance/jsr056/jnlp-7_0-changes.html
>> > 2.mailto:smohammad at redhat.com
> ...
>> > + public static JNLPVerify getInstanceOf(Reader appTemplateFile, Reader launchJNLPFile,
>> > + boolean isTemplate) throws Exception {
> Jiri already pointed this out.. but throwing a generic Exception is a
> bad idea because it forces callers to catch all exceptions when they may
> not want to -- consider throwing a more restricted exception.
>
> Also, getInstanceOf suggests this that is a singleton class which it is
> not. The method name should be changed. Though frankly, I think this
> method shouldn't exist at all. Let the caller create the class and
> handle any exceptions from the constructor rather than having a wrapper
> just to re-throw the exception.
Here we are pointing into philosophic-based-java-discusion:) In case constructor throws an exception, I think factory method is much better, but it must ensure, all the "dangerous" (Exception throwing, null possible...) code to be check 'before', so possible creation in constructor will be "for sure" successful when all checks done in factory method.
As already mentioned, in this case the method should be createJnlpVerifier (see java naming conventions here)
So the code around this should at least :
move to factory method:
+ if (appTemplate == null && launchJNLP == null)
+ throw new NullPointerException(
+ "Template JNLP file and Launching JNLP file are both null.");
+ else if (appTemplate == null)
+ throw new NullPointerException("Template JNLP file is null.");
+ else
+ throw new NullPointerException("Launching JNLP file is null.");
+ }
+
+ XMLElement appTemplateXML = new XMLElement();
+ XMLElement launchJNLPXML = new XMLElement();
+
+ // Remove the comments and CDATA from the JNLP file
move into some sanitizeMethod, probably private, called in verify or in factory method
+ final PipedInputStream pinTemplate = new PipedInputStream();
+ final PipedOutputStream poutTemplate = new PipedOutputStream(pinTemplate);
+ appTemplateXML.sanitizeInput(appTemplate, poutTemplate);
+
+ final PipedInputStream pinJNLPFile = new PipedInputStream();
+ final PipedOutputStream poutJNLPFile = new PipedOutputStream(pinJNLPFile);
+ launchJNLPXML.sanitizeInput(launchJNLP, poutJNLPFile);
+
definitely move into parse method - aganin call in factory or in verifi function
+ //Parse both files
+ appTemplateXML.parseFromReader(new InputStreamReader(pinTemplate));
+ launchJNLPXML.parseFromReader(new InputStreamReader(pinJNLPFile));
This can pass to constructor as there is nearly nothing to fail
+
+ //Initialize parent nodes
+ this.appTemplateNode = new Node(appTemplateXML);
+ this.launchJNLPNode = new Node(launchJNLPXML);
+ this.isTemplate = isTemplate;
+
+
+ }
But if Deepak recommended public constructor, then you have something to choose;)
>
>> > + try {
>> > + JNLPVerify ret = new JNLPVerify(appTemplateFile, launchJNLPFile, isTemplate);
>> > + return ret;
>> > +
>> > + } catch (Exception e) {
>> > + throw new Exception(
>> > + "Failed to create an instance of JNLPVerify with specified Readers: "
>> > + + e.getMessage());
>> > + }
>> > + }
>> > +
>> > + /**
>> > + * Private constructor
>> > + *
>> > + * @param appTemplate
>> > + * the reader stream of the signed APPLICATION.jnlp or
>> > + * APPLICATION_TEMPLATE.jnlp
>> > + * @param launchJNLP
>> > + * the reader stream of the launching JNLP file
>> > + * @param isTemplate
>> > + * a boolean that specifies if appTemplateFile is a template
>> > + *
>> > + * @throws XMLParseException
>> > + * if appTemplate and launchJNLP could not be parsed
>> > + * @throws IOException
>> > + * if PipedOutputStream or InputStreamReader failed to be
>> > + * created
>> > + */
>> > + private JNLPVerify(Reader appTemplate, Reader launchJNLP, boolean isTemplate)
>> > + throws XMLParseException, IOException {
>> > +
> This is not a singleton class nor is it a factory and all of the
> constructor parameters are available to the caller, so there is no real
> need for a private constructor.
comment above aligned also here.
>
> ...
>> > +
>> > + if (appTemplate != null&& launchJNLP != null) {
>> > +
>> > + Node appTemplateNode = (Node) appTemplate;
>> > + Node launchJNLPNode = (Node) launchJNLP;
>> > +
>> > + //Store children of Node
>> > + LinkedList<Node> appTemplateChild = new LinkedList<Node>(Arrays.asList(appTemplateNode
>> > + .getChildNodes()));
>> > + LinkedList<Node> launchJNLPChild = new LinkedList<Node>(Arrays.asList(launchJNLPNode
>> > + .getChildNodes()));
>> > +
>> > + // Compare only if both Nodes have the same name, else return false
>> > + if (appTemplateNode.getNodeName().equals(launchJNLPNode.getNodeName())) {
>> > +
>> > + if (appTemplateChild.size() == launchJNLPChild.size()) { // Compare children
>> > +
>> > + int childLength = appTemplateChild.size();
>> > +
>> > + for (int i = 0; i< childLength;) {
>> > + for (int j = 0; j< childLength; j++) {
>> > + boolean isSame = compareNodes(appTemplateChild.get(i),
>> > + launchJNLPChild.get(j));
>> > +
>> > + if (!isSame&& j == childLength - 1)
>> > + return false;
>> > + else if (isSame) { // If both child matches, remove them from the list of children
>> > + appTemplateChild.remove(i);
>> > + launchJNLPChild.remove(j);
>> > + --childLength;
>> > + break;
>> > + }
>> > + }
>> > + }
>> > +
>
> This logic seems more complex than it needs to be and is O(n^2). You can
> define a comparator and use Arrays.sort to sort the arrays that the
> getChildNodes() methods return. Then you only need to iterate over the
> array once -- resulting in O(nlogn) performance and much cleaner code.
I'm not sure if this can be done in O(n log n) as I don't believe that sorting will help to much in case of comparing nodes.
Personally I like the approach when for each xapth is tried to find best matching xpath in second file. Ya - it is slow! but Jnlp files are small ,and verification is done for each jar only one times.
I have some time ago implement comparing of XML files based on sorting and it had not good results.
>
> ...
>> > +
>> > + ArrayList<String> appTemplateAttributes = new ArrayList<String>(Arrays.asList(appTemplateNode.getAttributeNames()));
>> > + ArrayList<String> launchJNLPAttributes = new ArrayList<String>(Arrays.asList(launchJNLPNode.getAttributeNames()));
>> > +
> Same change as above can be made here.
For attributes absolutely for sure. My comment form first post was silently ignored :)
>
> ...
>
>> >
>> > + if (js.anyJarsSigned()) {
>> > + //If there are any signed Jars, check if JNLP file is signed
>> > +
>> > + if (JNLPRuntime.isDebug())
>> > + System.out.println("STARTING check for signed JNLP file...");
>> > +
>> > + final String template = "JNLP-INF/APPLICATION_TEMPLATE.JNLP";
>> > + final String application = "JNLP-INF/APPLICATION.JNLP";
>> > +
>> > + for (int i = 0; i< jars.length; i++) {
>> > + List<JARDesc> eachJar = new ArrayList<JARDesc>();
>> > + JarSigner signer = new JarSigner();
>> > + eachJar.add(jars[i]); //Adds only the single jar to check if the jar has a valid signature
>> > +
>> > + tracker.addResource(jars[i].getLocation(), jars[i].getVersion(),
>> > + getDownloadOptionsForJar(jars[i]),
>> > + jars[i].isCacheable() ? JNLPRuntime.getDefaultUpdatePolicy()
>> > + : UpdatePolicy.FORCE);
>> > +
>> > + try {
>> > + signer.verifyJars(eachJar, tracker);
>> > +
>> > + if (signer.allJarsSigned()) { //If the jar is signed
>> > + URL location = jars[i].getLocation();
>> > + File localFile = tracker.getCacheFile(location);
>> > +
>> > + if (localFile != null) {
> There is a security issue here -- what if local file is null? Then no check will happen?
>
>> > + try {
>> > + JarFile jarFile = new JarFile(localFile);
>> > + Enumeration<JarEntry> entries = jarFile.entries();
>> > + JarEntry je;
>> > +
>> > + while (entries.hasMoreElements()) {
>> > + je = entries.nextElement();
>> > + String jeName = je.getName().toUpperCase();
>> > +
>> > + if (jeName.equals(template) || jeName.equals(application)) {
>> > +
> The specification states that the file names should be recognized
> regardless of case. The above code does not allow that.
>
> ...
>
>> > +
>> > + if (jeName.equals(application)) {
>> > +
>> > + if (JNLPRuntime.isDebug())
>> > + System.out
>> > + .println("\tAPPLICATION.JNLP has been located within signed JAR. Starting verfication...");
>> > +
>> > + try {
>> > + verify = JNLPVerify.getInstanceOf(inputReader,
>> > + jnlpReader, false);
>> > + if (!verify.compare())
>> > + throw new JNLPVerifyException(
>> > + "Signed APPLICATION did not match launching JNLP File");
>> > + if (JNLPRuntime.isDebug())
>> > + System.out
>> > + .println("\t** Application Verification Successful **");
>> > + break; //break while loop
>> > + } catch (Exception e) {
>> > + throw new JNLPVerifyException(e.getMessage());
>> > + }
>> > + }
>> > +
>> > + if (jeName.equals(template)) {
>> > +
>> > + if (JNLPRuntime.isDebug())
>> > + System.out
>> > + .println("\tAPPLICATION_TEMPLATE.JNLP has been located within signed JAR. Starting verfication...");
>> > +
>> > + try {
>> > + verify = JNLPVerify.getInstanceOf(inputReader,
>> > + jnlpReader, true);
>> > +
>> > + if (!verify.compare())
>> > + throw new JNLPVerifyException(
>> > + "Signed APPLICATION_TEMPLATE did not match launching JNLP File");
>> > + if (JNLPRuntime.isDebug())
>> > + System.out
>> > + .println("\t** Template Verification Successful **");
>> > + break; //break while loop
>> > + } catch (Exception e) {
>> > + throw new JNLPVerifyException(e.getMessage());
>> > + }
>> > + }
>> > + }
> The code is being unnecessarily duplicated depending on whether it is a
> template or an application jnlp. Instead of the above, a boolean like
> 'isTemplate' (which can then be passed to instanceOf) would be better.
>
> ...
>
>> > +
>> > +class JNLPVerifyException extends Exception
>> > +{
>> > + private static final long serialVersionUID = 1L;
>> > +
>> > + JNLPVerifyException(String message)
>> > + {
>> > + super(message);
>> > + }
>> > +}
> Just to doubly enforce what Jiri said -- yes, definitely in a separate
> file please :)
>
>> > diff -r e0741a8c44b6 netx/net/sourceforge/nanoxml/XMLElement.java
>> > --- a/netx/net/sourceforge/nanoxml/XMLElement.java Tue Jun 14 13:30:55 2011 -0400
>> > +++ b/netx/net/sourceforge/nanoxml/XMLElement.java Thu Jun 23 15:57:15 2011 -0400
>> > @@ -1166,7 +1166,7 @@
>> > * @param pout The PipedOutputStream that will be receiving the filtered
>> > * xml file.
>> > */
>> > - public void sanitizeInput(InputStreamReader isr, PipedOutputStream pout) {
>> > + public void sanitizeInput(Reader isr, PipedOutputStream pout) {
> This is changing nanoxml code. And it is not needed anyway. In
> JNLPClassLoader you are creating an InputStreamReader, which is then
> being upcasted to Reader in the JNLPVerify's constructor. If you use
> InputStreamReader in JNLPVerify, the above change to XMLElement is not
> needed.
>
> Cheers,
> Deepak
More information about the distro-pkg-dev
mailing list