[RFC][icedtea-web]: Added support for signed JNLP file
Jiri Vanek
jvanek at redhat.com
Tue Jun 28 07:46:11 PDT 2011
mOn 06/28/2011 04:10 PM, Deepak Bhole wrote:
> * Jiri Vanek<jvanek at redhat.com> [2011-06-28 05:19]:
>> On 06/28/2011 12:42 AM, Deepak Bhole wrote:
>>> Hi Saad,
>>>
>
>
> Hi Jiri,
>
>> Here we are pointing into philosophic-based-java-discusion:) In case constructor throws an exception, I think factory method is much better, but it must ensure, all the "dangerous" (Exception throwing, null possible...) code to be check 'before', so possible creation in constructor will be "for sure" successful when all checks done in factory method.
>> As already mentioned, in this case the method should be createJnlpVerifier (see java naming conventions here)
>> So the code around this should at least :
>>
>
> I don't think constructors throwing checked exceptions is always a bad
> idea. java.net.URL for example does it, making the caller have to deal
> with any problems. Besides, even if wrapped in a Factory method, the
> caller will still have to deal with the exception thrown by *that*
> method..
>
> As for something like runtime exceptions being thrown
> from the constructor, ideally that should never happen (should be
> ensured by the constructor).
>
A I told, it depends on liking :) view. No problem on my side here.
> ...
>
>>>
>>> This logic seems more complex than it needs to be and is O(n^2). You can
>>> define a comparator and use Arrays.sort to sort the arrays that the
>>> getChildNodes() methods return. Then you only need to iterate over the
>>> array once -- resulting in O(nlogn) performance and much cleaner code.
>>
>> I'm not sure if this can be done in O(n log n) as I don't believe that sorting will help to much in case of comparing nodes.
>> Personally I like the approach when for each xapth is tried to find best matching xpath in second file. Ya - it is slow! but Jnlp files are small ,and verification is done for each jar only one times.
>> I have some time ago implement comparing of XML files based on sorting and it had not good results.
>
>
> Hmm, why do you say that it cannot be done in nlogn? Arrays.sort uses a
> mergesort variant and is nlogn. An additional iteration over the sorted
I thought that all across java platform (especially for Collections - for Arrays I can be wrong) is used Heap sort, and thats because It is keeping order of untouched sequences.
In our case this keeping of order is more bad then right ;)
> array would ofcourse result in nlogn + n, but thats still quite close :)
>
> I had code like this in mind:
>
> <define a comparator in XMLElement>
>
> Arrays.sort(templateChildren);
> Arrays.sort(jnlpChildren);
>
> for (int i=0...) {
> if (!compare(templateChildren[i], jnlpChildren[i]))
> return false;
> }
>
When we are speaking about common jnlps, then it _should_ work. Also there is question of comaprator upon nodes used for sorting. When it will be just alphabetical upon element name , imagine this:
<a>text1</a>
<a>text2</a>
....
<a>text2</a>
<a>text1</a>
Then the comparison will be wrong.
In case you will include also value of node - will you take just text?
<a>text1<b></b></a>
<a>text1</a>
....
<a>text1</a>
<a>text1<b></b></a>
Will be again wrong.
If you will take whole structure of children, then you will get nearly same time troubles as with original code. And you can got into troubles with:
<a>text1<b></b><c></c></a>
<a>text1</a>
....
<a>text1</a>
<a>text1<c></c><b></b></a>
when your sorting result will be again probably wrong.
I still think Saad's code is m much more bullet proof.
When we are speaking about this, are you sure that jnlps used for signature must be same in way of xml? I'm not sure about this:(
<a>text1</a>
<a>text2</a>
....
<a>text2</a>
<a>text1</a>
are same for xml point of view comparison, but for case of signature, they may be evaluated as different. (needinfo ? :) )
>
> It is probably not actually faster in real world cases where the
> template likely matches the JNLP in terms of order -- it is however
> simpler and cleaner though.
>
> Cheers,
> Deepak
>
>>>
>>> ...
>>>>> +
>>>>> + ArrayList<String> appTemplateAttributes = new ArrayList<String>(Arrays.asList(appTemplateNode.getAttributeNames()));
>>>>> + ArrayList<String> launchJNLPAttributes = new ArrayList<String>(Arrays.asList(launchJNLPNode.getAttributeNames()));
>>>>> +
>>> Same change as above can be made here.
>>
>> For attributes absolutely for sure. My comment form first post was silently ignored :)
>>>
>>> ...
>>>
>>>>>
>>>>> + if (js.anyJarsSigned()) {
>>>>> + //If there are any signed Jars, check if JNLP file is signed
>>>>> +
>>>>> + if (JNLPRuntime.isDebug())
>>>>> + System.out.println("STARTING check for signed JNLP file...");
>>>>> +
>>>>> + final String template = "JNLP-INF/APPLICATION_TEMPLATE.JNLP";
>>>>> + final String application = "JNLP-INF/APPLICATION.JNLP";
>>>>> +
>>>>> + for (int i = 0; i< jars.length; i++) {
>>>>> + List<JARDesc> eachJar = new ArrayList<JARDesc>();
>>>>> + JarSigner signer = new JarSigner();
>>>>> + eachJar.add(jars[i]); //Adds only the single jar to check if the jar has a valid signature
>>>>> +
>>>>> + tracker.addResource(jars[i].getLocation(), jars[i].getVersion(),
>>>>> + getDownloadOptionsForJar(jars[i]),
>>>>> + jars[i].isCacheable() ? JNLPRuntime.getDefaultUpdatePolicy()
>>>>> + : UpdatePolicy.FORCE);
>>>>> +
>>>>> + try {
>>>>> + signer.verifyJars(eachJar, tracker);
>>>>> +
>>>>> + if (signer.allJarsSigned()) { //If the jar is signed
>>>>> + URL location = jars[i].getLocation();
>>>>> + File localFile = tracker.getCacheFile(location);
>>>>> +
>>>>> + if (localFile != null) {
>>> There is a security issue here -- what if local file is null? Then no check will happen?
>>>
>>>>> + try {
>>>>> + JarFile jarFile = new JarFile(localFile);
>>>>> + Enumeration<JarEntry> entries = jarFile.entries();
>>>>> + JarEntry je;
>>>>> +
>>>>> + while (entries.hasMoreElements()) {
>>>>> + je = entries.nextElement();
>>>>> + String jeName = je.getName().toUpperCase();
>>>>> +
>>>>> + if (jeName.equals(template) || jeName.equals(application)) {
>>>>> +
>>> The specification states that the file names should be recognized
>>> regardless of case. The above code does not allow that.
>>>
>>> ...
>>>
>>>>> +
>>>>> + if (jeName.equals(application)) {
>>>>> +
>>>>> + if (JNLPRuntime.isDebug())
>>>>> + System.out
>>>>> + .println("\tAPPLICATION.JNLP has been located within signed JAR. Starting verfication...");
>>>>> +
>>>>> + try {
>>>>> + verify = JNLPVerify.getInstanceOf(inputReader,
>>>>> + jnlpReader, false);
>>>>> + if (!verify.compare())
>>>>> + throw new JNLPVerifyException(
>>>>> + "Signed APPLICATION did not match launching JNLP File");
>>>>> + if (JNLPRuntime.isDebug())
>>>>> + System.out
>>>>> + .println("\t** Application Verification Successful **");
>>>>> + break; //break while loop
>>>>> + } catch (Exception e) {
>>>>> + throw new JNLPVerifyException(e.getMessage());
>>>>> + }
>>>>> + }
>>>>> +
>>>>> + if (jeName.equals(template)) {
>>>>> +
>>>>> + if (JNLPRuntime.isDebug())
>>>>> + System.out
>>>>> + .println("\tAPPLICATION_TEMPLATE.JNLP has been located within signed JAR. Starting verfication...");
>>>>> +
>>>>> + try {
>>>>> + verify = JNLPVerify.getInstanceOf(inputReader,
>>>>> + jnlpReader, true);
>>>>> +
>>>>> + if (!verify.compare())
>>>>> + throw new JNLPVerifyException(
>>>>> + "Signed APPLICATION_TEMPLATE did not match launching JNLP File");
>>>>> + if (JNLPRuntime.isDebug())
>>>>> + System.out
>>>>> + .println("\t** Template Verification Successful **");
>>>>> + break; //break while loop
>>>>> + } catch (Exception e) {
>>>>> + throw new JNLPVerifyException(e.getMessage());
>>>>> + }
>>>>> + }
>>>>> + }
>>> The code is being unnecessarily duplicated depending on whether it is a
>>> template or an application jnlp. Instead of the above, a boolean like
>>> 'isTemplate' (which can then be passed to instanceOf) would be better.
>>>
>>> ...
>>>
>>>>> +
>>>>> +class JNLPVerifyException extends Exception
>>>>> +{
>>>>> + private static final long serialVersionUID = 1L;
>>>>> +
>>>>> + JNLPVerifyException(String message)
>>>>> + {
>>>>> + super(message);
>>>>> + }
>>>>> +}
>>> Just to doubly enforce what Jiri said -- yes, definitely in a separate
>>> file please :)
>>>
>>>>> diff -r e0741a8c44b6 netx/net/sourceforge/nanoxml/XMLElement.java
>>>>> --- a/netx/net/sourceforge/nanoxml/XMLElement.java Tue Jun 14 13:30:55 2011 -0400
>>>>> +++ b/netx/net/sourceforge/nanoxml/XMLElement.java Thu Jun 23 15:57:15 2011 -0400
>>>>> @@ -1166,7 +1166,7 @@
>>>>> * @param pout The PipedOutputStream that will be receiving the filtered
>>>>> * xml file.
>>>>> */
>>>>> - public void sanitizeInput(InputStreamReader isr, PipedOutputStream pout) {
>>>>> + public void sanitizeInput(Reader isr, PipedOutputStream pout) {
>>> This is changing nanoxml code. And it is not needed anyway. In
>>> JNLPClassLoader you are creating an InputStreamReader, which is then
>>> being upcasted to Reader in the JNLPVerify's constructor. If you use
>>> InputStreamReader in JNLPVerify, the above change to XMLElement is not
>>> needed.
>>>
>>> Cheers,
>>> Deepak
>>
More information about the distro-pkg-dev
mailing list