/hg/release/icedtea-web-1.1: RH738814: Access denied at ssl hand...

omajid at icedtea.classpath.org omajid at icedtea.classpath.org
Fri Sep 23 09:14:57 PDT 2011 

changeset 0a1733685325 in /hg/release/icedtea-web-1.1
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.1?cmd=changeset;node=0a1733685325
author: Omair Majid <omajid at redhat.com>
date: Fri Sep 23 12:14:39 2011 -0400

	RH738814: Access denied at ssl handshake

	It turns out that TrustManager.checkTrusted() could be called by
	untrusted code. In such a case, we should still show a warning to
	the user, and not throw a SecurityException instead.

	2011-09-23 Omair Majid <omajid at redhat.com>

	 * netx/net/sourceforge/jnlp/security/SecurityDialogs.java
	(showCertWarningDialog): Add a javadoc comment.
	    * netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
	(askUser): Wrap the call to showCertWarningDialog in a doPrivileged
	block.


diffstat:

 ChangeLog                                                        |   9 +++++
 NEWS                                                             |   1 +
 netx/net/sourceforge/jnlp/security/SecurityDialogs.java          |   2 +
 netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java |  18 +++++++--
 4 files changed, 25 insertions(+), 5 deletions(-)

diffs (78 lines):

diff -r c7b22b085229 -r 0a1733685325 ChangeLog
--- a/ChangeLog	Tue Sep 13 16:23:04 2011 -0400
+++ b/ChangeLog	Fri Sep 23 12:14:39 2011 -0400
@@ -1,3 +1,12 @@
+2011-09-23  Omair Majid  <omajid at redhat.com>
+
+	RH738814: Access denied at ssl handshake
+	* netx/net/sourceforge/jnlp/security/SecurityDialogs.java
+	(showCertWarningDialog): Add a javadoc comment.
+	* netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
+	(askUser): Wrap the call to showCertWarningDialog in a doPrivileged
+	block.
+
 2011-09-13  Deepak Bhole <dbhole at redhat.com>
 
 	PR782: Support building against npapi-sdk as well
diff -r c7b22b085229 -r 0a1733685325 NEWS
--- a/NEWS	Tue Sep 13 16:23:04 2011 -0400
+++ b/NEWS	Fri Sep 23 12:14:39 2011 -0400
@@ -20,6 +20,7 @@
   - PR768: Signed applets/Web Start apps don't work with OpenJDK7 and up
   - PR769: IcedTea-Web does not work with some ssl sites with OpenJDK7
   - RH734081: Javaws cannot use proxy settings from Firefox
+  - RH738814: Access denied at ssl handshake
 
 New in release 1.1.1 (2011-07-20):
 * Security updates:
diff -r c7b22b085229 -r 0a1733685325 netx/net/sourceforge/jnlp/security/SecurityDialogs.java
--- a/netx/net/sourceforge/jnlp/security/SecurityDialogs.java	Tue Sep 13 16:23:04 2011 -0400
+++ b/netx/net/sourceforge/jnlp/security/SecurityDialogs.java	Fri Sep 23 12:14:39 2011 -0400
@@ -181,6 +181,8 @@
      * @param accessType the type of warning dialog to show
      * @param file the JNLPFile associated with this warning
      * @param jarSigner the JarSigner used to verify this application
+     *
+     * @return true if the user accepted the certificate
      */
     public static boolean showCertWarningDialog(AccessType accessType,
             JNLPFile file, CertVerifier jarSigner) {
diff -r c7b22b085229 -r 0a1733685325 netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
--- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java	Tue Sep 13 16:23:04 2011 -0400
+++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java	Fri Sep 23 12:14:39 2011 -0400
@@ -37,7 +37,9 @@
 
 package net.sourceforge.jnlp.security;
 
+import java.security.AccessController;
 import java.security.KeyStore;
+import java.security.PrivilegedAction;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -379,14 +381,20 @@
      * @param authType The authentication algorithm
      * @return user's response
      */
-    private boolean askUser(X509Certificate[] chain, String authType,
-                            boolean isTrusted, boolean hostMatched,
-                            String hostName) {
-        return SecurityDialogs.showCertWarningDialog(
+    private boolean askUser(final X509Certificate[] chain, final String authType,
+                            final boolean isTrusted, final boolean hostMatched,
+                            final String hostName) {
+        final VariableX509TrustManager trustManager = this;
+        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
+            @Override
+            public Boolean run() {
+                return SecurityDialogs.showCertWarningDialog(
                         AccessType.UNVERIFIED, null,
-                        new HttpsCertVerifier(this, chain, authType,
+                        new HttpsCertVerifier(trustManager, chain, authType,
                                               isTrusted, hostMatched,
                                               hostName));
+            }
+        });
     }
 
     /**

More information about the distro-pkg-dev mailing list