[RFC][icedtea-web] Fix JarSigner to check that cert start dates have passed
Deepak Bhole
dbhole at redhat.com
Mon Apr 2 08:11:07 PDT 2012
* Danesh Dadachanji <ddadacha at redhat.com> [2012-04-02 11:06]:
>
> On 30/03/12 05:22 PM, Deepak Bhole wrote:
> >* Danesh Dadachanji<ddadacha at redhat.com> [2012-03-30 17:04]:
> >>On 30/03/12 04:20 PM, Deepak Bhole wrote:
> >>>* Danesh Dadachanji<ddadacha at redhat.com> [2012-03-30 16:02]:
> >>>>Hi,
> >>>>
> >>>>Currently, JarSigner never sets notYetValidCert to true; the
> >>>>notBefore date is never checked when sorting out the certificates.
> >>>>If it were true, the certificate would be considered as having
> >>>>signing issues and all the unverified prompts would start
> >>>>triggering. Attached is a patch to fix this; everything else is
> >>>>already taken care of WRT notYetValidCert being checked in other
> >>>>places.
> >>>>
> >>>>ChangeLog
> >>>>+2012-03-30 Danesh Dadachanji<ddadacha at redhat.com>
> >>>>+
> >>>>+ Certificate start dates are not being checked, they are still verified
> >>>>+ even if the date has yet not been reached.
> >>>>+ * netx/net/sourceforge/jnlp/tools/JarSigner.java (verifyJar): If the start
> >>>>+ date is in the future, set notYetValidCert to true.
> >>>>+
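Review bot: the two summary lines at the top of this ChangeLog entry state the bug rather than the change, and "has yet not been reached" should read "has not yet been reached". Suggest describing the fix directly, for example "Treat certificates whose start date has not yet been reached as not yet valid." The entry also lists only JarSigner.java, so if a reproducer or test accompanies the fix, it should be named here as well.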
> >>>>
> >>>>
> >>>>Okay for HEAD? Thoughts on backporting? I don't think this should
> >>>>wait to be backported since currently it is verifying certificates
> >>>>it should not be letting through, misleading users when dialogs
> >>>>prompt.
> >>>>
> >>>
> >>>I think this one is fine for 1.1 and 1.2 in addition to HEAD.
> >>
> >>Bah, noticed a bug in the patch: if the cert expires in 6 months or
> >>less, that flag is set and the notYetValidCert isn't. I tested it
> >>with a 365 day valid cert the first time around. :S
> >>
> >
> >This looks fine. Btw, do we really need a warning for something about to
> >expire? Until it expires, the cert is completely valid. Perhaps we
> >should remove it?
>
> I don't see the warning being too troublesome if it's not directly
> shown to the user. It's only shown if you click on More Information.
> It also doesn't affect whether or not the cert is verified so I
> would guess most users don't even notice it if the signer is fine.
> =) Perhaps we should change the icon associated with it to be more
> friendly (currently the warning one with the yellow triangle and
> "!"). What do you think?
>
+1 for changing icon then, but that would be a separate patch.
This one is OK for 1.1, 1.2 and HEAD.
Cheers,
Deepak
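
The date checks discussed in this thread, as an added example that is not the attached patch or icedtea-web code: each condition is tested on its own, so a near-expiry warning cannot mask a start date that lies in the future. The `Issue` names, the 180-day window standing in for "6 months", and the sample dates are assumptions made for illustration.

```java
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.EnumSet;

public class CertDateCheck {
    // Hypothetical flag names; only notYetValidCert is named in the thread.
    enum Issue { NOT_YET_VALID, EXPIRED, EXPIRES_SOON }

    // Assumption: "6 months or less" approximated as 180 days.
    static final Duration SOON = Duration.ofDays(180);

    // The start-date test is independent of the expiry tests, so both
    // NOT_YET_VALID and EXPIRES_SOON can be reported for the same certificate.
    static EnumSet<Issue> classify(Instant notBefore, Instant notAfter, Instant now) {
        EnumSet<Issue> issues = EnumSet.noneOf(Issue.class);
        if (now.isBefore(notBefore)) {
            issues.add(Issue.NOT_YET_VALID);
        }
        if (now.isAfter(notAfter)) {
            issues.add(Issue.EXPIRED);
        } else if (!now.plus(SOON).isBefore(notAfter)) {
            issues.add(Issue.EXPIRES_SOON);
        }
        return issues;
    }

    // Adapter for a real certificate taken from a signed JAR.
    static EnumSet<Issue> classify(X509Certificate cert, Instant now) {
        return classify(cert.getNotBefore().toInstant(), cert.getNotAfter().toInstant(), now);
    }

    // Per the thread, the near-expiry warning does not affect verification;
    // a start date in the future (or a past end date) does.
    static boolean hasSigningIssue(EnumSet<Issue> issues) {
        return issues.contains(Issue.NOT_YET_VALID) || issues.contains(Issue.EXPIRED);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2012-04-02T00:00:00Z"); // constructed sample date
        Instant[][] samples = {                              // constructed validity windows
            { now.plus(Duration.ofDays(30)), now.plus(Duration.ofDays(120)) },  // future start, short life
            { now.plus(Duration.ofDays(30)), now.plus(Duration.ofDays(395)) },  // future start, 365-day life
            { now.minus(Duration.ofDays(10)), now.plus(Duration.ofDays(355)) }, // currently valid
        };
        for (Instant[] s : samples) {
            EnumSet<Issue> issues = classify(s[0], s[1], now);
            System.out.println(issues + " signingIssue=" + hasSigningIssue(issues));
        }
    }
}
```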