[RFC][icedtea-web] Fix JarSigner to check that cert start dates have passed

Danesh Dadachanji ddadacha at redhat.com
Mon Apr 2 08:32:30 PDT 2012



On 02/04/12 11:11 AM, Deepak Bhole wrote:
> * Danesh Dadachanji<ddadacha at redhat.com>  [2012-04-02 11:06]:
>>
>> On 30/03/12 05:22 PM, Deepak Bhole wrote:
>>> * Danesh Dadachanji<ddadacha at redhat.com>   [2012-03-30 17:04]:
>>>> On 30/03/12 04:20 PM, Deepak Bhole wrote:
>>>>> * Danesh Dadachanji<ddadacha at redhat.com>    [2012-03-30 16:02]:
>>>>>> Hi,
>>>>>>
>>>>>> Currently, JarSigner never sets notYetValidCert to true, the
>>>>>> notBefore date is never checked when sorting out the certificates.
>>>>>> If it were true, the certificate would be considered as having
>>>>>> signing issues and all the unverified prompts would start
>>>>>> triggering. Attached is a patch to fix this, everything else is
>>>>>> already taken care of WRT notYetValidCert being checked in other
>>>>>> places.
>>>>>>
>>>>>> ChangeLog
>>>>>> +2012-03-30  Danesh Dadachanji<ddadacha at redhat.com>
>>>>>> +
>>>>>> +	Certificate start dates are not being checked, they are still verified
>>>>>> +	even if the date has yet not been reached.
>>>>>> +	* netx/net/sourceforge/jnlp/tools/JarSigner.java (verifyJar): If the start
>>>>>> +	date is in the future, set notYetValidCert to true.
>>>>>> +
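Review bot: the summary sentence of this ChangeLog entry states the old behaviour rather than the change, and "has yet not been reached" should read "has not yet been reached". Suggest wording it as the fix, for example that verifyJar now flags a certificate whose start date is still in the future, so the entry reads correctly once the patch is applied.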
>>>>>>
>>>>>>
>>>>>> Okay for HEAD? Thoughts on backporting? I don't think this should
>>>>>> wait to be backported since currently it is verifying certificates
>>>>>> it should not be letting through, misleading users when dialogs
>>>>>> prompt.
>>>>>>
>>>>>
>>>>> I think this one is fine for 1.1 and 1.2 in addition to HEAD.
>>>>
>>>> Bah noticed a bug in the patch, if the cert expires in 6 months or
>>>> less, that flag is set and the notYetValidCert isn't. I tested it
>>>> with a 365 day valid cert the first time around. :S
>>>>
>>>
>>> This looks fine. Btw, do we really need a warning for something about to
>>> expire? Until it expires, the cert is completely valid. Perhaps we
>>> should remove it?
>>
>> I don't see the warning being too troublesome if it's not directly
>> shown to the user. It's only shown if you click on More Information.
>> It also doesn't affect whether or not the cert is verified so I
>> would guess most users don't even notice it if the signer is fine.
>> =) Perhaps we should change the icon associated with it to be more
>> friendly (currently the warning one with the yellow triangle and
>> "!"). What do you think?
>>
>
> +1 for changing icon then, but that would be a separate patch.
>

Alright, I'll take a look at the other ones we have and implement this 
after the other changes to JarSigner are made.

> This one is OK for 1.1, 1.2 and HEAD.
>

Thanks! Pushed here:

http://icedtea.classpath.org/hg/icedtea-web/rev/eb3a40549623
http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/9c0e0aec8ac8
http://icedtea.classpath.org/hg/release/icedtea-web-1.1/rev/4672053d61e0

Cheers,
Danesh
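
The validity-window check discussed in this thread, as an added example that is not part of the original message and is not icedtea-web code. The class, enum and method names are hypothetical, "6 months" is approximated as 180 days, and treating an expired certificate as a signing issue is an assumption. The third sample is the case from the follow-up: a certificate that both starts in the future and expires within six months must still be reported as not yet valid.

```java
import java.util.Date;
import java.util.EnumSet;
import java.util.Set;

// Added illustration; class, enum and method names are hypothetical, not icedtea-web's.
public class CertWindowCheck {
    enum Issue { NOT_YET_VALID, EXPIRED, EXPIRES_SOON }

    static final long DAY_MS = 24L * 60 * 60 * 1000;
    // Assumption: "6 months" approximated as 180 days.
    static final long SOON_MS = 180 * DAY_MS;

    // The start-date test is independent of the expiry tests, so an early
    // expiry date cannot hide a start date that is still in the future.
    static Set<Issue> classify(Date notBefore, Date notAfter, Date now) {
        Set<Issue> issues = EnumSet.noneOf(Issue.class);
        if (now.before(notBefore)) {
            issues.add(Issue.NOT_YET_VALID);
        }
        if (now.after(notAfter)) {
            issues.add(Issue.EXPIRED);
        } else if (notAfter.getTime() - now.getTime() <= SOON_MS) {
            issues.add(Issue.EXPIRES_SOON);
        }
        return issues;
    }

    // EXPIRES_SOON is informational only; counting EXPIRED here is an assumption.
    static boolean hasSigningIssue(Set<Issue> issues) {
        return issues.contains(Issue.NOT_YET_VALID) || issues.contains(Issue.EXPIRED);
    }

    public static void main(String[] args) {
        Date now = new Date();
        long t = now.getTime();
        // Constructed validity windows {notBefore, notAfter}, relative to now.
        Date[][] samples = {
            { new Date(t - 30 * DAY_MS),  new Date(t + 335 * DAY_MS) }, // valid, far from expiry
            { new Date(t - 30 * DAY_MS),  new Date(t + 60 * DAY_MS) },  // valid, expires soon
            { new Date(t + DAY_MS),       new Date(t + 91 * DAY_MS) },  // starts tomorrow, 90-day life
            { new Date(t - 400 * DAY_MS), new Date(t - 35 * DAY_MS) },  // expired
        };
        for (Date[] s : samples) {
            Set<Issue> issues = classify(s[0], s[1], now);
            System.out.println(issues + " signingIssue=" + hasSigningIssue(issues));
        }
    }
}
```

With a real certificate the two dates come from `X509Certificate.getNotBefore()` and `getNotAfter()`.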



More information about the distro-pkg-dev mailing list