[icedtea-web] RFC: PR822: Applets fail to load if jars have different signers

Danesh Dadachanji ddadacha at redhat.com
Thu Feb 2 09:31:08 PST 2012



On 27/01/12 04:01 PM, Omair Majid wrote:
> On 01/26/2012 02:55 PM, Deepak Bhole wrote:
>> Hi,
>>
>> This patch fixes PR822:
>> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=822
>>
>> It makes it so that applets do not require all jars to have a single
>> signer (which is not mandated by the spec). After the patch, sites like
>> the one mentioned in the bug (https://bcee.snet.lu/) now work.
>>
>> ChangeLog:
>> 2012-01-26 Deepak Bhole <dbhole at redhat.com>
>>
>> PR822: Applets fail to load if jars have different signers
>> * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
>> (initializeResources): Ensure that there is a single signer only for Web
>> Start applications and not for applets.
>> * netx/net/sourceforge/jnlp/tools/JarSigner.java (verifyJar): Ensure that
>> a given jar is signed throughout by at least one common certificate.
>>
>> Okay for 1.2 and HEAD?
>>
>
> A minor comment below.
>
>> diff -r b901442e9ba4
>> netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
>> --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Wed Jan
>> 25 16:42:27 2012 +0100
>> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Thu Jan
>> 26 14:44:54 2012 -0500
>> @@ -470,8 +470,15 @@
>> R("LCInit"), R("LFatalVerification"), R("LFatalVerificationInfo"));
>> }
>>
>> - //Case when at least one jar has some signing
>> - if (js.anyJarsSigned()&& js.isFullySignedByASingleCert()) {
>> + // Case when at least one jar has some signing
>> + // For permissions to be given, we need:
>> + // 1. Something is signed
>> + // 2. This is an applet
>> + // 3. OR, if this is NOT an applet, all jars have the same signer
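
Review bot: The numbered list in the added comment (items 1 to 3) is ambiguous about how the conditions combine. Read top to bottom, "2. This is an applet" followed by "3. OR, if this is NOT an applet, all jars have the same signer" can be parsed as (1 AND 2) OR 3 just as easily as 1 AND (2 OR 3). Since this condition decides whether permissions are given, spell the grouping out in the comment, for example "something is signed AND (this is an applet OR all jars have the same signer)". The comment also leaves open what the applet case means for a mix of signed and unsigned jars: item 1 only requires that something is signed, so it should state whether unsigned jars in such an applet receive the same permissions or are handled separately.
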
>
> Something I am not sure about: are we supposed to run applets that
> consist of unsigned + signed jars? This if statement might have to be
> tweaked a bit.
>

Please see my other email, I've explained it there!

Cheers,
Danesh
