[icedtea-web] RFC: PR822: Applets fail to load if jars have different signers

Omair Majid omajid at redhat.com
Fri Jan 27 13:01:48 PST 2012


On 01/26/2012 02:55 PM, Deepak Bhole wrote:
> Hi,
>
> This patch fixes PR822:
> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=822
>
> It makes it so that applets do not require all jars to have a single
> signer (which is not mandated by the spec). After the patch, sites like
> the one mentioned in the bug (https://bcee.snet.lu/) now work.
>
> ChangeLog:
> 2012-01-26  Deepak Bhole <dbhole at redhat.com>
>
>      PR822: Applets fail to load if jars have different signers
>      * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
>      (initializeResources): Ensure that there is a single signer only for Web
>      Start applications and not for applets.
>      * netx/net/sourceforge/jnlp/tools/JarSigner.java (verifyJar): Ensure that
>      a given jar is signed throughout by at least one common certificate.
>
> Okay for 1.2 and HEAD?
>

A minor comment below.

> diff -r b901442e9ba4 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Wed Jan 25 16:42:27 2012 +0100
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Thu Jan 26 14:44:54 2012 -0500
> @@ -470,8 +470,15 @@
>                                           R("LCInit"), R("LFatalVerification"), R("LFatalVerificationInfo"));
>               }
>
> -            //Case when at least one jar has some signing
> -            if (js.anyJarsSigned()&&  js.isFullySignedByASingleCert()) {
> +            // Case when at least one jar has some signing
> +            // For permissions to be given, we need:
> +            // 1. Something is signed
> +            // 2. This is an applet
> +            // 3. OR, if this is NOT an applet, all jars have the same signer
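
Review bot: The numbered comment in the added lines mixes an implicit AND with an explicit OR ("2. This is an applet" / "3. OR, if this is NOT an applet, all jars have the same signer"), so the grouping of the three conditions cannot be read unambiguously; spell it out as "something is signed AND (this is an applet OR all jars have the same signer)". For the applet case the comment leaves "something is signed" as the only stated requirement, where the removed line also required js.isFullySignedByASingleCert(), so the comment should say explicitly what is granted when only some of an applet's jars are signed. The replacement condition is not visible in the quoted portion of the hunk, so it should be checked against the reworded comment.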

Something I am not sure about: are we supposed to run applets that 
consist of unsigned + signed jars? This if statement might have to be 
tweaked a bit.

Other than that, this looks fine to me.

Cheers,
Omair


