[RFC][icedtea-web] Fix JarSigner to check that cert start dates have passed
Danesh Dadachanji
ddadacha at redhat.com
Fri Mar 30 12:59:58 PDT 2012
Hi,
Currently, JarSigner never sets notYetValidCert to true, the notBefore
date is never checked when sorting out the certificates. If it were
true, the certificate would be considered as having signing issues and
all the unverified prompts would start triggering. Attached is a patch
to fix this, everything else is already taken care of WRT
notYetValidCert being checked in other places.
ChangeLog
+2012-03-30 Danesh Dadachanji <ddadacha at redhat.com>
+
+ Certificate start dates are not being checked, they are still verified
+ even if the date has yet not been reached.
+ * netx/net/sourceforge/jnlp/tools/JarSigner.java (verifyJar): If the start
+ date is in the future, set notYetValidCert to true.
+
Okay for HEAD? Thoughts on backporting? I don't think this should wait
to be backported since currently it is verifying certificates it should
not be letting through, misleading users when dialogs prompt.
Cheers,
Danesh
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not-yet-valid-certs.patch
Type: text/x-patch
Size: 1299 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20120330/0813e979/not-yet-valid-certs.patch
More information about the distro-pkg-dev
mailing list