[RFC][icedtea-web] Fix JarSigner to check that cert start dates have passed
Deepak Bhole
dbhole at redhat.com
Fri Mar 30 13:20:49 PDT 2012
* Danesh Dadachanji <ddadacha at redhat.com> [2012-03-30 16:02]:
> Hi,
>
> Currently, JarSigner never sets notYetValidCert to true; the
> notBefore date is never checked when sorting out the certificates.
> If it were true, the certificate would be considered as having
> signing issues and all the unverified prompts would start
> triggering. Attached is a patch to fix this; everything else is
> already taken care of WRT notYetValidCert being checked in other
> places.
>
> ChangeLog
> +2012-03-30 Danesh Dadachanji <ddadacha at redhat.com>
> +
> + Certificate start dates are not being checked, they are still verified
> + even if the date has yet not been reached.
> + * netx/net/sourceforge/jnlp/tools/JarSigner.java (verifyJar): If the start
> + date is in the future, set notYetValidCert to true.
> +
>
>
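Review bot: the ChangeLog entry lists only JarSigner.java (verifyJar), so the fix lands without a test. A reproducer that loads a JAR signed with a certificate whose start date is still in the future, and asserts that it is treated as having signing issues, would keep notYetValidCert from silently regressing again. In the entry's first sentence, "has yet not been reached" should read "has not yet been reached".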
> Okay for HEAD? Thoughts on backporting? I don't think this should
> wait to be backported since currently it is verifying certificates
> it should not be letting through, misleading users when dialogs
> prompt.
>
I think this one is fine for 1.1 and 1.2 in addition to HEAD.
Cheers,
Deepak
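
The gap discussed in this thread, as an added example that is not part of the original messages or of icedtea-web's JarSigner: an expiry-only check beside a full validity-window check, run over constructed sample dates. The class, enum and method names are hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.Date;

// Added illustration; class, enum and method names are hypothetical, not icedtea-web code.
public class CertWindowCheck {
    enum Window { VALID, NOT_YET_VALID, EXPIRED }

    // Expiry-only check: notBefore is never consulted, so a future-dated cert passes.
    static Window expiryOnly(Date notBefore, Date notAfter, Date now) {
        return now.after(notAfter) ? Window.EXPIRED : Window.VALID;
    }

    // Full window check: a start date still in the future is reported as an issue.
    static Window fullWindow(Date notBefore, Date notAfter, Date now) {
        if (now.before(notBefore)) return Window.NOT_YET_VALID;
        if (now.after(notAfter)) return Window.EXPIRED;
        return Window.VALID;
    }

    // True if any certificate in a signer's chain is outside its validity window.
    static boolean chainHasDateIssue(X509Certificate[] chain, Date now) {
        for (X509Certificate cert : chain) {
            if (fullWindow(cert.getNotBefore(), cert.getNotAfter(), now) != Window.VALID) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        final long day = 24L * 60 * 60 * 1000;
        long t = System.currentTimeMillis();
        Date now = new Date(t);
        // Constructed sample validity windows: {label, notBefore offset, notAfter offset} in days.
        Object[][] samples = {
            { "current",      -30L,  335L },
            { "future-dated",  30L,  395L },
            { "expired",     -400L,  -35L },
        };
        for (Object[] s : samples) {
            Date notBefore = new Date(t + (Long) s[1] * day);
            Date notAfter = new Date(t + (Long) s[2] * day);
            System.out.printf("%-13s expiryOnly=%-8s fullWindow=%s%n", s[0],
                    expiryOnly(notBefore, notAfter, now), fullWindow(notBefore, notAfter, now));
        }
    }
}
```

The "future-dated" row is the case at issue: the expiry-only check reports VALID while the full check reports NOT_YET_VALID.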
More information about the distro-pkg-dev
mailing list