[RFC][icedtea-web] Use global JarCertVerifier in JNLPClassLoader

Danesh Dadachanji ddadacha at redhat.com
Wed May 16 15:24:33 PDT 2012


Hi,

The attached patches make JNLPClassLoader use a global JCV to ensure we can actually check the app is signed entirely by at least one 
common signer. Currently, the classloader does not maintain verification of jars loaded upon main initialization vs jars loaded at 
runtime. Therefore, we are not actually able to enforce an application to be signed entirely by one signer.

The application may initially be signed entirely (i.e. all resources/archives specified have a common signer) but then as classes are 
loaded at runtime (e.g. via manifest classpath), these are not verified along with the original jars. A new JarCertVerifier is used to 
verify each set.

I used an instance var per JNLPClassLoader to keep track of all the jars verified thus far. Each JNLPClassLoader keeps track of its own 
app's jars so when JNLP extensions are specified, a new JNLPClassLoader is created. This ensures there can be separate signers between 
different JNLPs.

The current method to determine if a jar is signed completely was to check against JarCertVerifier#anyJarSigned. This method is 
somewhat flawed. If any single entry is signed then this method returns true. However, if one entry of a jar is signed and another 
unsigned, then the jar is considered unsigned, as is the app as a whole. Therefore, I have included JarCertVerifier#isFullySigned in 
the conditional as well to ensure the app is in fact fully signed.

Another change is the removal of permission checking of nested jars. If the entry of the nested jar is signed, then we should assume 
that the person signing the jar trusts it to do whatever it must. The nested jar is given the same security context as its parent jar.

I've extensively tested this against a combination of signed/unsigned entries in 
resource/archive-specified/nested/manifest-classpath/extension jars using JNLPs, the applet tag, javaws and jnlp_href, as well as many 
duplicate jars. I have also run through all the regression tests for HEAD, 1.2 and 1.1, and everything ran fine.

I propose the following patches to HEAD, 1.2 and 1.1.

ChangeLog: (s/JarCertVerifier/JarSigner/g for release branches)
+2012-05-16  Danesh Dadachanji <ddadacha at redhat.com>
+
+	Use a global JarCertVerifier in the classloader to keep track of every
+	jar that has been verified.
+	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+	(addNewJar), (initializeResources), (verifySignedJNLP):
+	Replaced use of local JarCertVerifier variable with the instance  variable.
+	Added calls to isFullySigned wherever signer verification is done.
+	(activateJars): No longer verifies nested jars. These receive the same
+	security permissions as their parent jar, regardless of the nested
+	jar's signing.
+	(verifyJars): Removed.
+	* netx/net/sourceforge/jnlp/tools/JarCertVerifier.java:
+	(add): New public method that resets some instance vars and
+	calls verifyJars.
+	(verifyJars): Modifier changed to private, above method should be used.
+	(isFullySignedByASingleCert): renamed to isFullySigned.
+
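Review bot: the (activateJars) entry records that nested jars now get their parent jar's security permissions "regardless of the nested jar's signing" but not why that is acceptable; putting the assumption from the cover letter (a signed outer entry means its signer vouches for the nested jar) into the entry keeps the rationale with the change. In the same hunk, the rename of isFullySignedByASingleCert to isFullySigned drops the single-common-signer condition from the method name while the stated goal is exactly that one signer covers every jar, so the entry (or a javadoc on the renamed method) should say that isFullySigned still means "signed entirely by at least one common signer". Minor: "instance  variable" has a doubled space.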

A note for 1.1, it does not have the changeset that brought in verification of a signed JNLP as a jar entry so those 2 hunks are 
removed. Also, 1.1 and 1.2 are still using JarSigner instead of JarCertVerifier so I have accounted for that. Apart from these, the 
patches are identical in logic. All three patches attached.

Any and all comments much appreciated! Please especially ask for a testcase if you have one in mind.

Cheers,
Danesh
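The anyJarSigned/isFullySigned distinction described above, together with one verifier tracking every jar added over the classloader's lifetime, as an added example (not IcedTea-Web code): signer names are constructed strings standing in for the certificate chains JarEntry.getCodeSigners() would return, and both jars' contents are constructed inline.

```java
import java.util.*;
// Added example, not IcedTea-Web code: a minimal model of a classloader-wide verifier that keeps
// the signers of every jar added so far, so jars loaded later (e.g. via Class-Path) face the same check.
public class GlobalJarVerifier {
    // Signers common to every entry of every jar added so far; null until the first entry is seen.
    private Set<String> commonSigners = null;
    private boolean anyEntrySigned = false;
    private boolean allEntriesSigned = true;

    /** Add one jar: entry name -> signers of that entry (empty set = unsigned). Constructed stand-in for JarEntry.getCodeSigners(). */
    public void add(Map<String, Set<String>> jarEntries) {
        for (Map.Entry<String, Set<String>> e : jarEntries.entrySet()) {
            if (e.getKey().startsWith("META-INF/")) continue; // manifest/signature files carry no signers
            Set<String> signers = e.getValue();
            if (signers.isEmpty()) {
                allEntriesSigned = false;
                commonSigners = new HashSet<>(); // an unsigned entry leaves no signer common to all
                continue;
            }
            anyEntrySigned = true;
            if (commonSigners == null) commonSigners = new HashSet<>(signers);
            else commonSigners.retainAll(signers);
        }
    }
    /** The weak check: true as soon as any single entry in any jar is signed. */
    public boolean anyJarSigned() { return anyEntrySigned; }
    /** The strong check: every entry of every jar seen so far is signed, and one signer covers all of them. */
    public boolean isFullySigned() {
        return allEntriesSigned && commonSigners != null && !commonSigners.isEmpty();
    }

    public static void main(String[] args) {
        GlobalJarVerifier jcv = new GlobalJarVerifier();
        // Jar listed in the JNLP <resources>: every class signed by the same (constructed) certificate.
        Map<String, Set<String>> mainJar = new LinkedHashMap<>();
        mainJar.put("META-INF/MANIFEST.MF", Set.of());
        mainJar.put("app/Main.class", Set.of("CN=Vendor"));
        mainJar.put("app/Util.class", Set.of("CN=Vendor"));
        jcv.add(mainJar);
        System.out.println("after main jar: any=" + jcv.anyJarSigned() + " full=" + jcv.isFullySigned());
        // Jar pulled in at runtime via the manifest Class-Path: one entry signed, one not.
        Map<String, Set<String>> runtimeJar = new LinkedHashMap<>();
        runtimeJar.put("lib/Helper.class", Set.of("CN=Vendor"));
        runtimeJar.put("lib/Extra.class", Set.of());
        jcv.add(runtimeJar);
        System.out.println("after runtime jar: any=" + jcv.anyJarSigned() + " full=" + jcv.isFullySigned());
    }
}
```

Because the verifier is never reset between adds, the second jar's unsigned entry turns isFullySigned false for the whole application while anyJarSigned stays true, which is the gap the patch closes.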
-------------- next part --------------
A non-text attachment was scrubbed...
Name: global-jcv-in-jnlp-classloader-HEAD-01.patch
Type: text/x-patch
Size: 10058 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20120516/5acc6a14/global-jcv-in-jnlp-classloader-HEAD-01.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: global-jcv-in-jnlp-classloader-1.1-01.patch
Type: text/x-patch
Size: 9216 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20120516/5acc6a14/global-jcv-in-jnlp-classloader-1.1-01.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: global-jcv-in-jnlp-classloader-1.2-01.patch
Type: text/x-patch
Size: 9216 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20120516/5acc6a14/global-jcv-in-jnlp-classloader-1.2-01.patch 