[RFC][icedtea-web] Signed JNLP file: added regression tests
Saad Mohammad
smohammad at redhat.com
Mon May 28 10:03:36 PDT 2012
Hello,
The attached patches contains the suggested changes and some additional
tests requested from the previous email. The three patches tests the
launch of applications with:
1) A signed JNLP application/template file
2) An unsigned JNLP application/template file
3) A signed jnlp application/template file with case
insensitive filenames
I'm currently working on adding a few more tests that will test
applications with multiple jars. These tests will be sent in another
email very soon :)
Changelog entry is also attached as requested.
On 05/23/2012 09:44 AM, Jiri Vanek wrote:
> On 05/22/2012 09:33 PM, Saad Mohammad wrote:
>> Hi,
>>
>> The patch attached tests the launch of applications with a signed JNLP
>> file using matching and
>> non-matching JNLP launch files.
>>
>
> Hi Saad!
>
> Looks great! Your sin is half a redeemed;o)
>
> I have one questions and two minor, but a lot of affecting issues
>
> Issues - Can we handle naming convention
> (http://www.oracle.com/technetwork/java/codeconv-138413.html) for
> classes and methods?
> - The classes should be in CamelCase So eg no "SignedJNLPTemplateTest"
> but "SignedJnlpTemplateTest". I would recommend also renaming of
> directories to keep the name consistent as you have it nicely now.
> - methods should not start with capital letter.
> I know that those two errors leaked in past to reproducers but it would
> be nice to have it correct in new files.
Names have been updated in the current patch..
> - APPLICATION_TEMPLATE.JNLP/APPLICATION.JNLP should be case insensitive.
> Can you test it?
Requested tests have been added!
> Q: I thought that jnlp signing is working like this:
> 1 - (I'm unsure here) signed jar with JNLP-INF/* and unsigned jar with
> the (signed?) same/tempalte_matching jnlp file.
> So to test it properly you need to us two jars - signed and unsigned.
> And ensure that the second one obtains rights or launch terminate.
> 2 - or (more probably, but I'm still lost in this signing) just jnlp
> file (and few others BUT NOT whole jar) should be signed in jar and the
> rest is evaluated by comparison of launching jnlp and signed jnlp inside.
>
> What jnlp test engine is doing is that it signs whole jar. So In my (I
> hope wrong!) opinion your tests are actually not testing jnlp signing
> (as whole jar is signed). But exception looks correct, so I hope I'm
> completely wrong :)
>
For IcedTea-Web to check for a signed JNLP file, the whole jar must be
signed. So applications with ONLY JNLP-INF/* signed will not trigger
IcedTea-Web to check for a signed JNLP file because the whole jar is
considered as unsigned. Therefore tests with just JNLP-INF/* signed are
not required in this case. However tests with multiple jars for a single
application are and will come very soon.
[FYI]
The purpose of signing a JNLP file within the jar is for developers to
ensure that the JNLP file being used to launch their code is the same as
the one they expect it to be. This way if someone does decide to change
the launching JNLP file maliciously, the launching application will be
immediately terminated.
Also, another thing to note, if the application requires a special
property and there is no signed jnlp file, a warning is displayed on the
security dialog box.
There are two ways of signing a JNLP file:
1) One of the way is to store the exact copy of the launching
JNLP file in the signed jar as JNLP-INF/APPLICATION.jnlp
If the launching JNLP file is not an exact match of
JNLP-INF/APPLICATION.jnlp then the application is aborted
and not launched
2) Another way of signing a JNLP file is by storing a template
within the jar as JNLP-INF/APPLICATION_TEMPLATE.jnlp. The
template allows you to have '*' as values for elements and
attributes. Which means that when the signed JNLP file is
being compared to the launching JNLP file, it will accept
any attribute value that are marked as a '*' in the
template.
Section 5.4 of the specification has more detail!
||
||
||
\/
>
> Thanx for explanations!
>
> J.
>
>
> I have added citation from spec:
> 5.4 Signed Applications
>
> The signing infrastructure for JNLP is built on top of the existing
> signing infrastructure for the Java 2 Platform. The Java 2 Platform
> supports signed JAR files. A JAR file can be signed and verified using,
> e.g., the standard jarsigner tool from the Java 2 SDK.
>
> An application launched by a JNLP Client is considered to be signed, if
> and only if:
>
> All the JAR files are signed (both for jar and nativelib elements) and
> can be verified. A JAR file is signed if all the entries (excluding
> manifest entries, the signature iteself, and empty directories) are
> signed by a single signature.
> If a signed version of the JNLP file exists, then it must be verified,
> and it must match the JNLP file used to launch the application. This is
> described in the following subsection.
> The same certificate is used to sign all JAR files (jar and nativelib
> elements) that are part of a single JNLP file. This simplifies user
> management since only one certificate needs to be presented to the user
> during a launch per JNLP file (and hardly restricts the signing process
> in practice).
> The certificate used for signing the JAR files and JNLP file (if signed)
> must be verified against a set of trusted root certificates.
>
> How the set of trusted root certificates are obtained depends on the
> particular JNLP Client implementation. Typically, a JNLP Client will be
> shipped with a set of trusted root certificates for all the major
> Certificate Authorities (CAs).
>
> The JNLP Client must check a JAR file for signing information before it
> is used, i.e., before a class file or another resource is retrieved from
> it. If a JAR file is signed and the digital signature does not verify,
> the application must be aborted. For a lazily downloaded JAR file, i.e.,
> a JAR file that is downloaded after the application is launched, this
> might require aborting an already-running application.
> 5.4.1 Signing of JNLP Files
>
> A JNLP file can optionally be signed. A JNLP Client must check if a
> signed version of the JNLP file or JNLP template exist, and if so,
> verify that at least one of them match the JNLP file that is used to
> launch the application. If a match is not found (see below), then the
> launch must be aborted. If no signed JNLP file or JNLP template exist,
> then the JNLP file is not signed, and no check needs to be performed.
>
> A JNLP file is signed either by including a copy of it in the signed
> main JAR file, or by including a matching (see below) template file in
> the signed main JAR file.
> For the first method, the signed copy must be named:
> JNLP-INF/APPLICATION.JNLP. The APPLICATION.JNLP filename should be
> generated in upper case, but should be recognized in either upper or
> lower case. To match, the signed JNLP file must contain exactly the same
> XML elements and attributes, with identical values, as the JNLP file
> used to launch the application.
>
> For the second method the signed copy must be named
> JNLP-INF/APPLICATION_TEMPLATE.JNLP. The APPLICATION_TEMPLATE.JNLP
> filename should be generated in upper case, but should be recognized in
> either upper or lower case. The template (APPLICATION_TEMPLATE.JNLP) may
> have fields for CDATA arguments or values denoted as "*". The signed
> template must have exactly the same elements and arguments as the JNLP
> file used to launch the app, and the value of each element and attribute
> must "match" as described below. An element value or attribute value
> matches if either the value in the template is identical to the value in
> the JNLP file used to launch the app, or all of the following are true:
>
> 1.) The element or attribute is defined (in the DTD in appendix C) to be
> of type CDATA (for attributes) or #PCDATA (for elements).
> 2.) The element or attribute value in the signed template is "*"
> 3.) The element or attribute value is not blacklisted or restricted by
> the JNLP Client.
>
> It is expected that a JNLP Client will blacklist (or restrict) certain
> jnlp elements and argument values such as "java-vm-args" or property
> "name" and "value" to maintain security. The exact list is up to the
> individual JNLP Client implementations.
>
> As an example, the following APPLICATION_TEMPLATE.JNLP could be used to
> host an application on various hosts with different icons:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <jnlp codebase="*">
> <information>
> <title>Draw!</title>
> <vendor>My Web Company</vendor>
> <icon href="*"/>
> <offline-allowed/>
> </information>
> <resources>
> <java version="1.3+"/>
> <jar href="draw.jar"/>
> </resources>
> <application-desc main-class="com.mysite.Draw"/>
> </jnlp>
>
> An Application with the above contents in
> JNLP-INF/APPLICATION_TEMPLATE.JNLP in it's main jar could be moved from
> one server to another, or could change it's icon without resigning the
> main jar.
>
> As described above, a JNLP file is not required to be signed in order
> for an application to be signed. This is similar to the behavior of
> Applets, where the Applet tags in the HTML pages are not signed, even
> when granting unrestricted access to the Applet.
After doing some research, it seems to me that Oracle is a bit strict
with signed jnlp files. When the launching application contains an
application or an application template file (regardless of whether it is
signed or UNSIGNED), it will validates the jnlp file with the launching
jnlp file. IcedTea-Web does not behave this way and only checks a signed
jnlp file if the complete jar file is signed. After reading the above
specification, I feel that IcedTea-Web behaviour is much more
appropriate. Any thoughts?
--
Saad Mohammad
-------------- next part --------------
A non-text attachment was scrubbed...
Name: upatch01.patch
Type: text/x-patch
Size: 68119 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20120528/4baf7acb/upatch01.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: caseTest01.patch
Type: text/x-patch
Size: 28024 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20120528/4baf7acb/caseTest01.patch
-------------- next part --------------
2012-05-28 Saad Mohammad <smohammad at redhat.com>
Added signed jnlp file regression tests.
* tests/jnlp_tests/signed/SignedJnlpApplication/resources/SignedJnlpApplication1.jnlp:
Launching jnlp file that matches the signed jnlp application file.
* tests/jnlp_tests/signed/SignedJnlpApplication/resources/SignedJnlpApplication2.jnlp:
* tests/jnlp_tests/signed/SignedJnlpApplication/resources/SignedJnlpApplication3.jnlp:
* tests/jnlp_tests/signed/SignedJnlpApplication/resources/SignedJnlpApplication4.jnlp:
* tests/jnlp_tests/signed/SignedJnlpApplication/resources/SignedJnlpApplication5.jnlp:
* tests/jnlp_tests/signed/SignedJnlpApplication/resources/SignedJnlpApplication6.jnlp:
* tests/jnlp_tests/signed/SignedJnlpApplication/resources/SignedJnlpApplication7.jnlp:
* tests/jnlp_tests/signed/SignedJnlpApplication/resources/SignedJnlpApplication8.jnlp:
Launching jnlp file that does not match the signed jnlp application file.
* tests/jnlp_tests/signed/SignedJnlpApplication/srcs/JNLP-INF/APPLICATION.jnlp:
Signed jnlp application file.
* tests/jnlp_tests/signed/SignedJnlpApplication/srcs/SignedJnlpApplication.java:
A simple java class that outputs a string.
* tests/jnlp_tests/signed/SignedJnlpApplication/testcases/SignedJnlpApplicationTest.java:
Testcase that tests the launching of applications with a signed jnlp application file.
* tests/jnlp_tests/signed/SignedJnlpTemplate/resources/SignedJnlpTemplate1.jnlp:
Launching jnlp file that matches the signed jnlp application template file.
* tests/jnlp_tests/signed/SignedJnlpTemplate/resources/SignedJnlpTemplate2.jnlp:
* tests/jnlp_tests/signed/SignedJnlpTemplate/resources/SignedJnlpTemplate3.jnlp:
* tests/jnlp_tests/signed/SignedJnlpTemplate/resources/SignedJnlpTemplate4.jnlp:
* tests/jnlp_tests/signed/SignedJnlpTemplate/resources/SignedJnlpTemplate5.jnlp:
* tests/jnlp_tests/signed/SignedJnlpTemplate/resources/SignedJnlpTemplate6.jnlp:
* tests/jnlp_tests/signed/SignedJnlpTemplate/resources/SignedJnlpTemplate7.jnlp:
* tests/jnlp_tests/signed/SignedJnlpTemplate/resources/SignedJnlpTemplate8.jnlp:
Launching jnlp file that does not match the signed jnlp application template file.
* tests/jnlp_tests/signed/SignedJnlpTemplate/srcs/JNLP-INF/APPLICATION_TEMPLATE.jnlp:
Signed jnlp application template file.
* tests/jnlp_tests/signed/SignedJnlpTemplate/srcs/SignedJnlpTemplate.java:
A simple java class that outputs a string.
* tests/jnlp_tests/signed/SignedJnlpTemplate/testcases/SignedJnlpTemplateTest.java:
Testcase that tests the launching of applications with a signed jnlp application template file.
* tests/jnlp_tests/simple/UnsignedJnlpApplication/resources/UnsignedJnlpApplication1.jnlp:
Launching jnlp file that matches the unsigned jnlp application file.
* tests/jnlp_tests/simple/UnsignedJnlpApplication/resources/UnsignedJnlpApplication2.jnlp:
* tests/jnlp_tests/simple/UnsignedJnlpApplication/resources/UnsignedJnlpApplication3.jnlp:
* tests/jnlp_tests/simple/UnsignedJnlpApplication/resources/UnsignedJnlpApplication4.jnlp:
* tests/jnlp_tests/simple/UnsignedJnlpApplication/resources/UnsignedJnlpApplication5.jnlp:
* tests/jnlp_tests/simple/UnsignedJnlpApplication/resources/UnsignedJnlpApplication6.jnlp:
* tests/jnlp_tests/simple/UnsignedJnlpApplication/resources/UnsignedJnlpApplication7.jnlp:
* tests/jnlp_tests/simple/UnsignedJnlpApplication/resources/UnsignedJnlpApplication8.jnlp:
Launching jnlp file that does not match the unsigned jnlp application file.
* tests/jnlp_tests/simple/UnsignedJnlpApplication/srcs/JNLP-INF/APPLICATION.jnlp:
Unsigned jnlp application file.
* tests/jnlp_tests/simple/UnsignedJnlpApplication/srcs/UnsignedJnlpApplication.java:
A simple java class that outputs a string.
* tests/jnlp_tests/simple/UnsignedJnlpApplication/testcases/UnsignedJnlpApplicationTest.java:
Testcase that tests the launching of applications with an unsigned jnlp application file.
* tests/jnlp_tests/simple/UnsignedJnlpTemplate/resources/UnsignedJnlpTemplate1.jnlp:
Launching jnlp file that matches the unsigned jnlp application template file.
* tests/jnlp_tests/simple/UnsignedJnlpTemplate/resources/UnsignedJnlpTemplate2.jnlp:
* tests/jnlp_tests/simple/UnsignedJnlpTemplate/resources/UnsignedJnlpTemplate3.jnlp:
* tests/jnlp_tests/simple/UnsignedJnlpTemplate/resources/UnsignedJnlpTemplate4.jnlp:
* tests/jnlp_tests/simple/UnsignedJnlpTemplate/resources/UnsignedJnlpTemplate5.jnlp:
* tests/jnlp_tests/simple/UnsignedJnlpTemplate/resources/UnsignedJnlpTemplate6.jnlp:
* tests/jnlp_tests/simple/UnsignedJnlpTemplate/resources/UnsignedJnlpTemplate7.jnlp:
* tests/jnlp_tests/simple/UnsignedJnlpTemplate/resources/UnsignedJnlpTemplate8.jnlp:
Launching jnlp file that does not match the unsigned jnlp application template file.
* tests/jnlp_tests/simple/UnsignedJnlpTemplate/srcs/JNLP-INF/APPLICATION_TEMPLATE.jnlp:
Unsigned jnlp application template file.
* tests/jnlp_tests/simple/UnsignedJnlpTemplate/srcs/UnsignedJnlpTemplate.java:
A simple java class that outputs a string.
* tests/jnlp_tests/simple/UnsignedJnlpTemplate/testcases/UnsignedJnlpTemplateTest.java:
Testcase that tests the launching of applications with an unsigned jnlp application template file.
* tests/jnlp_tests/signed/SignedJnlpCaseTestOne/resources/SignedJnlpCaseTestOne1.jnlp:
Launching jnlp file that matches the signed jnlp application file.
* tests/jnlp_tests/signed/SignedJnlpCaseTestOne/resources/SignedJnlpCaseTestOne2.jnlp:
Launching jnlp file that does not match the signed jnlp application file.
* tests/jnlp_tests/signed/SignedJnlpCaseTestOne/srcs/JNLP-INF/aPpLiCaTioN.jnlp:
Signed jnlp application file.
* tests/jnlp_tests/signed/SignedJnlpCaseTestOne/srcs/SignedJnlpCase.java:
A simple java class that outputs a string.
* tests/jnlp_tests/signed/SignedJnlpCaseTestOne/testcases/SignedJnlpCaseOneTest.java:
Testcase that tests the case-sensitivity of the signed jnlp application's filename.
* tests/jnlp_tests/signed/SignedJnlpCaseTestTwo/resources/SignedJnlpCaseTestTwo1.jnlp:
Launching jnlp file that matches the signed jnlp application template file.
* tests/jnlp_tests/signed/SignedJnlpCaseTestTwo/resources/SignedJnlpCaseTestTwo2.jnlp:
Launching jnlp file that does not match the signed jnlp application template file.
* tests/jnlp_tests/signed/SignedJnlpCaseTestTwo/srcs/JNLP-INF/aPpLiCaTiOn_tEmPlAte.jnlp:
Signed jnlp application template file.
* tests/jnlp_tests/signed/SignedJnlpCaseTestTwo/srcs/SignedJnlpCase.java:
A simple java class that outputs a string.
* tests/jnlp_tests/signed/SignedJnlpCaseTestTwo/testcases/SignedJnlpCaseTwoTest.java:
Testcase that tests the case-sensitivity of the signed jnlp application template's filename.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signedTests.patch
Type: text/x-patch
Size: 74094 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20120528/4baf7acb/signedTests.patch
More information about the distro-pkg-dev
mailing list