/hg/icedtea-web: 2 new changesets
aazores at icedtea.classpath.org
aazores at icedtea.classpath.org
Tue Dec 3 08:56:11 PST 2013
changeset 526fb9663b14 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=526fb9663b14
author: Andrew Azores <aazores at redhat.com>
date: Tue Dec 03 11:39:12 2013 -0500
Implement per-JAR security descriptors (PR1592)
Fix/new feature for PR1592. Each JAR in partially signed applets is
assigned its own security level, rather than forcing the entire applet to
run sandboxed.
changeset 4a9aa56d4541 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=4a9aa56d4541
author: Andrew Azores <aazores at redhat.com>
date: Tue Dec 03 11:43:04 2013 -0500
Tests for PR1592
diffstat:
ChangeLog | 38 ++
netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java | 140 +++++---
netx/net/sourceforge/jnlp/tools/JarCertVerifier.java | 8 +
tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java | 145 +++++++++
tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java | 159 ++++++++++
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-1.jnlp | 61 +++
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-2.jnlp | 61 +++
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-3.jnlp | 61 +++
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-4.jnlp | 61 +++
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-5.jnlp | 61 +++
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-6.jnlp | 61 +++
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet.html | 52 +++
tests/reproducers/simple/MixedSigningApplet/srcs/MixedSigningAppletHelper.java | 89 +++++
13 files changed, 943 insertions(+), 54 deletions(-)
diffs (truncated from 1158 to 500 lines):
diff -r 9420fcc175c3 -r 4a9aa56d4541 ChangeLog
--- a/ChangeLog Mon Dec 02 16:04:32 2013 +0100
+++ b/ChangeLog Tue Dec 03 11:43:04 2013 -0500
@@ -1,3 +1,41 @@
+2013-12-03 Andrew Azores <aazores at redhat.com>
+
+ Tests for PR1592.
+ * tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java:
+ new tests for per-JAR applet security
+ * tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-1.jnlp:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-2.jnlp:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-3.jnlp:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-4.jnlp:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-5.jnlp:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-6.jnlp:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet.html:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/srcs/MixedSigningAppletHelper.java:
+ same
+
+2013-12-03 Andrew Azores <aazores at redhat.com>
+
+ Fix/new feature for PR1592. Each JAR in partially signed applets is
+ assigned its own security level, rather than forcing the entire applet to
+ run sandboxed.
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
+ (initializeResources)
+ each JAR in partially signed applets is assigned its own security
+ descriptor.
+ (signing) changed to three-valued enum. (checkNotAllSignedWithUser) new
+ method
+ * netx/net/sourceforge/jnlp/tools/JarCertVerifier.java: (isJarSigned) new
+ method
+
2013-11-29 Jiri Vanek <jvanek at redhat.com>
Better validation of crytical dirs with proper message on startup
diff -r 9420fcc175c3 -r 4a9aa56d4541 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Mon Dec 02 16:04:32 2013 +0100
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Dec 03 11:43:04 2013 -0500
@@ -84,6 +84,8 @@
import net.sourceforge.jnlp.security.JNLPAppVerifier;
import net.sourceforge.jnlp.security.PluginAppVerifier;
import net.sourceforge.jnlp.security.SecurityDialogs;
+import net.sourceforge.jnlp.security.appletextendedsecurity.AppletSecurityLevel;
+import net.sourceforge.jnlp.security.appletextendedsecurity.AppletStartupSecuritySettings;
import net.sourceforge.jnlp.security.appletextendedsecurity.UnsignedAppletTrustConfirmation;
import net.sourceforge.jnlp.tools.JarCertVerifier;
import net.sourceforge.jnlp.util.JarFile;
@@ -115,6 +117,10 @@
DOWNLOAD_TO_CACHE, REMOVE_FROM_CACHE, CHECK_CACHE
}
+ public static enum SigningState {
+ FULL, PARTIAL, NONE
+ }
+
/** True if the application has a signed JNLP File */
private boolean isSignedJNLP = false;
@@ -167,7 +173,7 @@
/** the jar cert verifier tool to verify our jars */
private final JarCertVerifier jcv;
- private boolean signing = false;
+ private SigningState signing = SigningState.NONE;
/** ArrayList containing jar indexes for various jars available to this classloader */
private ArrayList<JarIndex> jarIndexes = new ArrayList<JarIndex>();
@@ -304,7 +310,7 @@
* determine security settings here, after trying to verify jars.
*/
if (file instanceof PluginBridge) {
- if (signing == true) {
+ if (getSigning()) {
this.security = new SecurityDesc(file,
SecurityDesc.ALL_PERMISSIONS,
codebase.getHost());
@@ -327,13 +333,13 @@
* Unsigned no <security> Sandbox
*
*/
- if (!file.getSecurity().getSecurityType().equals(SecurityDesc.SANDBOX_PERMISSIONS) && !signing) {
+ if (!file.getSecurity().getSecurityType().equals(SecurityDesc.SANDBOX_PERMISSIONS) && !getSigning()) {
if (jcv.allJarsSigned()) {
throw new LaunchException(file, null, R("LSFatal"), R("LCClient"), R("LSignedJNLPAppDifferentCerts"), R("LSignedJNLPAppDifferentCertsInfo"));
} else {
throw new LaunchException(file, null, R("LSFatal"), R("LCClient"), R("LUnsignedJarWithSecurity"), R("LUnsignedJarWithSecurityInfo"));
}
- } else if (signing == true) {
+ } else if (getSigning()) {
this.security = file.getSecurity();
} else {
this.security = new SecurityDesc(file,
@@ -390,7 +396,7 @@
JNLPClassLoader extLoader = uniqueKeyToLoader.get(uniqueKey);
if (extLoader != null && extLoader != loader) {
- if (loader.signing && !extLoader.signing)
+ if (loader.getSigning() && !extLoader.getSigning())
if (!SecurityDialogs.showNotAllSignedWarningDialog(file))
throw new LaunchException(file, null, R("LSFatal"), R("LCClient"), R("LSignedAppJarUsingUnsignedJar"), R("LSignedAppJarUsingUnsignedJarInfo"));
@@ -609,8 +615,8 @@
}
}
- if(allSigned)
- signing = true;
+ if (allSigned)
+ signing = SigningState.FULL;
//Check if main jar is found within extensions
foundMainJar = foundMainJar || hasMainInExtensions();
@@ -676,7 +682,7 @@
//Case when at least one jar has some signing
if (jcv.isFullySigned()) {
- signing = true;
+ signing = SigningState.FULL;
// Check for main class in the downloaded jars, and check/verify signed JNLP fill
checkForMain(initialJars);
@@ -692,9 +698,10 @@
boolean externalMainClass = (file.getLaunchInfo() != null && !foundMainJar
&& (available == null || available.size() == 0));
- if ((!jcv.allJarsSigned() || externalMainClass) &&
- !SecurityDialogs.showNotAllSignedWarningDialog(file))
- throw new LaunchException(file, null, R("LSFatal"), R("LCClient"), R("LSignedAppJarUsingUnsignedJar"), R("LSignedAppJarUsingUnsignedJarInfo"));
+ if (!jcv.allJarsSigned() || externalMainClass) {
+ checkNotAllSignedWithUser(file);
+ signing = SigningState.PARTIAL;
+ }
// If main jar was found, but a signed JNLP file was not located
if (!isSignedJNLP && foundMainJar)
@@ -713,60 +720,69 @@
// Otherwise this jar is simply unsigned -- make sure to ask
// for permission on certain actions
- signing = false;
+ signing = SigningState.NONE;
}
}
+ boolean containsSignedJar = false, containsUnsignedJar = false;
for (JARDesc jarDesc : file.getResources().getJARs()) {
+ File cachedFile;
+
try {
+ cachedFile = tracker.getCacheFile(jarDesc.getLocation());
+ } catch (IllegalResourceDescriptorException irde) {
+ //Caused by ignored resource being removed due to not being valid
+ OutputController.getLogger().log(OutputController.Level.ERROR_ALL, "JAR " + jarDesc.getLocation() + " is not a valid jar file. Continuing.");
+ continue;
+ }
- File cachedFile;
+ if (cachedFile == null) {
+ OutputController.getLogger().log(OutputController.Level.ERROR_ALL, "JAR " + jarDesc.getLocation() + " not found. Continuing.");
+ continue; // JAR not found. Keep going.
+ }
+
+ SecurityDesc jarSecurity = file.getSecurity();
+
+ if (file instanceof PluginBridge) {
+
+ URL codebase = null;
+
+ if (file.getCodeBase() != null) {
+ codebase = file.getCodeBase();
+ } else {
+ //Fixme: codebase should be the codebase of the Main Jar not
+ //the location. Although, it still works in the current state.
+ codebase = file.getResources().getMainJAR().getLocation();
+ }
try {
- cachedFile = tracker.getCacheFile(jarDesc.getLocation());
- } catch (IllegalResourceDescriptorException irde){
- //Caused by ignored resource being removed due to not being valid
- OutputController.getLogger().log(OutputController.Level.ERROR_ALL, "JAR " + jarDesc.getLocation() + " is not a valid jar file. Continuing.");
- continue;
+ if (JarCertVerifier.isJarSigned(jarDesc, new PluginAppVerifier(), tracker)) {
+ containsSignedJar = true;
+ jarSecurity = new SecurityDesc(file,
+ SecurityDesc.ALL_PERMISSIONS,
+ codebase.getHost());
+ } else {
+ containsUnsignedJar = true;
+ jarSecurity = new SecurityDesc(file,
+ SecurityDesc.SANDBOX_PERMISSIONS,
+ codebase.getHost());
+ }
+ } catch (Exception e) {
+ OutputController.getLogger().log(e);
+ jarSecurity = new SecurityDesc(file,
+ SecurityDesc.SANDBOX_PERMISSIONS,
+ codebase.getHost());
}
+ }
- if (cachedFile == null) {
- OutputController.getLogger().log(OutputController.Level.ERROR_ALL, "JAR " + jarDesc.getLocation() + " not found. Continuing.");
- continue; // JAR not found. Keep going.
- }
+ jarLocationSecurityMap.put(jarDesc.getLocation(), jarSecurity);
+ }
- // TODO: Should be toURI().toURL()
- URL location = cachedFile.toURL();
- SecurityDesc jarSecurity = file.getSecurity();
+ if (containsSignedJar && containsUnsignedJar) {
+ checkNotAllSignedWithUser(file);
+ signing = SigningState.PARTIAL;
+ }
- if (file instanceof PluginBridge) {
-
- URL codebase = null;
-
- if (file.getCodeBase() != null) {
- codebase = file.getCodeBase();
- } else {
- //Fixme: codebase should be the codebase of the Main Jar not
- //the location. Although, it still works in the current state.
- codebase = file.getResources().getMainJAR().getLocation();
- }
-
- if (signing) {
- jarSecurity = new SecurityDesc(file,
- SecurityDesc.ALL_PERMISSIONS,
- codebase.getHost());
- } else {
- jarSecurity = new SecurityDesc(file,
- SecurityDesc.SANDBOX_PERMISSIONS,
- codebase.getHost());
- }
- }
-
- jarLocationSecurityMap.put(jarDesc.getLocation(), jarSecurity);
- } catch (MalformedURLException mfe) {
- OutputController.getLogger().log(OutputController.Level.ERROR_ALL, mfe);
- }
- }
activateJars(initialJars);
}
@@ -1064,6 +1080,22 @@
}
/**
+ * Prompt the user to proceed on applets with mixed signing.
+ * @param file the JNLPFile or PluginBridge describing the applet/application to be launched
+ * @throws LaunchException if the user does not approve the prompt
+ */
+ private void checkNotAllSignedWithUser(JNLPFile file) throws LaunchException {
+ boolean promptUser = true;
+
+ if (JNLPRuntime.isTrustAll()) {
+ promptUser = false;
+ }
+
+ if (promptUser && !SecurityDialogs.showNotAllSignedWarningDialog(file)) {
+ throw new LaunchException(file, null, R("LSFatal"), R("LCClient"), R("LSignedAppJarUsingUnsignedJar"), R("LSignedAppJarUsingUnsignedJarInfo"));
+ }
+ }
+ /**
* Add applet's codebase URL. This allows compatibility with
* applets that load resources from their codebase instead of
* through JARs, but can slow down resource loading. Resources
@@ -1864,7 +1896,7 @@
}
public boolean getSigning() {
- return signing;
+ return signing == SigningState.FULL;
}
protected SecurityDesc getSecurity() {
diff -r 9420fcc175c3 -r 4a9aa56d4541 netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
--- a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java Mon Dec 02 16:04:32 2013 +0100
+++ b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java Tue Dec 03 11:43:04 2013 -0500
@@ -183,6 +183,14 @@
return fullySigned;
}
+ public static boolean isJarSigned(JARDesc jar, AppVerifier verifier, ResourceTracker tracker) throws Exception {
+ JarCertVerifier certVerifier = new JarCertVerifier(verifier);
+ List<JARDesc> singleJarList = new ArrayList<JARDesc>();
+ singleJarList.add(jar);
+ certVerifier.add(singleJarList, tracker);
+ return certVerifier.allJarsSigned();
+ }
+
/**
* Update the verifier to consider new jars when verifying.
*
diff -r 9420fcc175c3 -r 4a9aa56d4541 tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java Tue Dec 03 11:43:04 2013 -0500
@@ -0,0 +1,145 @@
+/* MixedSigningAppletSigned.java
+Copyright (C) 2013 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+ */
+
+package com.redhat.mixedsigning.signed;
+import java.applet.Applet;
+import java.lang.reflect.Method;
+import java.util.Arrays;
+import java.util.ArrayList;
+import java.util.List;
+
+/* See also simple/MixedSigningApplet */
+public class MixedSigningAppletSigned extends Applet {
+
+ @Override
+ public void init() {
+ System.out.println("MixedSigningAppletSigned applet started. testName: " + getParameter("testName"));
+ Method m = null;
+ try {
+ m = this.getClass().getMethod(getParameter("testName"));
+ final String result = (String) m.invoke(this);
+ System.out.println(result);
+ } catch (Exception e) {
+ e.printStackTrace();
+ } finally {
+ System.out.println("*** APPLET FINISHED ***");
+ }
+ }
+
+ public String testNonPrivilegedAction() {
+ return new HelperMethodCall<String>().method("help").call();
+ }
+
+ // Should succeed
+ public String testSignedReadProperties() {
+ return System.getProperty("user.home");
+ }
+
+ // Should result in AccessControlException
+ public String testUnsignedReadProperties() {
+ return new HelperMethodCall<String>().type(String.class).method("getProperty").arg("user.home").call();
+ }
+
+ // Should result in AccessControlException
+ public String testSignedExportPropertiesToUnsigned() {
+ return new HelperMethodCall<String>().type(String.class).method("getPropertyFromSignedJar").arg("user.home").call();
+ }
+
+ // Should result in AccessControlException
+ public String testUnsignedAttacksSigned() {
+ return new HelperMethodCall<String>().method("attack").call();
+ }
+
+ // Should result in InvocationTargetException (due to AccessControlException)
+ public String testUnsignedReflectionAttack() {
+ return new HelperMethodCall<String>().method("reflectiveAttack").call();
+ }
+
+ public String calledByReflection() {
+ return System.getProperty("user.home");
+ }
+
+ public static String getProperty(String prop) {
+ return System.getProperty(prop);
+ }
+
+ private static class HelperMethodCall<T> {
+
+ private String methodName;
+ private final List<Class<?>> methodSignature;
+ private final List<String> args;
+
+ public HelperMethodCall() {
+ methodSignature = new ArrayList<Class<?>>();
+ args = new ArrayList<String>();
+ }
+
+ public HelperMethodCall<T> method(String methodName) {
+ this.methodName = methodName;
+ return this;
+ }
+
+ public HelperMethodCall<T> type(Class<?> methodSignature) {
+ this.methodSignature.add(methodSignature);
+ return this;
+ }
+
+ public HelperMethodCall<T> arg(String arg) {
+ this.args.add(arg);
+ return this;
+ }
+
+ public T call() {
+ try {
+ Class<?> helper = Class.forName("com.redhat.mixedsigning.helper.MixedSigningAppletHelper");
+ Method m;
+ if (this.methodSignature == null) {
+ m = helper.getMethod(this.methodName);
+ } else {
+ m = helper.getMethod(this.methodName, this.methodSignature.toArray(new Class<?>[methodSignature.size()]));
+ }
+ Object[] params = args.toArray(new String[args.size()]);
+ @SuppressWarnings("unchecked")
+ T result = (T) m.invoke(null, params);
+ return result;
+ } catch (Exception e) {
+ e.printStackTrace();
+ return null;
+ }
+ }
+ }
+}
diff -r 9420fcc175c3 -r 4a9aa56d4541 tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java Tue Dec 03 11:43:04 2013 -0500
@@ -0,0 +1,159 @@
+/* MixedSigningAppletSignedTests.java
+Copyright (C) 2013 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+ */
+
+import net.sourceforge.jnlp.ProcessResult;
+import net.sourceforge.jnlp.ServerAccess.AutoClose;
+import net.sourceforge.jnlp.annotations.KnownToFail;
More information about the distro-pkg-dev
mailing list