[icedtea-web] (PR1513) Signed JAR with external main-class

Andrew Azores aazores at redhat.com
Fri Oct 18 11:02:34 PDT 2013 

Hi,

The applet in the PR1513 report fails to launch due to the following 
check in JNLPClassLoader#initializeResources():

// If jar with main class was not found and there are no more
// available jars, throw a LaunchException
if (file.getLaunchInfo() != null) {
     if (!foundMainJar // && (available == null || available.size() == 0))
         throw new LaunchException(file, null, R("LSFatal"),
                 R("LCClient"), R("LCantDetermineMainClass"),
                 R("LCantDetermineMainClassInfo"));
}

This occurs within a block checking for JarCertVerifier#isFullySigned(). 
The effect is that we require fully-signed applications to only have 
their main-class within one of their JARs. In this particular applet's 
case, for whatever reason, the main class is a separate .class file 
elsewhere in the codebase, which I assume makes some use of the JAR. 
Perhaps the JAR is provided as a library of sorts and universities 
implement their own main-class with it for this student information 
portal system.

Anyway, making IcedTea-Web support this scenario is as simple as 
removing the "throw new LaunchException" noted above. In cases where the 
applet is fully signed and the main-class is not found at all, this 
simply makes the applet launch fail a bit later on. Otherwise some 
reworking of the classloader will be required (searching for external 
main-class *before* the work of initializeResource is done?! Otherwise, 
somehow indicating this condition to be dealt with later on rather than 
letting the applet launch fail).

What I'm wondering however, is if this is actually safe. How do we 
really want to be handling this situation? The JarCertVerified reports 
"fully signed", but then we are going to go ahead and execute an 
arbitrary unverified class file from outside the JAR(s). To me this 
seems a little bit questionable - definitely we shouldn't just fail to 
launch altogether, but what should be done about the permissions for 
this applet? Right now with the exception removed, the user is still 
prompted with a dialog claiming that the applet's signature has been 
validated by a trusted source, but can we really say that now?

Thanks,

-- 
Andrew A

More information about the distro-pkg-dev mailing list