/hg/icedtea-web: 3 new changesets
omajid at icedtea.classpath.org
Wed May 14 19:13:53 UTC 2014
changeset d2bebf24c3ef in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=d2bebf24c3ef
author: Omair Majid <omajid at redhat.com>
date: Wed May 14 15:11:39 2014 -0400
More javadoc fixes for Java 8
Remove incorrect @throws and self-enclosing elements from javadocs.
2014-05-14 Omair Majid <omajid at redhat.com>
* netx/net/sourceforge/jnlp/JNLPFile.java
(JNLPFile(InputStream,ParserSettings))
(JNLPFile(InputStream,URL,ParserSettings)): Remove incorrect @throws
IOException in javadoc.
* netx/net/sourceforge/jnlp/SecurityDesc.java
(fromHtmlString): Fix param name in javadoc.
* netx/net/sourceforge/jnlp/util/FileUtils.java
(showCouldNotOpenDialog): Remove incorrect @param filePath from javadoc.
* netx/net/sourceforge/nanoxml/XMLParseException.java,
* netx/net/sourceforge/nanoxml/XMLElement.java: Replace <br/> with <p>.
changeset e3981eb10285 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=e3981eb10285
author: Omair Majid <omajid at redhat.com>
date: Wed May 14 15:11:40 2014 -0400
Make 'make check' work under OpenJDK 8
Use reflection to access a class that was moved from one package to
another in OpenJDK 8.
+2014-05-14 Omair Majid <omajid at redhat.com>
+
+ * tests/test-extensions/net/sourceforge/jnlp/tools/CodeSignerCreator.java
+ (KeyPair): New class.
+ (createCert): Use KeyPair.
changeset a008226315c1 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=a008226315c1
author: Omair Majid <omajid at redhat.com>
date: Wed May 14 15:11:45 2014 -0400
Clean up comments in JarFile
Update comments to indicate purpose of the class: preventing GIFAR
attacks. Remove references to JDK6 that were at best secondary to
the purpose of the class.
Rename ZIP_LOCAL_FILE_HEADER_SIGNATURE to indicate that it is the
header of a zip entry.
Also fix some indentation issues.
2014-05-14 Omair Majid <omajid at redhat.com>
* netx/net/sourceforge/jnlp/util/JarFile.java: Rename
ZIP_LOCAL_FILE_HEADER_SIGNATURE to ZIP_ENTRY_HEADER_SIGNATURE. Fix
comments.
diffstat:
ChangeLog | 25 ++
netx/net/sourceforge/jnlp/JNLPFile.java | 2 -
netx/net/sourceforge/jnlp/SecurityDesc.java | 2 +-
netx/net/sourceforge/jnlp/util/FileUtils.java | 1 -
netx/net/sourceforge/jnlp/util/JarFile.java | 84 ++++-----
netx/net/sourceforge/nanoxml/XMLElement.java | 32 ++-
netx/net/sourceforge/nanoxml/XMLParseException.java | 3 +-
tests/test-extensions/net/sourceforge/jnlp/tools/CodeSignerCreator.java | 84 +++++++++-
8 files changed, 161 insertions(+), 72 deletions(-)
diffs (458 lines):
diff -r d96760e31283 -r a008226315c1 ChangeLog
--- a/ChangeLog Wed May 14 15:04:16 2014 -0400
+++ b/ChangeLog Wed May 14 15:11:45 2014 -0400
@@ -1,3 +1,28 @@
+2014-05-14 Omair Majid <omajid at redhat.com>
+
+ * netx/net/sourceforge/jnlp/util/JarFile.java: Rename
+ ZIP_LOCAL_FILE_HEADER_SIGNATURE to ZIP_ENTRY_HEADER_SIGNATURE. Fix
+ comments.
+
+2014-05-14 Omair Majid <omajid at redhat.com>
+
+ * tests/test-extensions/net/sourceforge/jnlp/tools/CodeSignerCreator.java
+ (KeyPair): New class.
+ (createCert): Use KeyPair.
+
+2014-05-14 Omair Majid <omajid at redhat.com>
+
+ * netx/net/sourceforge/jnlp/JNLPFile.java
+ (JNLPFile(InputStream,ParserSettings))
+ (JNLPFile(InputStream,URL,ParserSettings)): Remove incorrect @throws
+ IOException in javadoc.
+ * netx/net/sourceforge/jnlp/SecurityDesc.java
+ (fromHtmlString): Fix param name in javadoc.
+ * netx/net/sourceforge/jnlp/util/FileUtils.java
+ (showCouldNotOpenDialog): Remove incorrect @param filePath from javadoc.
+ * netx/net/sourceforge/nanoxml/XMLParseException.java,
+ * netx/net/sourceforge/nanoxml/XMLElement.java: Replace <br/> with <p>.
+
2014-05-14 Andrew Azores <aazores at redhat.com>
* netx/net/sourceforge/jnlp/cache/Resource.java: (Status) new enum
diff -r d96760e31283 -r a008226315c1 netx/net/sourceforge/jnlp/JNLPFile.java
--- a/netx/net/sourceforge/jnlp/JNLPFile.java Wed May 14 15:04:16 2014 -0400
+++ b/netx/net/sourceforge/jnlp/JNLPFile.java Wed May 14 15:11:45 2014 -0400
@@ -267,7 +267,6 @@
/**
* Create a JNLPFile from an input stream.
*
- * @throws IOException if an IO exception occurred
* @throws ParseException if the JNLP file was invalid
*/
public JNLPFile(InputStream input, ParserSettings settings) throws ParseException {
@@ -281,7 +280,6 @@
* @param input input stream of JNLP file.
* @param codebase codebase to use if not specified in JNLP file..
* @param settings the {@link ParserSettings} to use when parsing
- * @throws IOException if an IO exception occurred
* @throws ParseException if the JNLP file was invalid
*/
public JNLPFile(InputStream input, URL codebase, ParserSettings settings) throws ParseException {
diff -r d96760e31283 -r a008226315c1 netx/net/sourceforge/jnlp/SecurityDesc.java
--- a/netx/net/sourceforge/jnlp/SecurityDesc.java Wed May 14 15:04:16 2014 -0400
+++ b/netx/net/sourceforge/jnlp/SecurityDesc.java Wed May 14 15:11:45 2014 -0400
@@ -90,7 +90,7 @@
* The HTML permission level corresponding to the given String. If null is given, null comes
* back. If there is no permission level that can be granted in HTML matching the given String,
* null is also returned.
- * @param jnlpString the JNLP permission String
+ * @param htmlString the JNLP permission String
* @return the matching RequestedPermissionLevel
*/
public RequestedPermissionLevel fromHtmlString(final String htmlString) {
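Review bot: the renamed @param htmlString still carries the description "the JNLP permission String", which contradicts the summary just above it ("The HTML permission level corresponding to the given String"). Change the description to say it is the HTML permission string, so the tag matches the method it documents.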
diff -r d96760e31283 -r a008226315c1 netx/net/sourceforge/jnlp/util/FileUtils.java
--- a/netx/net/sourceforge/jnlp/util/FileUtils.java Wed May 14 15:04:16 2014 -0400
+++ b/netx/net/sourceforge/jnlp/util/FileUtils.java Wed May 14 15:11:45 2014 -0400
@@ -394,7 +394,6 @@
/**
* Show a dialog informing the user that the file could not be opened
* @param frame a {@link JFrame} to act as parent to this dialog
- * @param filePath a {@link String} representing the path to the file we failed to open
* @param message a {@link String} giving the specific reason the file could not be opened
*/
public static void showCouldNotOpenDialog(final Component frame, final String message) {
diff -r d96760e31283 -r a008226315c1 netx/net/sourceforge/jnlp/util/JarFile.java
--- a/netx/net/sourceforge/jnlp/util/JarFile.java Wed May 14 15:04:16 2014 -0400
+++ b/netx/net/sourceforge/jnlp/util/JarFile.java Wed May 14 15:11:45 2014 -0400
@@ -43,94 +43,82 @@
import java.io.InputStream;
import net.sourceforge.jnlp.runtime.JNLPRuntime;
-//in jdk6 java.util.jar.JarFile is not Closeable - fixing
-//overwritening class can add duplicate occurence of interface so this should be perfectly safe
-public class JarFile extends java.util.jar.JarFile implements Closeable{
+/**
+ * A wrapper over {@link java.util.jar.JarFile} that verifies zip headers to
+ * protect against GIFAR attacks.
+ *
+ * @see <a href="http://en.wikipedia.org/wiki/Gifar">Gifar</a>
+ */
+public class JarFile extends java.util.jar.JarFile implements Closeable {
public JarFile(String name) throws IOException {
- super(name);
- verifyZipHeader(new File(name));
+ super(name);
+ verifyZipHeader(new File(name));
}
- /**
- */
public JarFile(String name, boolean verify) throws IOException {
super(name, verify);
verifyZipHeader(new File(name));
}
- /**
- */
public JarFile(File file) throws IOException {
super(file);
verifyZipHeader(file);
}
- /**
- */
public JarFile(File file, boolean verify) throws IOException {
super(file, verify);
verifyZipHeader(file);
}
- /*
- */
public JarFile(File file, boolean verify, int mode) throws IOException {
super(file, verify, mode);
- verifyZipHeader(file);
+ verifyZipHeader(file);
}
-
-
-
-
+
/**
- * According to specification -
- * http://www.pkware.com/documents/casestudies/APPNOTE.TXT or just google
- * around zip header all entries in zip-compressed must start with well
- * known "PK" which is defined as hexa x50 x4b x03 x04, which in decimal are
- * 80 75 3 4.
- *
+ * The ZIP specification requires that the zip header for all entries in a
+ * zip-compressed archive must start with a well known "PK" which is
+ * defined as hex x50 x4b x03 x04.
+ * <p>
* Note - this is not file-header, it is item-header.
- *
- * Actually most of compressing formats have some n-bytes header se eg:
+ * <p>
+ * Actually most of compressing formats have some n-bytes headers. Eg:
* http://www.gzip.org/zlib/rfc-gzip.html#header-trailer for ID1 and ID2 so
* in case that some differently compressed jars will come to play, this is
- * the palce where to fix it.
+ * the place where to fix it.
*
+ * @see <a href="http://www.pkware.com/documents/casestudies/APPNOTE.TXT">ZIP Specification</a>
*/
- private static final byte[] ZIP_LOCAL_FILE_HEADER_SIGNATURE = new byte[]{80, 75, 3, 4};
+ private static final byte[] ZIP_ENTRY_HEADER_SIGNATURE = new byte[] {0x50, 0x4b, 0x03, 0x04};
/**
- * This method is checking first four bytes of jar-file against
- * ZIP_LOCAL_FILE_HEADER_SIGNATURE
- *
+ * Verify the header for the zip entry.
+ * <p>
* Although zip specification allows to skip all corrupted entries, it is
- * not safe for jars. If first four bytes of file are not zip
- * ZIP_LOCAL_FILE_HEADER_SIGNATURE then exception is thrown
- *
- * As noted, ZIP_LOCAL_FILE_HEADER_SIGNATURE is not ile-header, but is item-header.
- * Possible attack is using the fact that entries without header are considered
- * corrupted and so can be ignoered. However, for other they can have some meaning.
- *
- * So for our purposes we must insists on first record to be valid.
- *
- * @param file
- * @throws IOException
- * @throws InvalidJarHeaderException
+ * not safe for jars since it allows a different format to fake itself as
+ * a Jar.
*/
- public static void verifyZipHeader(File file) throws IOException {
+ private void verifyZipHeader(File file) throws IOException {
if (!JNLPRuntime.isIgnoreHeaders()) {
InputStream s = new FileInputStream(file);
+
+ /*
+ * Theoretically, a valid ZIP file can begin with anything. We
+ * ensure it begins with a valid entry header to confirm it only
+ * contains zip entries.
+ */
+
try {
- byte[] buffer = new byte[ZIP_LOCAL_FILE_HEADER_SIGNATURE.length];
+ byte[] buffer = new byte[ZIP_ENTRY_HEADER_SIGNATURE.length];
/*
* for case that new byte[] will accidently initialize same
* sequence as zip header and during the read the buffer will not be filled
- */
+ */
for (int i = 0; i < buffer.length; i++) {
buffer[i] = 0;
}
- int toRead = ZIP_LOCAL_FILE_HEADER_SIGNATURE.length;
+ int toRead = ZIP_ENTRY_HEADER_SIGNATURE.length;
int readSoFar = 0;
int n = 0;
/*
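Review bot: verifyZipHeader changes from "public static" to "private" and non-static in this hunk, which is a signature change rather than a comment cleanup, and neither the commit message nor the ChangeLog entry records it. Mention it in the ChangeLog, and consider keeping the method static, since the lines shown use only the file argument, the signature constant and JNLPRuntime.isIgnoreHeaders(). Separately, the loop that zeroes buffer is redundant because Java zero-initializes new arrays, so it and its comment could be dropped in the same cleanup.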
@@ -144,7 +132,7 @@
}
}
for (int i = 0; i < buffer.length; i++) {
- if (buffer[i] != ZIP_LOCAL_FILE_HEADER_SIGNATURE[i]) {
+ if (buffer[i] != ZIP_ENTRY_HEADER_SIGNATURE[i]) {
throw new InvalidJarHeaderException("Jar " + file.getName() + " do not heave valid header. You can skip this check by -Xignoreheaders");
}
}
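Review bot: the exception message next to the renamed comparison still reads "do not heave valid header"; since this commit cleans up JarFile, correct it to "does not have a valid header". The byte-by-byte loop could also be replaced by a single Arrays.equals(buffer, ZIP_ENTRY_HEADER_SIGNATURE) check.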
diff -r d96760e31283 -r a008226315c1 netx/net/sourceforge/nanoxml/XMLElement.java
--- a/netx/net/sourceforge/nanoxml/XMLElement.java Wed May 14 15:04:16 2014 -0400
+++ b/netx/net/sourceforge/nanoxml/XMLElement.java Wed May 14 15:11:45 2014 -0400
@@ -39,7 +39,7 @@
/**
* XMLElement is a representation of an XML object. The object is able to parse
* XML code.
- * <p><dl>
+ * <dl>
* <dt><b>Parsing XML Data</b></dt>
* <dd>
* You can parse XML data using the following code:
@@ -83,7 +83,6 @@
* {@link #createAnotherElement() createAnotherElement}
* which has to return a new copy of the receiver.
* </dd></dl>
- * </p>
*
* @see net.sourceforge.nanoxml.XMLParseException
*
@@ -178,7 +177,8 @@
private boolean ignoreWhitespace;
/**
- * Character read too much.<br/>
+ * Character read too much.
+ * <p>
* This character provides push-back functionality to the input reader
* without having to use a PushbackReader.
* If there is no such character, this field is {@code '\0'}.
@@ -210,7 +210,8 @@
private int parserLineNr;
/**
- * Creates and initializes a new XML element.<br/>
+ * Creates and initializes a new XML element.
+ * <p>
* Calling the construction is equivalent to:
* <ul><li>{@code new XMLElement(new Hashtable(), false, true)}</li></ul>
*
@@ -400,7 +401,8 @@
}
/**
- * Returns an attribute of the element.<br/>
+ * Returns an attribute of the element.
+ * <p>
* If the attribute doesn't exist, {@code null} is returned.
*
* @param name The name of the attribute.
@@ -535,7 +537,7 @@
* The new name.
*
* <dl><dt><b>Preconditions:</b></dt><dd>
- * <ul><li{@code name != null}</li>
+ * <ul><li>{@code name != null}</li>
* <li>{@code name} is a valid XML identifier</li>
* </ul></dd></dl>
*/
@@ -597,7 +599,8 @@
}
/**
- * This method scans an identifier from the current reader.<br/>
+ * This method scans an identifier from the current reader.
+ * <p>
* The scanned whitespace is appended to {@code result}.
*
* @return the next character following the whitespace.
@@ -625,7 +628,8 @@
}
/**
- * This method scans a delimited string from the current reader.<br/>
+ * This method scans a delimited string from the current reader.
+ * <p>
* The scanned string without delimiters is appended to {@code string}.
*
* <dl><dt><b>Preconditions:</b></dt><dd>
@@ -653,8 +657,10 @@
/**
* Scans a {@code #PCDATA} element. CDATA sections and entities are
- * resolved.<br/>
- * The next < char is skipped.<br/>
+ * resolved.
+ * <p>
+ * The next < char is skipped.
+ * <p>
* The scanned data is appended to {@code data}.
*
* <dl><dt><b>Preconditions:</b></dt><dd>
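Review bot: the added line "The next < char is skipped." keeps a bare < in the javadoc, which is malformed HTML, the same class of problem as the <br/> elements this change removes. Write it as &lt; or {@code <} so the comment is clean under the stricter Java 8 javadoc checks.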
@@ -831,7 +837,8 @@
}
/**
- * Scans the data for literal text.<br/>
+ * Scans the data for literal text.
+ * <p>
* Scanning stops when a character does not match or after the complete
* text has been checked, whichever comes first.
*
@@ -985,7 +992,8 @@
}
/**
- * Resolves an entity. The name of the entity is read from the reader.<br/>
+ * Resolves an entity. The name of the entity is read from the reader.
+ * <p>
* The value of the entity is appended to {@code buf}.
*
* @param buf Where to put the entity value.
diff -r d96760e31283 -r a008226315c1 netx/net/sourceforge/nanoxml/XMLParseException.java
--- a/netx/net/sourceforge/nanoxml/XMLParseException.java Wed May 14 15:04:16 2014 -0400
+++ b/netx/net/sourceforge/nanoxml/XMLParseException.java Wed May 14 15:11:45 2014 -0400
@@ -32,7 +32,8 @@
* An XMLParseException is thrown when an error occures while parsing an XML
* string.
* <p>
- * $Revision: 1.1 $<br/>
+ * $Revision: 1.1 $</p>
+ * <p>
* $Date: 2002/08/03 04:05:32 $</p>
*
* @see net.sourceforge.nanoxml.XMLElement
diff -r d96760e31283 -r a008226315c1 tests/test-extensions/net/sourceforge/jnlp/tools/CodeSignerCreator.java
--- a/tests/test-extensions/net/sourceforge/jnlp/tools/CodeSignerCreator.java Wed May 14 15:04:16 2014 -0400
+++ b/tests/test-extensions/net/sourceforge/jnlp/tools/CodeSignerCreator.java Wed May 14 15:11:45 2014 -0400
@@ -25,17 +25,24 @@
package net.sourceforge.jnlp.tools;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
import java.security.CodeSigner;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
import java.security.PrivateKey;
+import java.security.SignatureException;
import java.security.Timestamp;
import java.security.cert.CertPath;
+import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import sun.security.x509.AlgorithmId;
-import sun.security.x509.CertAndKeyGen;
import sun.security.x509.CertificateAlgorithmId;
import sun.security.x509.CertificateIssuerName;
import sun.security.x509.CertificateSerialNumber;
@@ -72,13 +79,10 @@
// KeyTool#doGenKeyPair
X500Name x500Name = new X500Name(dname);
- CertAndKeyGen keypair = new CertAndKeyGen(keyAlgName, sigAlgName);
+ KeyPair keyPair = new KeyPair(keyAlgName, sigAlgName, keysize);
+ PrivateKey privKey = keyPair.getPrivateKey();
- keypair.generate(keysize);
- PrivateKey privKey = keypair.getPrivateKey();
-
- X509Certificate oldCert = keypair.getSelfCertificate(x500Name,
- notBefore, validity * 24L * 60L * 60L);
+ X509Certificate oldCert = keyPair.getSelfCertificate(x500Name, notBefore, validity);
// KeyTool#doSelfCert
byte[] encoded = oldCert.getEncoded();
@@ -142,4 +146,70 @@
Timestamp certTimestamp = new Timestamp(jarEntryCert.getNotBefore(), certPath);
return new CodeSigner(certPath, certTimestamp);
}
+
+ /**
+ * A wrapper over JDK-internal CertAndKeyGen Class.
+ * <p>
+ * This is an internal class whose package changed between OpenJDK 7 and 8.
+ * Use reflection to access the right thing.
+ */
+ public static class KeyPair {
+
+ private /* CertAndKeyGen */ Object keyPair;
+
+ public KeyPair(String keyAlgName, String sigAlgName, int keySize) throws NoSuchAlgorithmException, InvalidKeyException {
+ try {
+ // keyPair = new CertAndKeyGen(keyAlgName, sigAlgName);
+ Class<?> certAndKeyGenClass = Class.forName(getCertAndKeyGenClass());
+ Constructor<?> constructor = certAndKeyGenClass.getDeclaredConstructor(String.class, String.class);
+ keyPair = constructor.newInstance(keyAlgName, sigAlgName);
+
+ // keyPair.generate(keySize);
+ Method generate = certAndKeyGenClass.getMethod("generate", int.class);
+ generate.invoke(keyPair, keySize);
+ } catch (ClassNotFoundException | NoSuchMethodException | SecurityException | InstantiationException |
+ IllegalAccessException | IllegalArgumentException | InvocationTargetException certAndKeyGenClassError) {
+ throw new AssertionError("Unable to use CertAndKeyGen class", certAndKeyGenClassError);
+ }
+ }
+
+ public PrivateKey getPrivateKey() {
+ try {
+ // return keyPair.getPrivateKey();
+ Class<?> klass = keyPair.getClass();
+ Method method = klass.getMethod("getPrivateKey");
+ return (PrivateKey) method.invoke(keyPair);
+ } catch (NoSuchMethodException | IllegalAccessException | IllegalArgumentException | InvocationTargetException error) {
+ throw new AssertionError(error);
+ }
+ }
+
+ public X509Certificate getSelfCertificate(X500Name name, Date notBefore, long validityInDays)
+ throws InvalidKeyException, CertificateException, SignatureException,
+ NoSuchAlgorithmException, NoSuchProviderException {
+ try {
+ // return keyPair.getSelfCertificate(name, notBefore, validityInDays * 24L * 60L * 60L);
+ Class<?> klass = keyPair.getClass();
+ Method method = klass.getMethod("getSelfCertificate", X500Name.class, Date.class, long.class);
+ return (X509Certificate) method.invoke(keyPair, name, notBefore, validityInDays * 24L * 60L * 60L);
+ } catch (InvocationTargetException ite) {
+ throw new RuntimeException(ite.getCause());
+ } catch (NoSuchMethodException | IllegalAccessException | IllegalArgumentException error) {
+ throw new AssertionError(error);
+ }
+ }
+
+ private String getCertAndKeyGenClass() {
+ String javaVersion = System.getProperty("java.version");
+ String className = null;
+ if (javaVersion.startsWith("1.7")) {
+ className = "sun.security.x509.CertAndKeyGen";
+ } else if (javaVersion.startsWith("1.8")) {
+ className = "sun.security.tools.keytool.CertAndKeyGen";
+ } else {
+ throw new AssertionError("Unrecognized Java Version");
+ }
+ return className;
+ }
+ }
}
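Review bot: getCertAndKeyGenClass() selects the class by matching the java.version string against "1.7" and "1.8" and throws AssertionError("Unrecognized Java Version") for anything else, so the test helper fails on any runtime whose version string has a different prefix. Probing with Class.forName for "sun.security.tools.keytool.CertAndKeyGen" and falling back to "sun.security.x509.CertAndKeyGen" on ClassNotFoundException would avoid depending on the version string. Two smaller points: the constructor declares NoSuchAlgorithmException and InvalidKeyException, but any such failure arrives as InvocationTargetException and is turned into an AssertionError, while getSelfCertificate wraps the cause in a RuntimeException instead of rethrowing the checked exceptions it declares; and the nested class name KeyPair shadows java.security.KeyPair, so a name such as CertAndKeyGenWrapper would be clearer.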