/hg/icedtea-web: Fix PR1049: Empty jars are handled correctly during signature validation
smohammad at icedtea.classpath.org
Wed Aug 1 13:51:04 PDT 2012
changeset b04d8fd2c51a in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=b04d8fd2c51a
author: Saad Mohammad <smohammad at redhat.com>
date: Wed Aug 01 16:50:17 2012 -0400
Fix PR1049: Empty jars are handled correctly during signature validation
diffstat:
ChangeLog | 26 +++
netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java | 2 +-
netx/net/sourceforge/jnlp/tools/JarCertVerifier.java | 15 ++
tests/reproducers/signed/EmptySignedJar/resources/EmptySignedJarExtension.jnlp | 58 +++++++
tests/reproducers/signed/EmptySignedJar/resources/EmptySignedJarInExtensionJnlp.jnlp | 64 ++++++++
tests/reproducers/signed/EmptySignedJar/resources/EmptySignedJarInLaunchingJnlp.jnlp | 64 ++++++++
tests/reproducers/signed/EmptySignedJar/srcs/META-INF/empty_file | 1 +
tests/reproducers/signed/EmptySignedJar/testcases/EmptySignedJarTest.java | 73 ++++++++++
tests/reproducers/signed/SignedJarResource/resources/SignedJarResource.jnlp | 62 ++++++++
9 files changed, 364 insertions(+), 1 deletions(-)
diffs (437 lines):
diff -r 08e677a02458 -r b04d8fd2c51a ChangeLog
--- a/ChangeLog Wed Aug 01 10:12:55 2012 -0400
+++ b/ChangeLog Wed Aug 01 16:50:17 2012 -0400
@@ -1,3 +1,29 @@
+2012-08-01 Saad Mohammad <smohammad at redhat.com>
+
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java (initializeResources):
+ Removes the display of the security dialog for loaders with only empty jars.
+ * netx/net/sourceforge/jnlp/tools/JarCertVerifier.java:
+ (JarCertVerifier): Tracks whether all jars verified are empty jars.
+ (hasAllEmptyJars): Returns true if all jars verified are empty jars.
+ (verifyJars): Checks whether signable entries and certificates are found and
+ decides if all jars are empty jars.
+ (isFullySignedByASingleCert): If all jars are emptyJars, returns true.
+ * tests/reproducers/signed/EmptySignedJar/resources/EmptySignedJarInLaunchingJnlp.jnlp:
+ Launching jnlp with the resource of an empty jar and an extension jnlp
+ containing the main jar.
+ * tests/reproducers/signed/EmptySignedJar/resources/EmptySignedJarInExtensionJnlp.jnlp:
+ Launching jnlp with the resource of the main jar and an extension jnlp
+ containing the empty jar.
+ * tests/reproducers/signed/EmptySignedJar/resources/EmptySignedJarExtension.jnlp:
+ Extension jnlp containing only an empty jar.
+ * tests/reproducers/signed/EmptySignedJar/srcs/META-INF/empty_file:
+ Empty file within META-INF; required to create EmptySignedJar.jar
+ by the test engine.
+ * tests/reproducers/signed/EmptySignedJar/testcases/EmptySignedJarTest.java:
+ Testcase that tests jnlp files with empty jars.
+ * tests/reproducers/signed/SignedJarResource/resources/SignedJarResource.jnlp:
+ Launches SignedJarResource class directly.
+
2012-07-31 Danesh Dadachanji <ddadacha at redhat.com>
Minor fix to overly restrictive unit test.
diff -r 08e677a02458 -r b04d8fd2c51a netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Wed Aug 01 10:12:55 2012 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Wed Aug 01 16:50:17 2012 -0400
@@ -650,7 +650,7 @@
file.setSignedJNLPAsMissing();
//user does not trust this publisher
- if (!jcv.getAlreadyTrustPublisher()) {
+ if (!jcv.getAlreadyTrustPublisher() && !jcv.isTriviallySigned()) {
checkTrustWithUser(jcv);
} else {
/**
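Review bot: The new `!jcv.isTriviallySigned()` guard sends a loader whose jars hold only META-INF/* into the else branch without a publisher prompt, and nothing on the line says why that is safe; add `// Jars with no signable entries carry no code to trust, so skip the publisher prompt (see JarCertVerifier.isTriviallySigned)`. Note that the flag is assigned once per jar inside JarCertVerifier.verifyJars (the other hunks of this patch), so when it is read here it reflects the last jar processed together with the cumulative entry and certificate counters, not an explicit "every jar was empty" check; if the else branch marks the loader as trusted, that is the condition being trusted. The else branch and the enclosing method continue outside the hunk.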
diff -r 08e677a02458 -r b04d8fd2c51a netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
--- a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java Wed Aug 01 10:12:55 2012 -0400
+++ b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java Wed Aug 01 16:50:17 2012 -0400
@@ -103,6 +103,16 @@
private int totalSignableEntries = 0;
+ /** Whether a signable entry was found within jars (jars with content more than just META-INF/*) */
+ private boolean triviallySigned = false;
+
+ /**
+ * Return true if there are signable entries in the jars, otherwise false
+ */
+ public boolean isTriviallySigned() {
+ return triviallySigned;
+ }
+
/* (non-Javadoc)
* @see net.sourceforge.jnlp.tools.CertVerifier2#getAlreadyTrustPublisher()
*/
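Review bot: The documentation on the new field and getter states the opposite of what the code sets: verifyJars makes `triviallySigned` true only when `totalSignableEntries <= 0 && certs.size() <= 0`, yet the field comment reads "Whether a signable entry was found" and the Javadoc reads "Return true if there are signable entries". Replace the field comment with `/** True when the jars verified so far contain no signable entries and no signer certificates (only META-INF/*), i.e. there is nothing to sign. */` and the method Javadoc with `Returns true if the verified jars have no signable entries and no certificates; such jars are treated as signed because there is nothing to sign.` The ChangeLog entry also calls this method hasAllEmptyJars, which does not match isTriviallySigned.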
@@ -167,6 +177,9 @@
*/
public boolean isFullySignedByASingleCert() {
+ if (triviallySigned)
+ return true;
+
for (CertPath cPath : certs.keySet()) {
// If this cert has signed everything, return true
if (certs.get(cPath) == totalSignableEntries)
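Review bot: The early return makes isFullySignedByASingleCert() report true while `certs` is empty, so a caller that then asks this verifier for the signing CertPath gets nothing; the loop below would have fallen through in that case (its fall-through return is outside the hunk). That is intended here, but it should be said on the return: `// Nothing to sign (only META-INF/* entries, no certs): vacuously fully signed.` Callers that need a certificate should check isTriviallySigned() before requesting one. The method's Javadoc starts above the hunk and should mention this case as well.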
@@ -197,6 +210,7 @@
String localFile = jarFile.getAbsolutePath();
verifyResult result = verifyJar(localFile);
+ triviallySigned = false;
if (result == verifyResult.UNSIGNED) {
unverifiedJars.add(localFile);
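Review bot: `triviallySigned = false;` sits after the `verifyJar(localFile)` call, so if verifyJar throws (the catch at the end of the loop body appears in the next hunk) the flag keeps the value computed for the previous jar and a stale true can survive into the JNLPClassLoader check. Moving the reset ahead of the call, `triviallySigned = false; verifyResult result = verifyJar(localFile);`, starts every iteration from the conservative value no matter how verifyJar exits. The loop header and the catch handler's body are outside the hunk, so whether the exception aborts verifyJars altogether cannot be seen here.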
@@ -205,6 +219,7 @@
verifiedJars.add(localFile);
} else if (result == verifyResult.SIGNED_OK) {
verifiedJars.add(localFile);
+ triviallySigned = totalSignableEntries <= 0 && certs.size() <= 0;
}
} catch (Exception e) {
// We may catch exceptions from using verifyJar()
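Review bot: The flag is recomputed from scratch on every SIGNED_OK jar and cleared at the top of each iteration, so after the loop it describes only the last jar, while the ChangeLog entry promises "whether all jars verified are empty jars". Because totalSignableEntries and certs accumulate across jars this is conservative when an empty jar is followed by a signed one, but the UNSIGNED branch leaves the counters untouched as far as this hunk shows; if verifyJar does not count entries for unsigned jars, an unsigned jar with classes followed by an empty jar ends the loop with triviallySigned true and JNLPClassLoader skips the publisher prompt. Making the flag a conjunction — set it to true before the loop, `triviallySigned &= totalSignableEntries <= 0 && certs.size() <= 0;` on SIGNED_OK and `triviallySigned = false;` on UNSIGNED — gives the all-jars semantics the ChangeLog describes regardless of how verifyJar counts. A reproducer that lists an unsigned jar after the empty one would pin this; the new tests do not cover that ordering.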
diff -r 08e677a02458 -r b04d8fd2c51a tests/reproducers/signed/EmptySignedJar/resources/EmptySignedJarExtension.jnlp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/reproducers/signed/EmptySignedJar/resources/EmptySignedJarExtension.jnlp Wed Aug 01 16:50:17 2012 -0400
@@ -0,0 +1,58 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+***********************************************************************
+This file is used as an extension jnlp for the launching jnlp's resource - contains
+only an empty jar
+***********************************************************************
+ -->
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" href="EmptySignedJarExtension.jnlp" codebase=".">
+ <information>
+ <title>EmptySignedJarExtension</title>
+ <vendor>IcedTea</vendor>
+ <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
+ <description>EmptySignedJarExtension</description>
+ <offline/>
+ </information>
+
+ <resources>
+ <j2se version="1.6+"/>
+ <jar href="EmptySignedJar.jar"/>
+ </resources>
+
+ <component-desc />
+</jnlp>
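Review bot: The `<?xml version="1.0" encoding="utf-8"?>` declaration follows the licence comment, but XML requires the declaration to be the very first bytes of the document, so a strict parser rejects this file and only a lenient JNLP parser reads it. Moving the declaration to line 1, ahead of the comment, keeps the file well-formed; the same ordering appears in the other three .jnlp files added by this commit. If this copies the layout of the existing reproducer resources, the fix may belong in a separate sweep over all of them.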
diff -r 08e677a02458 -r b04d8fd2c51a tests/reproducers/signed/EmptySignedJar/resources/EmptySignedJarInExtensionJnlp.jnlp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/reproducers/signed/EmptySignedJar/resources/EmptySignedJarInExtensionJnlp.jnlp Wed Aug 01 16:50:17 2012 -0400
@@ -0,0 +1,64 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+***********************************************************************
+This file contains the main jar and an extension jnlp for its resources - the extension jnlp
+contains a empty jar
+***********************************************************************
+ -->
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" href="EmptySignedJarInExtensionJnlp.jnlp" codebase=".">
+ <information>
+ <title>EmptySignedJar</title>
+ <vendor>IcedTea</vendor>
+ <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
+ <description>EmptySignedJar</description>
+ <offline/>
+ </information>
+
+ <security>
+ <all-permissions/>
+ </security>
+
+ <resources>
+ <j2se version="1.6+"/>
+ <jar href="SignedJarResource.jar"/>
+ <extension name="EmptySignedJarExtension" href="./EmptySignedJarExtension.jnlp"/>
+ </resources>
+
+ <application-desc main-class="SignedJarResource">
+ </application-desc>
+</jnlp>
diff -r 08e677a02458 -r b04d8fd2c51a tests/reproducers/signed/EmptySignedJar/resources/EmptySignedJarInLaunchingJnlp.jnlp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/reproducers/signed/EmptySignedJar/resources/EmptySignedJarInLaunchingJnlp.jnlp Wed Aug 01 16:50:17 2012 -0400
@@ -0,0 +1,64 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+***********************************************************************
+This file contains an empty jar and an extension jnlp for its resources - the extension jnlp
+contains the main jar
+***********************************************************************
+ -->
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" href="EmptySignedJarInLaunchingJnlp.jnlp" codebase=".">
+ <information>
+ <title>EmptySignedJar</title>
+ <vendor>IcedTea</vendor>
+ <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
+ <description>EmptySignedJar</description>
+ <offline/>
+ </information>
+
+ <security>
+ <all-permissions/>
+ </security>
+
+ <resources>
+ <j2se version="1.6+"/>
+ <jar href="EmptySignedJar.jar"/>
+ <extension name="SignedJarExtension" href="./SignedJarExtension.jnlp"/>
+ </resources>
+
+ <application-desc main-class="SignedJarResource">
+ </application-desc>
+</jnlp>
diff -r 08e677a02458 -r b04d8fd2c51a tests/reproducers/signed/EmptySignedJar/srcs/META-INF/empty_file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/reproducers/signed/EmptySignedJar/srcs/META-INF/empty_file Wed Aug 01 16:50:17 2012 -0400
@@ -0,0 +1,1 @@
+This is an empty file.
diff -r 08e677a02458 -r b04d8fd2c51a tests/reproducers/signed/EmptySignedJar/testcases/EmptySignedJarTest.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/reproducers/signed/EmptySignedJar/testcases/EmptySignedJarTest.java Wed Aug 01 16:50:17 2012 -0400
@@ -0,0 +1,73 @@
+/* EmptySignedJar.java
+Copyright (C) 2012 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+ */
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import net.sourceforge.jnlp.ServerAccess;
+import net.sourceforge.jnlp.annotations.Bug;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class EmptySignedJarTest {
+
+ private static ServerAccess server = new ServerAccess();
+ private final List<String> l = Collections.unmodifiableList(Arrays.asList(new String[] { "-Xtrustall" }));
+ private final String jarOutput = "Running SignedJarResource..";
+
+ @Test
+ public void checkingForRequiredResources() throws Exception {
+ String s = "Running SignedJarResource..";
+ ServerAccess.ProcessResult pr = server.executeJavawsHeadless(l, "/SignedJarResource.jnlp");
+ Assert.assertTrue("Could not locate SignedJarResource class within SignedJarResource jar", pr.stdout.contains(s));
+ }
+
+ @Bug(id = "PR1049")
+ @Test
+ public void usingExtensionWithEmptyJar() throws Exception {
+ ServerAccess.ProcessResult pr = server.executeJavawsHeadless(l, "/EmptySignedJarInExtensionJnlp.jnlp");
+ Assert.assertTrue("Stdout should contain " + jarOutput + " but did not", pr.stdout.contains(jarOutput));
+ }
+
+ @Bug(id = "PR1049")
+ @Test
+ public void usingLauncherWithEmptyJar() throws Exception {
+ ServerAccess.ProcessResult pr = server.executeJavawsHeadless(l, "/EmptySignedJarInLaunchingJnlp.jnlp");
+ Assert.assertTrue("Stdout should contain " + jarOutput + " but did not", pr.stdout.contains(jarOutput));
+ }
+}
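Review bot: All three tests pass `-Xtrustall` (the `l` list), which tells the runtime to trust every publisher; if that makes getAlreadyTrustPublisher() return true, the new `!jcv.isTriviallySigned()` condition in JNLPClassLoader is short-circuited and these reproducers would pass with or without the PR1049 fix. Running the two @Bug tests without `-Xtrustall` — headless, so no dialog can be answered — should presumably block on checkTrustWithUser on the old code and pass on the new one, which is the regression the bug id claims to cover. Smaller points: `s` in checkingForRequiredResources duplicates the `jarOutput` field, and the header comment names the file EmptySignedJar.java rather than EmptySignedJarTest.java.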
diff -r 08e677a02458 -r b04d8fd2c51a tests/reproducers/signed/SignedJarResource/resources/SignedJarResource.jnlp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/reproducers/signed/SignedJarResource/resources/SignedJarResource.jnlp Wed Aug 01 16:50:17 2012 -0400
@@ -0,0 +1,62 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+***********************************************************************
+Launches SignedJarResource directly
+***********************************************************************
+ -->
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" href="SignedJarResource.jnlp" codebase=".">
+ <information>
+ <title>SignedJarResource</title>
+ <vendor>IcedTea</vendor>
+ <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
+ <description>SignedJarResource</description>
+ <offline/>
+ </information>
+
+ <security>
+ <all-permissions/>
+ </security>
+
+ <resources>
+ <j2se version="1.6+"/>
+ <jar href="SignedJarResource.jar" main="true"/>
+ </resources>
+
+ <application-desc main-class="SignedJarResource">
+ </application-desc>
+</jnlp>