[rfc][icedtea-web] Fixing PR722: unsigned entries should be ignored in META-INF/

[Deepak Bhole]

* Adam Domurad <adomurad at redhat.com> [2012-06-12 12:43]:
> So afaik the consensus is that this doesn't cause security problems, and
> is the behaviour of Oracle's plugin, thus here is a simple patch. I have
> done some testing with dropping unsigned files into the META-INF/, and
> everything seems to be in working order.
> 

Does this also prompt the user to make sure they agree to allowing it?

Deepak

> ChangeLog:
> 2012-06-12  Adam Domurad  <adomurad at redhat.com>
> 
> 	Fixes PR722, javaws failing to run with unsigned content in META-INF/
> 	* netx/net/sourceforge/jnlp/tools/JarCertVerifier.java: Changed
> 	isSignatureRelated => isMetaInfFile. Now all files under META-INF/ are
> 	disregarded in checking the jar signage.

> diff --git a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
> --- a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
> +++ b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
> @@ -277,7 +277,7 @@ public class JarCertVerifier implements 
>                      anySigned |= isSigned;
>  
>                      boolean shouldHaveSignature = !je.isDirectory()
> -                                                && !signatureRelated(name);
> +                                                && !isMetaInfFile(name);
>  
>                      hasUnsignedEntry |= shouldHaveSignature &&  !isSigned;
>  
> @@ -438,32 +438,18 @@ public class JarCertVerifier implements 
>      }
>  
>      /**
> -     * signature-related files include:
> +     * Returns whether a file is in META-INF, and thus does not require signing.
> +     *
> +     * Signature-related files under META-INF include:
>       * . META-INF/MANIFEST.MF
>       * . META-INF/SIG-*
>       * . META-INF/*.SF
>       * . META-INF/*.DSA
>       * . META-INF/*.RSA
> -     *
> -     * Required for verifyJar()
>       */
> -    private boolean signatureRelated(String name) {
> +    static private boolean isMetaInfFile(String name) {
>          String ucName = name.toUpperCase();
> -        if (ucName.equals(JarFile.MANIFEST_NAME) ||
> -                ucName.equals(META_INF) ||
> -                (ucName.startsWith(SIG_PREFIX) &&
> -                 ucName.indexOf("/") == ucName.lastIndexOf("/"))) {
> -            return true;
> -        }
> -
> -        if (ucName.startsWith(META_INF) &&
> -                SignatureFileVerifier.isBlockOrSF(ucName)) {
> -            // .SF/.DSA/.RSA files in META-INF subdirs
> -            // are not considered signature-related
> -            return (ucName.indexOf("/") == ucName.lastIndexOf("/"));
> -        }
> -
> -        return false;
> +        return ucName.startsWith(META_INF);
>      }
>  
>      /**