Mercurial > hg > release > icedtea-web-1.2

--- a/ChangeLog	Tue Aug 09 17:34:35 2011 -0400
+++ b/ChangeLog	Thu Aug 11 14:11:41 2011 -0400
@@ -1,3 +1,11 @@
+2011-08-11  Danesh Dadachanji <ddadacha@redhat.com>
+
+	PR742: IcedTea-Web checks certs only upto 1 level deep before declaring
+	them untrusted.
+	* NEWS: Updated.
+	* netx/net/sourceforge/jnlp/tools/JarSigner.java:
+	(checkTrustedCerts): All certs along certPath are now checked for trust.
+
 2011-08-09  Deepak Bhole <dbhole@redhat.com>

 	PR771: IcedTea-Web certificate verification code does not use the right
--- a/NEWS	Tue Aug 09 17:34:35 2011 -0400
+++ b/NEWS	Thu Aug 11 14:11:41 2011 -0400
@@ -19,6 +19,7 @@
 Common
   - PR768: Signed applets/Web Start apps don't work with OpenJDK7 and up
   - PR771: IcedTea-Web certificate verification code does not use the right API
+  - PR742: IcedTea-Web checks certs only upto 1 level deep before declaring them untrusted.

 New in release 1.1 (2011-XX-XX):
 * Security updates
--- a/netx/net/sourceforge/jnlp/tools/JarSigner.java	Tue Aug 09 17:34:35 2011 -0400
+++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java	Thu Aug 11 14:11:41 2011 -0400
@@ -373,7 +373,13 @@
                 alreadyTrustPublisher = CertificateUtils.inKeyStores(publisher, certKeyStores);
                 X509Certificate root = (X509Certificate) getRoot();
                 KeyStore[] caKeyStores = KeyStores.getCAKeyStores();
-                rootInCacerts = CertificateUtils.inKeyStores(root, caKeyStores);
+                // Check entire cert path for a trusted CA
+                for (Certificate c : certPath.getCertificates()) {
+                	if ((rootInCacerts = CertificateUtils.inKeyStores(
+                            (X509Certificate) c, caKeyStores))) {
+                        break;
+                    }
+                }
             } catch (Exception e) {
                 // TODO: Warn user about not being able to
                 // look through their cacerts/trusted.certs