Mercurial > hg > release > icedtea-web-1.6
changeset 275:68756a4f8cc0
PR742: IcedTea-Web checks certs only upto 1 level deep before declaring them untrusted.
author | Danesh Dadachanji <ddadacha@redhat.com> |
---|---|
date | Thu, 11 Aug 2011 14:11:41 -0400 |
parents | 27f08d58854f |
children | dab2238acd6b |
files | ChangeLog NEWS netx/net/sourceforge/jnlp/tools/JarSigner.java |
diffstat | 3 files changed, 16 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/ChangeLog Tue Aug 09 17:34:35 2011 -0400 +++ b/ChangeLog Thu Aug 11 14:11:41 2011 -0400 @@ -1,3 +1,11 @@ +2011-08-11 Danesh Dadachanji <ddadacha@redhat.com> + + PR742: IcedTea-Web checks certs only upto 1 level deep before declaring + them untrusted. + * NEWS: Updated. + * netx/net/sourceforge/jnlp/tools/JarSigner.java: + (checkTrustedCerts): All certs along certPath are now checked for trust. + 2011-08-09 Deepak Bhole <dbhole@redhat.com> PR771: IcedTea-Web certificate verification code does not use the right
--- a/NEWS Tue Aug 09 17:34:35 2011 -0400 +++ b/NEWS Thu Aug 11 14:11:41 2011 -0400 @@ -19,6 +19,7 @@ Common - PR768: Signed applets/Web Start apps don't work with OpenJDK7 and up - PR771: IcedTea-Web certificate verification code does not use the right API + - PR742: IcedTea-Web checks certs only upto 1 level deep before declaring them untrusted. New in release 1.1 (2011-XX-XX): * Security updates
--- a/netx/net/sourceforge/jnlp/tools/JarSigner.java Tue Aug 09 17:34:35 2011 -0400 +++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java Thu Aug 11 14:11:41 2011 -0400 @@ -373,7 +373,13 @@ alreadyTrustPublisher = CertificateUtils.inKeyStores(publisher, certKeyStores); X509Certificate root = (X509Certificate) getRoot(); KeyStore[] caKeyStores = KeyStores.getCAKeyStores(); - rootInCacerts = CertificateUtils.inKeyStores(root, caKeyStores); + // Check entire cert path for a trusted CA + for (Certificate c : certPath.getCertificates()) { + if ((rootInCacerts = CertificateUtils.inKeyStores( + (X509Certificate) c, caKeyStores))) { + break; + } + } } catch (Exception e) { // TODO: Warn user about not being able to // look through their cacerts/trusted.certs