changeset 273:9b7eca03a9ea

PR771: IcedTea-Web certificate verification code does not use the right API
author Deepak Bhole <dbhole@redhat.com>
date Tue, 09 Aug 2011 17:29:45 -0400
parents defa7d0051bf
children 27f08d58854f
files ChangeLog NEWS netx/net/sourceforge/jnlp/security/CertificateUtils.java
diffstat 3 files changed, 43 insertions(+), 5 deletions(-) [+]
--- a/ChangeLog	Wed Aug 03 14:11:11 2011 -0400
+++ b/ChangeLog	Tue Aug 09 17:29:45 2011 -0400
@@ -1,3 +1,11 @@
+2011-08-09  Deepak Bhole <dbhole@redhat.com>
+
+	PR771: IcedTea-Web certificate verification code does not use the right
+	API
+	* netx/net/sourceforge/jnlp/security/CertificateUtils.java
+	(inKeyStores): Use Certificate.verify to correctly verify a certificate
+	against a public key in the store.
+
 2011-08-03  Saad Mohammad  <smohammad@redhat.com>
 
 	* netx/net/sourceforge/jnlp/JNLPMatcher.java:
--- a/NEWS	Wed Aug 03 14:11:11 2011 -0400
+++ b/NEWS	Tue Aug 09 17:29:45 2011 -0400
@@ -16,6 +16,7 @@
   - PR749: sun.applet.PluginStreamHandler#handleMessage(String) really slow
 Common
   - PR768: Signed applets/Web Start apps don't work with OpenJDK7 and up
+  - PR771: IcedTea-Web certificate verification code does not use the right API
 
 New in release 1.1 (2011-XX-XX):
 * Security updates
--- a/netx/net/sourceforge/jnlp/security/CertificateUtils.java	Wed Aug 03 14:11:11 2011 -0400
+++ b/netx/net/sourceforge/jnlp/security/CertificateUtils.java	Tue Aug 09 17:29:45 2011 -0400
@@ -43,16 +43,20 @@
 import java.io.IOException;
 import java.io.PrintStream;
 import java.math.BigInteger;
+import java.security.InvalidKeyException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.SignatureException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.Enumeration;
 import java.util.Random;
 
 import net.sourceforge.jnlp.runtime.JNLPRuntime;
-
 import sun.misc.BASE64Encoder;
 import sun.security.provider.X509Factory;
 
@@ -122,11 +126,36 @@
     public static final boolean inKeyStores(X509Certificate c, KeyStore[] keyStores) {
         for (int i = 0; i < keyStores.length; i++) {
             try {
-                if (keyStores[i].getCertificateAlias(c) != null) {
-                    if (JNLPRuntime.isDebug()) {
-                        System.out.println(c.getSubjectX500Principal().getName() + " found in cacerts");
+                // Check against all certs
+                Enumeration<String> aliases = keyStores[i].aliases();
+                while (aliases.hasMoreElements()) {
+                    String alias = aliases.nextElement();
+                    try {
+                        // Verify against this entry
+                        c.verify(keyStores[i].getCertificate(alias).getPublicKey());
+
+                        if (JNLPRuntime.isDebug()) {
+                            System.out.println(c.getSubjectX500Principal().getName() + " found in cacerts");
+                        }
+                        
+                        // If we got here, it means verification succeeded. Return true.
+                        return true;
+                    } catch (NoSuchAlgorithmException nsae) {
+                        // Unsupported signature algorithm 
+                        // Consider non-match and keep going
+                    } catch (InvalidKeyException ike) {
+                        // Incorrect/corrupt key
+                        // Consider non-match and keep going                     
+                    } catch (NoSuchProviderException nspe) {
+                        // No default provider 
+                        // Consider non-match and keep going
+                    } catch (SignatureException se) {
+                        // Signature error
+                        // Consider non-match and keep going
+                    } catch (CertificateException ce) {
+                        // Encoding error
+                        // Consider non-match and keep going
                     }
-                    return true;
                 }
             } catch (KeyStoreException e) {
                 e.printStackTrace();
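Review bot: The new loop in inKeyStores returns true as soon as `c.verify(...)` succeeds against any entry's public key, so a signature from any key in these stores counts as trust, regardless of whether that entry is a CA certificate, is still within its validity period, or has a subject matching the issuer of `c`. If any store passed in can hold end-entity or user-accepted publisher certificates (the callers are outside this hunk), that is broader than the old `getCertificateAlias` match. Consider casting the entry to X509Certificate as `issuer` and adding `if (!c.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) continue;` before verifying, or delegating the decision to `CertPathValidator`. Separately, `keyStores[i].getCertificate(alias)` returns null for an alias that holds no certificate, and the resulting NullPointerException is not among the caught types, so a null check is needed before `.getPublicKey()`. The method's closing lines lie outside the hunk.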