changeset 1475:385bbdb0c185

nosecurity switch made extendable also for certificate issues * netx/net/sourceforge/jnlp/config/Defaults.java: set deployment.security.itw.ignorecertissues * netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java: added deployment.security.itw.ignorecertissues * netx/net/sourceforge/jnlp/resources/Messages.properties: BONosecurity is now tailed by rumor about deployment.security.itw.ignorecertissues * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: when ITW was about to throw certificate-caused launch exception, it is now consulted with nosecurity and deployment.security.itw.ignorecertissues. If both are here, exception is only printed
author Jiri Vanek <jvanek@redhat.com>
date Fri, 02 Mar 2018 10:21:15 +0100
parents 67fa5af65e7f
children f8fc55ba5af6
files ChangeLog netx/net/sourceforge/jnlp/config/Defaults.java netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java netx/net/sourceforge/jnlp/resources/Messages.properties netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
diffstat 5 files changed, 51 insertions(+), 8 deletions(-) [+]
--- a/ChangeLog	Fri Mar 02 10:18:08 2018 +0100
+++ b/ChangeLog	Fri Mar 02 10:21:15 2018 +0100
@@ -1,3 +1,12 @@
+2018-02-03  Jiri Vanek <jvanek@redhat.com>
+
+	nosecurity switch made extendable also for certificate issues
+	* netx/net/sourceforge/jnlp/config/Defaults.java: set deployment.security.itw.ignorecertissues
+	* netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java: added deployment.security.itw.ignorecertissues
+	* netx/net/sourceforge/jnlp/resources/Messages.properties: BONosecurity is now tailed by rumor about deployment.security.itw.ignorecertissues
+	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: when ITW was about to throw certificate-caused launch exception,
+	it i snow consulted with nosecurity and deployment.security.itw.ignorecertissues. If both are here, exception is only printed
+
 2018-02-03  Jiri Vanek <jvanek@redhat.com>
 
 	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: autoformatted
--- a/netx/net/sourceforge/jnlp/config/Defaults.java	Fri Mar 02 10:18:08 2018 +0100
+++ b/netx/net/sourceforge/jnlp/config/Defaults.java	Fri Mar 02 10:21:15 2018 +0100
@@ -226,6 +226,11 @@
                         String.valueOf(false)
                 },
                 {
+                        DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES,
+                        BasicValueValidators.getBooleanValidator(),
+                        String.valueOf(false)
+                },
+                {
                         DeploymentConfiguration.KEY_SECURITY_PROMPT_USER_FOR_JNLP,
                         BasicValueValidators.getBooleanValidator(),
                         String.valueOf(true)
@@ -445,4 +450,4 @@
 
         return result;
     }
-}
\ No newline at end of file
+}
--- a/netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java	Fri Mar 02 10:18:08 2018 +0100
+++ b/netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java	Fri Mar 02 10:21:15 2018 +0100
@@ -150,6 +150,9 @@
     /** Boolean. Only install the custom authenticator if true */
     public static final String KEY_SECURITY_INSTALL_AUTHENTICATOR = "deployment.security.authenticator";
 
+    /** Boolean. Only install the custom authenticator if true */
+    public static final String KEY_SECURITY_ITW_IGNORECERTISSUES = "deployment.security.itw.ignorecertissues";
+    
     public static final String KEY_STRICT_JNLP_CLASSLOADER = "deployment.jnlpclassloader.strict";
     
     /** Boolean. Do not prefere https over http */
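Review bot: The Javadoc on `KEY_SECURITY_ITW_IGNORECERTISSUES` is copied verbatim from the authenticator key above it and describes the wrong setting. Because this property turns fatal verification failures into log entries, its comment should state that effect and that it only applies together with the nosecurity switch, for example `/** Boolean. If true and the nosecurity switch is given, certificate and signature verification failures are logged instead of aborting the launch. */`. A reader auditing a deployment.properties file relies on this comment to judge the risk of the key.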
--- a/netx/net/sourceforge/jnlp/resources/Messages.properties	Fri Mar 02 10:18:08 2018 +0100
+++ b/netx/net/sourceforge/jnlp/resources/Messages.properties	Fri Mar 02 10:21:15 2018 +0100
@@ -337,7 +337,7 @@
 BOVerbose   = Enable verbose output.
 BOAbout     = Shows a sample application.
 BOVersion   = Print the IcedTea-Web version and exit.
-BONosecurity= Disables the secure runtime environment.
+BONosecurity= Disables the secure runtime environment. You need also  deployment.security.itw.ignorecertissues to workaround corrupted signatures
 BONoupdate  = Disables checking for updates.
 BOHeadless  = Disables download window, other UIs.
 BOStrict    = Enables strict checking of JNLP file format.
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Fri Mar 02 10:18:08 2018 +0100
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Fri Mar 02 10:21:15 2018 +0100
@@ -68,6 +68,7 @@
 import net.sourceforge.jnlp.LaunchDesc;
 import net.sourceforge.jnlp.LaunchException;
 import net.sourceforge.jnlp.NullJnlpFileException;
+import net.sourceforge.jnlp.OptionsDefinitions;
 import net.sourceforge.jnlp.ParseException;
 import net.sourceforge.jnlp.ParserSettings;
 import net.sourceforge.jnlp.PluginBridge;
@@ -89,6 +90,7 @@
 import net.sourceforge.jnlp.util.StreamUtils;
 import net.sourceforge.jnlp.util.UrlUtils;
 import net.sourceforge.jnlp.util.logging.OutputController;
+import static net.sourceforge.jnlp.runtime.Translator.R;
 
 /**
  * Classloader that takes it's resources from a JNLP file. If the JNLP file
@@ -342,6 +344,20 @@
 
     }
 
+    public static boolean isCertUnderestimated() {
+        return Boolean.valueOf(JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES))
+                && !JNLPRuntime.isSecurityEnabled();
+    }
+
+    private static void consultCertificateSecurityException(LaunchException ex) throws LaunchException {
+        if (isCertUnderestimated()) {
+            OutputController.getLogger().log(OptionsDefinitions.OPTIONS.NOSEC.option + " and " + DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES + " are declared. Ignoring certificate issue");
+            OutputController.getLogger().log(ex);
+        } else {
+            throw ex;
+        }
+    }
+
     public boolean isStrict() {
         return strict;
     }
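Review bot: When the bypass is active, `consultCertificateSecurityException` reports it through the single-argument `log(...)` calls, which presumably use a lower default level than the `OutputController.Level.ERROR_ALL` used for verification failures elsewhere in this file. A launch that continued despite a failed verification should be at least as visible as one that aborted, so consider `OutputController.getLogger().log(OutputController.Level.ERROR_ALL, ex);` and the same level for the message line. `isCertUnderestimated()` is public and undocumented; a short Javadoc should say it is true only when the property is set and security is disabled, so that callers do not treat it as a general trust decision.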
@@ -719,8 +735,9 @@
                 //Note: one of these exceptions could be from not being able
                 //to read the cacerts or trusted.certs files.
                 OutputController.getLogger().log(OutputController.Level.ERROR_ALL, e);
-                throw new LaunchException(null, null, R("LSFatal"),
+                LaunchException ex = new LaunchException(null, null, R("LSFatal"),
                         R("LCInit"), R("LFatalVerification"), R("LFatalVerificationInfo") + ": " + e.getMessage());
+                consultCertificateSecurityException(ex);
             }
 
             //Case when at least one jar has some signing
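Review bot: After `consultCertificateSecurityException(ex)` returns in the ignore case, control leaves this catch block and continues into the `//Case when at least one jar has some signing` code with whatever state the failed verification left behind. The comment above notes that the exception may also come from being unable to read the cacerts or trusted.certs files, so the later signing checks could be evaluating an incomplete result. Either set the signing state explicitly after the call or add a comment there stating which state the following code is expected to see when the failure was ignored. The enclosing method starts and ends outside the hunk, so the downstream effect cannot be confirmed from here.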
@@ -1090,13 +1107,14 @@
              * Throws LaunchException if signed JNLP file fails to be verified
              * or fails to match the launching JNLP file
              */
-            throw new LaunchException(file, null, R("LSFatal"), R("LCClient"),
+            LaunchException ex = new LaunchException(file, null, R("LSFatal"), R("LCClient"),
                     R("LSignedJNLPFileDidNotMatch"), R(e.getMessage()));
-
+            consultCertificateSecurityException(ex);
             /*
              * Throwing this exception will fail to initialize the application
              * resulting in the termination of the application
              */
+
         } catch (Exception e) {
 
             OutputController.getLogger().log(e);
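Review bot: This call site suppresses `LSignedJNLPFileDidNotMatch`, which is a mismatch between the signed JNLP file and the launching one rather than a certificate problem, so the switch covers more than its name and the help text ("corrupted signatures") suggest. If that is intended, the property's documentation should say so; if not, this `throw` should stay unconditional. The block comment `Throwing this exception will fail to initialize the application` now sits after the call and no longer describes what happens when the bypass is active, so it should move above the call and be reworded. The enclosing try/catch begins outside the hunk.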
@@ -2456,11 +2474,19 @@
              */ if (!runInSandbox && !classLoader.getSigning()
                     && !classLoader.file.getSecurity().getSecurityType().equals(SecurityDesc.SANDBOX_PERMISSIONS)) {
                 if (classLoader.jcv.allJarsSigned()) {
-                    throw new LaunchException(classLoader.file, null, R("LSFatal"), R("LCClient"), R("LSignedJNLPAppDifferentCerts"), R("LSignedJNLPAppDifferentCertsInfo"));
+                    LaunchException ex = new LaunchException(classLoader.file, null, R("LSFatal"), R("LCClient"), R("LSignedJNLPAppDifferentCerts"), R("LSignedJNLPAppDifferentCertsInfo"));
+                    consultCertificateSecurityException(ex);
+                    return consultResult(codebaseHost);
                 } else {
-                    throw new LaunchException(classLoader.file, null, R("LSFatal"), R("LCClient"), R("LUnsignedJarWithSecurity"), R("LUnsignedJarWithSecurityInfo"));
+                    LaunchException ex = new LaunchException(classLoader.file, null, R("LSFatal"), R("LCClient"), R("LUnsignedJarWithSecurity"), R("LUnsignedJarWithSecurityInfo"));;
+                    consultCertificateSecurityException(ex);
+                    return consultResult(codebaseHost);
                 }
-            } else if (!runInSandbox && classLoader.getSigning()) {
+            } else return consultResult(codebaseHost);
+        }
+        
+        private SecurityDesc consultResult(URL codebaseHost){
+            if (!runInSandbox && classLoader.getSigning()) {
                 return classLoader.file.getSecurity();
             } else {
                 return new SecurityDesc(classLoader.file,
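Review bot: Both ignore paths are entered only when `!classLoader.getSigning()` holds, so the `consultResult(codebaseHost)` calls there can never return `classLoader.file.getSecurity()` and always take the else branch; a comment at those two returns should state which SecurityDesc an ignored failure ends up with, since that is the security outcome of the bypass. `LUnsignedJarWithSecurity` is also an unsigned jar requesting non-sandbox permissions rather than a certificate issue, so the property's documented scope should mention it. On style, the two branches now duplicate the same three-line pattern, L148 ends in `;;`, and `} else return consultResult(codebaseHost);` should be braced like the rest of the method. The tail of `consultResult` is cut off below the hunk, so the permissions it grants are not visible here.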