# HG changeset patch # User Lillian Angel # Date 1232494660 18000 # Node ID d95ddc227d016fa959b19376f06cc5d8545b9c57 # Parent bfe44d820632558b010cf300c7380fcd59d5cd16 2009-01-20 Lillian Angel * rt/net/sourceforge/jnlp/DefaultLaunchHandler.java: Removed debug lines. * rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: Likewise. * rt/net/sourceforge/jnlp/security/AccessWarningPane.java: Updated imports. * rt/net/sourceforge/jnlp/security/AppletWarningPane.java: Updated imports. * rt/net/sourceforge/jnlp/security/CertWarningPane.java: Updated imports, added certVerifier global variable. (CertWarningPane): Initialized certVerifier. (installComponents): Added checks to determine if certificate is for an https site, and set the name/publisher/from variables appropriately. Also, customized warning pane label for https site. * rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java: (getDetails): Implemented. (addToDetails): Likewise. (R): Likewise. (getPublisher): Likewise. (getRoot): Likewise. (getRootInCacerts): Likewise. (hasSigningIssues): Likewise. (noSigningIssues): Likewise. * rt/net/sourceforge/jnlp/security/MoreInfoPane.java: Fixed imports. * rt/net/sourceforge/jnlp/security/SecurityDialogUI.java: Fixed imports. * rt/net/sourceforge/jnlp/security/SecurityWarningDialog.java: Fixed imports. * rt/net/sourceforge/jnlp/security/SingleCertInfoPane.java: Fixed imports. * rt/net/sourceforge/jnlp/security/viewer/CertificatePane.java: Fixed imports. * rt/net/sourceforge/jnlp/tools/KeyTool.java: Removed debug lines. * rt/net/sourceforge/jnlp/security/CertVerifier.java: Moved file below, here. * rt/net/sourceforge/jnlp/tools/CertVerifier.java: Removed. * rt/net/sourceforge/jnlp/security/VariableX509TrustManager.java: Removed debug lines. diff -r bfe44d820632 -r d95ddc227d01 ChangeLog --- a/ChangeLog Tue Jan 20 12:43:31 2009 -0500 +++ b/ChangeLog Tue Jan 20 18:37:40 2009 -0500 @@ -1,3 +1,43 @@ +2009-01-20 Lillian Angel + + * rt/net/sourceforge/jnlp/DefaultLaunchHandler.java: Removed debug + lines. + * rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: Likewise. + * rt/net/sourceforge/jnlp/security/AccessWarningPane.java: Updated + imports. + * rt/net/sourceforge/jnlp/security/AppletWarningPane.java: Updated + imports. + * rt/net/sourceforge/jnlp/security/CertWarningPane.java: Updated + imports, added certVerifier global variable. + (CertWarningPane): Initialized certVerifier. + (installComponents): Added checks to determine if certificate is for + an https site, and set the name/publisher/from variables + appropriately. Also, customized warning pane label for https site. + * rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java: + (getDetails): Implemented. + (addToDetails): Likewise. + (R): Likewise. + (getPublisher): Likewise. + (getRoot): Likewise. + (getRootInCacerts): Likewise. + (hasSigningIssues): Likewise. + (noSigningIssues): Likewise. + * rt/net/sourceforge/jnlp/security/MoreInfoPane.java: Fixed imports. + * rt/net/sourceforge/jnlp/security/SecurityDialogUI.java: Fixed + imports. + * rt/net/sourceforge/jnlp/security/SecurityWarningDialog.java: Fixed + imports. + * rt/net/sourceforge/jnlp/security/SingleCertInfoPane.java: Fixed + imports. + * rt/net/sourceforge/jnlp/security/viewer/CertificatePane.java: Fixed + imports. + * rt/net/sourceforge/jnlp/tools/KeyTool.java: Removed debug lines. + * rt/net/sourceforge/jnlp/security/CertVerifier.java: Moved file + below, here. + * rt/net/sourceforge/jnlp/tools/CertVerifier.java: Removed. + * rt/net/sourceforge/jnlp/security/VariableX509TrustManager.java: + Removed debug lines. + 2009-01-20 Lillian Angel * HACKING: Removed visualvm patch. diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/DefaultLaunchHandler.java --- a/rt/net/sourceforge/jnlp/DefaultLaunchHandler.java Tue Jan 20 12:43:31 2009 -0500 +++ b/rt/net/sourceforge/jnlp/DefaultLaunchHandler.java Tue Jan 20 18:37:40 2009 -0500 @@ -107,8 +107,6 @@ result.append(causes[i].getMessage()); result.append(")"); } - - System.out.println(result); } } diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java --- a/rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Jan 20 12:43:31 2009 -0500 +++ b/rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Jan 20 18:37:40 2009 -0500 @@ -745,7 +745,6 @@ try { u = tracker.getCacheURL(remoteURL); - System.out.println("URL = " + u); } catch (Exception e) { throw new ClassNotFoundException(name); } diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/security/AccessWarningPane.java --- a/rt/net/sourceforge/jnlp/security/AccessWarningPane.java Tue Jan 20 12:43:31 2009 -0500 +++ b/rt/net/sourceforge/jnlp/security/AccessWarningPane.java Tue Jan 20 18:37:40 2009 -0500 @@ -58,7 +58,6 @@ import net.sourceforge.jnlp.JNLPFile; import net.sourceforge.jnlp.runtime.JNLPRuntime; -import net.sourceforge.jnlp.tools.CertVerifier; /** * Provides the look and feel for a SecurityWarningDialog. These dialogs are diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/security/AppletWarningPane.java --- a/rt/net/sourceforge/jnlp/security/AppletWarningPane.java Tue Jan 20 12:43:31 2009 -0500 +++ b/rt/net/sourceforge/jnlp/security/AppletWarningPane.java Tue Jan 20 18:37:40 2009 -0500 @@ -50,7 +50,6 @@ import javax.swing.JLabel; import javax.swing.JPanel; -import net.sourceforge.jnlp.tools.CertVerifier; public class AppletWarningPane extends SecurityDialogUI { diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/security/CertVerifier.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/rt/net/sourceforge/jnlp/security/CertVerifier.java Tue Jan 20 18:37:40 2009 -0500 @@ -0,0 +1,92 @@ +/* VariableX509TrustManager.java + Copyright (C) 2009 Red Hat, Inc. + +This file is part of IcedTea. + +IcedTea is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License as published by +the Free Software Foundation, version 2. + +IcedTea is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with IcedTea; see the file COPYING. If not, write to +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. +*/ + +package net.sourceforge.jnlp.security; + +import java.security.cert.CertPath; +import java.security.cert.Certificate; +import java.util.ArrayList; + +/** + * An interface that provides various details about a certificate + */ + +public interface CertVerifier { + + /** + * Return if the publisher is already trusted + */ + public boolean getAlreadyTrustPublisher(); + + /** + * Return if the root is in CA certs + */ + public boolean getRootInCacerts(); + + /** + * Return if there are signing issues with the certificate(s) being veried + */ + public boolean hasSigningIssues(); + + /** + * Return if there are no signing issues with this cert (!hasSigningIssues()) + */ + public boolean noSigningIssues(); + + /** + * Get the details regarding issue(s) with this certificate + */ + public ArrayList getDetails(); + + /** + * Return a valid certificate path to this certificate(s) being verified + * @return The CertPath + */ + public ArrayList getCerts(); + + /** + * Returns the application's publisher's certificate. + */ + public abstract Certificate getPublisher(); + + /** + * Returns the application's root's certificate. This + * may return the same certificate as getPublisher() in + * the event that the application is self signed. + */ + public abstract Certificate getRoot(); +} diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/security/CertWarningPane.java --- a/rt/net/sourceforge/jnlp/security/CertWarningPane.java Tue Jan 20 12:43:31 2009 -0500 +++ b/rt/net/sourceforge/jnlp/security/CertWarningPane.java Tue Jan 20 18:37:40 2009 -0500 @@ -61,7 +61,6 @@ import net.sourceforge.jnlp.JNLPFile; import net.sourceforge.jnlp.PluginBridge; import net.sourceforge.jnlp.runtime.JNLPRuntime; -import net.sourceforge.jnlp.tools.CertVerifier; import net.sourceforge.jnlp.tools.KeyTool; /** @@ -75,9 +74,11 @@ public class CertWarningPane extends SecurityDialogUI { JCheckBox alwaysTrust; + CertVerifier certVerifier; public CertWarningPane(JComponent x, CertVerifier certVerifier) { super(x, certVerifier); + this.certVerifier = certVerifier; } /** @@ -88,7 +89,9 @@ ((SecurityWarningDialog)optionPane).getType(); JNLPFile file = ((SecurityWarningDialog)optionPane).getFile(); - + Certificate c = ((SecurityWarningDialog)optionPane) + .getJarSigner().getPublisher(); + String name = ""; String publisher = ""; String from = ""; @@ -96,7 +99,11 @@ //We don't worry about exceptions when trying to fill in //these strings -- we just want to fill in as many as possible. try { - if (file instanceof PluginBridge) + if ((certVerifier instanceof HttpsCertVerifier) && + (c instanceof X509Certificate)) + name = getCN(((X509Certificate)c) + .getSubjectX500Principal().getName()); + else if (file instanceof PluginBridge) name = file.getTitle(); else name = file.getInformation().getTitle(); @@ -104,8 +111,6 @@ } try { - Certificate c = ((SecurityWarningDialog)optionPane) - .getJarSigner().getPublisher(); if (c instanceof X509Certificate) { publisher = getCN(((X509Certificate)c) .getSubjectX500Principal().getName()); @@ -124,20 +129,27 @@ //Top label String topLabelText = ""; String propertyName = ""; - switch (type) { - case VERIFIED: - topLabelText = R("SSigVerified"); + if (certVerifier instanceof HttpsCertVerifier) + { + topLabelText = "The website's certificate cannot be verified. " + + "Do you want to continue?"; + propertyName = "OptionPane.warningIcon"; + } + else + switch (type) { + case VERIFIED: + topLabelText = R("SSigVerified"); propertyName = "OptionPane.informationIcon"; break; - case UNVERIFIED: + case UNVERIFIED: topLabelText = R("SSigUnverified"); propertyName = "OptionPane.warningIcon"; break; - case SIGNING_ERROR: + case SIGNING_ERROR: topLabelText = R("SSignatureError"); propertyName = "OptionPane.warningIcon"; break; - } + } ImageIcon icon = new ImageIcon((new sun.misc.Launcher()) .getClassLoader().getResource("net/sourceforge/jnlp/resources/warning.png")); JLabel topLabel = new JLabel(htmlWrap(topLabelText), icon, SwingConstants.LEFT); @@ -164,7 +176,10 @@ JPanel infoPanel = new JPanel(new GridLayout(4,1)); infoPanel.add(nameLabel); infoPanel.add(publisherLabel); - infoPanel.add(fromLabel); + + if (!(certVerifier instanceof HttpsCertVerifier)) + infoPanel.add(fromLabel); + infoPanel.add(alwaysTrust); infoPanel.setBorder(BorderFactory.createEmptyBorder(25,25,25,25)); diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java --- a/rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java Tue Jan 20 12:43:31 2009 -0500 +++ b/rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java Tue Jan 20 18:37:40 2009 -0500 @@ -41,16 +41,20 @@ import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.CertificateExpiredException; import java.security.cert.X509Certificate; import java.util.ArrayList; -import net.sourceforge.jnlp.tools.CertVerifier; - +import net.sourceforge.jnlp.runtime.JNLPRuntime; +import net.sourceforge.jnlp.tools.KeyTool; + public class HttpsCertVerifier implements CertVerifier { private VariableX509TrustManager tm; private X509Certificate[] chain; private String authType; + private ArrayList details = new ArrayList(); public HttpsCertVerifier(VariableX509TrustManager tm, X509Certificate[] chain, String authType) { this.tm = tm; @@ -87,32 +91,84 @@ } public ArrayList getDetails() { - // TODO Auto-generated method stub - return new ArrayList(); + boolean hasExpiredCert=false; + boolean hasExpiringCert=false; + boolean notYetValidCert=false; + boolean isUntrusted=false; + + if (! getAlreadyTrustPublisher()) + isUntrusted = true; + + for (int i=0; i < chain.length; i++) + { + X509Certificate cert = chain[i]; + + long now = System.currentTimeMillis(); + long SIX_MONTHS = 180*24*60*60*1000L; + long notAfter = cert.getNotAfter().getTime(); + if (notAfter < now) { + hasExpiredCert = true; + } else if (notAfter < now + SIX_MONTHS) { + hasExpiringCert = true; + } + + try { + cert.checkValidity(); + } catch (CertificateNotYetValidException cnyve) { + notYetValidCert = true; + } catch (CertificateExpiredException cee) { + hasExpiredCert = true; + } + } + + if (isUntrusted || hasExpiredCert || hasExpiringCert || notYetValidCert) { + if (isUntrusted) + addToDetails(R("SUntrustedCertificate")); + if (hasExpiredCert) + addToDetails(R("SHasExpiredCert")); + if (hasExpiringCert) + addToDetails(R("SHasExpiringCert")); + if (notYetValidCert) + addToDetails(R("SNotYetValidCert")); + } + return details; + } + + private void addToDetails(String detail) { + if (!details.contains(detail)) + details.add(detail); + } + + private static String R(String key) { + return JNLPRuntime.getMessage(key); } public Certificate getPublisher() { - // TODO Auto-generated method stub - return null; + if (chain.length > 0) + return (Certificate)chain[0]; + return null; } public Certificate getRoot() { - // TODO Auto-generated method stub - return null; + if (chain.length > 0) + return (Certificate)chain[chain.length - 1]; + return null; } public boolean getRootInCacerts() { - // TODO Auto-generated method stub - return false; + try { + KeyTool kt = new KeyTool(); + return kt.checkCacertsForCertificate(getRoot()); + } catch (Exception e) { + } + return false; } public boolean hasSigningIssues() { - // TODO Auto-generated method stub return false; } public boolean noSigningIssues() { - // TODO Auto-generated method stub return false; } diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/security/MoreInfoPane.java --- a/rt/net/sourceforge/jnlp/security/MoreInfoPane.java Tue Jan 20 12:43:31 2009 -0500 +++ b/rt/net/sourceforge/jnlp/security/MoreInfoPane.java Tue Jan 20 18:37:40 2009 -0500 @@ -53,7 +53,6 @@ import javax.swing.SwingConstants; import net.sourceforge.jnlp.runtime.JNLPRuntime; -import net.sourceforge.jnlp.tools.CertVerifier; /** * Provides the UI for the More Info dialog. This dialog shows details about an diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/security/SecurityDialogUI.java --- a/rt/net/sourceforge/jnlp/security/SecurityDialogUI.java Tue Jan 20 12:43:31 2009 -0500 +++ b/rt/net/sourceforge/jnlp/security/SecurityDialogUI.java Tue Jan 20 18:37:40 2009 -0500 @@ -54,7 +54,6 @@ import javax.swing.plaf.OptionPaneUI; import net.sourceforge.jnlp.runtime.JNLPRuntime; -import net.sourceforge.jnlp.tools.CertVerifier; /** * Provides a base for JNLP warning dialogs. diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/security/SecurityWarningDialog.java --- a/rt/net/sourceforge/jnlp/security/SecurityWarningDialog.java Tue Jan 20 12:43:31 2009 -0500 +++ b/rt/net/sourceforge/jnlp/security/SecurityWarningDialog.java Tue Jan 20 18:37:40 2009 -0500 @@ -38,7 +38,6 @@ package net.sourceforge.jnlp.security; import net.sourceforge.jnlp.JNLPFile; -import net.sourceforge.jnlp.tools.CertVerifier; import java.awt.*; import javax.swing.*; diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/security/SingleCertInfoPane.java --- a/rt/net/sourceforge/jnlp/security/SingleCertInfoPane.java Tue Jan 20 12:43:31 2009 -0500 +++ b/rt/net/sourceforge/jnlp/security/SingleCertInfoPane.java Tue Jan 20 18:37:40 2009 -0500 @@ -45,7 +45,6 @@ import javax.swing.tree.DefaultMutableTreeNode; import javax.swing.tree.TreeSelectionModel; -import net.sourceforge.jnlp.tools.CertVerifier; public class SingleCertInfoPane extends CertsInfoPane { diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/security/VariableX509TrustManager.java --- a/rt/net/sourceforge/jnlp/security/VariableX509TrustManager.java Tue Jan 20 12:43:31 2009 -0500 +++ b/rt/net/sourceforge/jnlp/security/VariableX509TrustManager.java Tue Jan 20 18:37:40 2009 -0500 @@ -144,9 +144,6 @@ * @param checkOnly Whether to "check only" i.e. no user prompt, or to prompt for permission */ public void checkServerTrusted(X509Certificate[] chain, String authType, boolean checkOnly) throws CertificateException { - for (int i=0; i < chain.length; i++) - System.err.println("checkServerTrusted chain@" + i + " = " + chain[i]); - try { checkAllManagers(chain, authType); } catch (CertificateException ce) { diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/security/viewer/CertificatePane.java --- a/rt/net/sourceforge/jnlp/security/viewer/CertificatePane.java Tue Jan 20 12:43:31 2009 -0500 +++ b/rt/net/sourceforge/jnlp/security/viewer/CertificatePane.java Tue Jan 20 18:37:40 2009 -0500 @@ -63,10 +63,10 @@ import javax.swing.UIManager; import javax.swing.table.DefaultTableModel; +import net.sourceforge.jnlp.security.CertVerifier; import net.sourceforge.jnlp.security.SecurityDialogUI; import net.sourceforge.jnlp.security.SecurityUtil; import net.sourceforge.jnlp.security.SecurityWarningDialog; -import net.sourceforge.jnlp.tools.CertVerifier; import net.sourceforge.jnlp.tools.KeyTool; //import java.security.KeyStoreException; diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/tools/CertVerifier.java --- a/rt/net/sourceforge/jnlp/tools/CertVerifier.java Tue Jan 20 12:43:31 2009 -0500 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,92 +0,0 @@ -/* VariableX509TrustManager.java - Copyright (C) 2009 Red Hat, Inc. - -This file is part of IcedTea. - -IcedTea is free software; you can redistribute it and/or -modify it under the terms of the GNU General Public License as published by -the Free Software Foundation, version 2. - -IcedTea is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -General Public License for more details. - -You should have received a copy of the GNU General Public License -along with IcedTea; see the file COPYING. If not, write to -the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA -02110-1301 USA. - -Linking this library statically or dynamically with other modules is -making a combined work based on this library. Thus, the terms and -conditions of the GNU General Public License cover the whole -combination. - -As a special exception, the copyright holders of this library give you -permission to link this library with independent modules to produce an -executable, regardless of the license terms of these independent -modules, and to copy and distribute the resulting executable under -terms of your choice, provided that you also meet, for each linked -independent module, the terms and conditions of the license of that -module. An independent module is a module which is not derived from -or based on this library. If you modify this library, you may extend -this exception to your version of the library, but you are not -obligated to do so. If you do not wish to do so, delete this -exception statement from your version. -*/ - -package net.sourceforge.jnlp.tools; - -import java.security.cert.CertPath; -import java.security.cert.Certificate; -import java.util.ArrayList; - -/** - * An interface that provides various details about a certificate - */ - -public interface CertVerifier { - - /** - * Return if the publisher is already trusted - */ - public boolean getAlreadyTrustPublisher(); - - /** - * Return if the root is in CA certs - */ - public boolean getRootInCacerts(); - - /** - * Return if there are signing issues with the certificate(s) being veried - */ - public boolean hasSigningIssues(); - - /** - * Return if there are no signing issues with this cert (!hasSigningIssues()) - */ - public boolean noSigningIssues(); - - /** - * Get the details regarding issue(s) with this certificate - */ - public ArrayList getDetails(); - - /** - * Return a valid certificate path to this certificate(s) being verified - * @return The CertPath - */ - public ArrayList getCerts(); - - /** - * Returns the application's publisher's certificate. - */ - public abstract Certificate getPublisher(); - - /** - * Returns the application's root's certificate. This - * may return the same certificate as getPublisher() in - * the event that the application is self signed. - */ - public abstract Certificate getRoot(); -} \ No newline at end of file diff -r bfe44d820632 -r d95ddc227d01 rt/net/sourceforge/jnlp/tools/KeyTool.java --- a/rt/net/sourceforge/jnlp/tools/KeyTool.java Tue Jan 20 12:43:31 2009 -0500 +++ b/rt/net/sourceforge/jnlp/tools/KeyTool.java Tue Jan 20 18:37:40 2009 -0500 @@ -374,7 +374,6 @@ j++; } //return newChain; - System.out.println("newChain's size: " + newChain.length); return newChain != null; } else { throw new Exception("Failed to establish chain from reply");