Mercurial > hg > release > icedtea6-1.4.1

--- a/ChangeLog	Tue Jan 20 12:43:31 2009 -0500
+++ b/ChangeLog	Tue Jan 20 18:37:40 2009 -0500
@@ -1,3 +1,43 @@
+2009-01-20  Lillian Angel  <langel@redhat.com>
+
+	* rt/net/sourceforge/jnlp/DefaultLaunchHandler.java: Removed debug
+	lines.
+	* rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: Likewise.
+	* rt/net/sourceforge/jnlp/security/AccessWarningPane.java: Updated
+	imports.
+	* rt/net/sourceforge/jnlp/security/AppletWarningPane.java: Updated
+	imports.
+	* rt/net/sourceforge/jnlp/security/CertWarningPane.java: Updated
+	imports, added certVerifier global variable.
+	(CertWarningPane): Initialized certVerifier.
+	(installComponents): Added checks to determine if certificate is for
+	an https site, and set the name/publisher/from variables
+	appropriately. Also, customized warning pane label for https site.
+	* rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java:
+	(getDetails): Implemented.
+	(addToDetails): Likewise.
+	(R): Likewise.
+	(getPublisher): Likewise.
+	(getRoot): Likewise.
+	(getRootInCacerts): Likewise.
+	(hasSigningIssues): Likewise.
+	(noSigningIssues): Likewise.
+	* rt/net/sourceforge/jnlp/security/MoreInfoPane.java: Fixed imports.
+	* rt/net/sourceforge/jnlp/security/SecurityDialogUI.java: Fixed
+	imports.
+	* rt/net/sourceforge/jnlp/security/SecurityWarningDialog.java: Fixed
+	imports.
+	* rt/net/sourceforge/jnlp/security/SingleCertInfoPane.java: Fixed
+	imports.
+	* rt/net/sourceforge/jnlp/security/viewer/CertificatePane.java: Fixed
+	imports.
+	* rt/net/sourceforge/jnlp/tools/KeyTool.java: Removed debug lines.
+	* rt/net/sourceforge/jnlp/security/CertVerifier.java: Moved file
+	below, here.
+	* rt/net/sourceforge/jnlp/tools/CertVerifier.java: Removed.
+	* rt/net/sourceforge/jnlp/security/VariableX509TrustManager.java:
+	Removed debug lines.
+
 2009-01-20  Lillian Angel  <langel@redhat.com>

 	* HACKING: Removed visualvm patch.
--- a/rt/net/sourceforge/jnlp/DefaultLaunchHandler.java	Tue Jan 20 12:43:31 2009 -0500
+++ b/rt/net/sourceforge/jnlp/DefaultLaunchHandler.java	Tue Jan 20 18:37:40 2009 -0500
@@ -107,8 +107,6 @@
             result.append(causes[i].getMessage());
             result.append(")");
         }
-
-        System.out.println(result);
     }

 }
--- a/rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Tue Jan 20 12:43:31 2009 -0500
+++ b/rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Tue Jan 20 18:37:40 2009 -0500
@@ -745,7 +745,6 @@

                             try {
                                 u = tracker.getCacheURL(remoteURL);
-                                System.out.println("URL = " + u);
                             } catch (Exception e) {
                                 throw new ClassNotFoundException(name);
                             }
--- a/rt/net/sourceforge/jnlp/security/AccessWarningPane.java	Tue Jan 20 12:43:31 2009 -0500
+++ b/rt/net/sourceforge/jnlp/security/AccessWarningPane.java	Tue Jan 20 18:37:40 2009 -0500
@@ -58,7 +58,6 @@

 import net.sourceforge.jnlp.JNLPFile;
 import net.sourceforge.jnlp.runtime.JNLPRuntime;
-import net.sourceforge.jnlp.tools.CertVerifier;

 /**
  * Provides the look and feel for a SecurityWarningDialog. These dialogs are
--- a/rt/net/sourceforge/jnlp/security/AppletWarningPane.java	Tue Jan 20 12:43:31 2009 -0500
+++ b/rt/net/sourceforge/jnlp/security/AppletWarningPane.java	Tue Jan 20 18:37:40 2009 -0500
@@ -50,7 +50,6 @@
 import javax.swing.JLabel;
 import javax.swing.JPanel;

-import net.sourceforge.jnlp.tools.CertVerifier;

 public class AppletWarningPane extends SecurityDialogUI {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/rt/net/sourceforge/jnlp/security/CertVerifier.java	Tue Jan 20 18:37:40 2009 -0500
@@ -0,0 +1,92 @@
+/* VariableX509TrustManager.java
+   Copyright (C) 2009 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING.  If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version.
+*/
+
+package net.sourceforge.jnlp.security;
+
+import java.security.cert.CertPath;
+import java.security.cert.Certificate;
+import java.util.ArrayList;
+
+/**
+ * An interface that provides various details about a certificate
+ */
+
+public interface CertVerifier {
+
+    /**
+     * Return if the publisher is already trusted
+     */
+    public boolean getAlreadyTrustPublisher();
+
+    /**
+     * Return if the root is in CA certs
+     */
+    public boolean getRootInCacerts();
+
+    /**
+     * Return if there are signing issues with the certificate(s) being veried
+     */
+    public boolean hasSigningIssues();
+
+    /**
+     * Return if there are no signing issues with this cert (!hasSigningIssues())
+     */
+    public boolean noSigningIssues();
+
+    /**
+     * Get the details regarding issue(s) with this certificate
+     */
+    public ArrayList<String> getDetails();
+
+    /**
+     * Return a valid certificate path to this certificate(s) being verified
+     * @return The CertPath
+     */
+    public ArrayList<CertPath> getCerts();
+
+    /**
+     * Returns the application's publisher's certificate.
+     */
+    public abstract Certificate getPublisher();
+
+    /**
+     * Returns the application's root's certificate. This
+     * may return the same certificate as getPublisher() in
+     * the event that the application is self signed.
+     */
+    public abstract Certificate getRoot();
+}
--- a/rt/net/sourceforge/jnlp/security/CertWarningPane.java	Tue Jan 20 12:43:31 2009 -0500
+++ b/rt/net/sourceforge/jnlp/security/CertWarningPane.java	Tue Jan 20 18:37:40 2009 -0500
@@ -61,7 +61,6 @@
 import net.sourceforge.jnlp.JNLPFile;
 import net.sourceforge.jnlp.PluginBridge;
 import net.sourceforge.jnlp.runtime.JNLPRuntime;
-import net.sourceforge.jnlp.tools.CertVerifier;
 import net.sourceforge.jnlp.tools.KeyTool;

 /**
@@ -75,9 +74,11 @@
 public class CertWarningPane extends SecurityDialogUI {

 	JCheckBox alwaysTrust;
+	CertVerifier certVerifier;

 	public CertWarningPane(JComponent x, CertVerifier certVerifier) {
 		super(x, certVerifier);
+		this.certVerifier = certVerifier;
 	}

 	/**
@@ -88,7 +89,9 @@
 			((SecurityWarningDialog)optionPane).getType();
 		JNLPFile file =
 			((SecurityWarningDialog)optionPane).getFile();
-
+		Certificate c = ((SecurityWarningDialog)optionPane)
+                                .getJarSigner().getPublisher();
+
 		String name = "";
 		String publisher = "";
 		String from = "";
@@ -96,7 +99,11 @@
 		//We don't worry about exceptions when trying to fill in
 		//these strings -- we just want to fill in as many as possible.
 		try {
-			if (file instanceof PluginBridge)
+			if ((certVerifier instanceof HttpsCertVerifier) &&
+			     (c instanceof X509Certificate))
+			   name = getCN(((X509Certificate)c)
+                                        .getSubjectX500Principal().getName());
+			else if (file instanceof PluginBridge)
 				name = file.getTitle();
 			else
 				name = file.getInformation().getTitle();
@@ -104,8 +111,6 @@
 		}

 		try {
-			Certificate c = ((SecurityWarningDialog)optionPane)
-				.getJarSigner().getPublisher();
 			if (c instanceof X509Certificate) {
 				publisher = getCN(((X509Certificate)c)
 					.getSubjectX500Principal().getName());
@@ -124,20 +129,27 @@
 		//Top label
 		String topLabelText = "";
 		String propertyName = "";
-		switch (type) {
-		case VERIFIED:
-			topLabelText = R("SSigVerified");
+		if (certVerifier instanceof HttpsCertVerifier)
+		{
+		  topLabelText = "The website's certificate cannot be verified. " +
+				 "Do you want to continue?";
+		  propertyName = "OptionPane.warningIcon";
+		}
+		else
+		  switch (type) {
+		  case VERIFIED:
+		 	topLabelText = R("SSigVerified");
 			propertyName = "OptionPane.informationIcon";
 			break;
-		case UNVERIFIED:
+		  case UNVERIFIED:
 			topLabelText = R("SSigUnverified");
 			propertyName = "OptionPane.warningIcon";
 			break;
-		case SIGNING_ERROR:
+	  	  case SIGNING_ERROR:
 			topLabelText = R("SSignatureError");
 			propertyName = "OptionPane.warningIcon";
 			break;
-		}
+		  }
 		ImageIcon icon = new ImageIcon((new sun.misc.Launcher())
 				.getClassLoader().getResource("net/sourceforge/jnlp/resources/warning.png"));
 		JLabel topLabel = new JLabel(htmlWrap(topLabelText), icon, SwingConstants.LEFT);
@@ -164,7 +176,10 @@
 		JPanel infoPanel = new JPanel(new GridLayout(4,1));
 		infoPanel.add(nameLabel);
 		infoPanel.add(publisherLabel);
-		infoPanel.add(fromLabel);
+
+		if (!(certVerifier instanceof HttpsCertVerifier))
+		  infoPanel.add(fromLabel);
+
 		infoPanel.add(alwaysTrust);
 		infoPanel.setBorder(BorderFactory.createEmptyBorder(25,25,25,25));
--- a/rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java	Tue Jan 20 12:43:31 2009 -0500
+++ b/rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java	Tue Jan 20 18:37:40 2009 -0500
@@ -41,16 +41,20 @@
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.CertificateExpiredException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;

-import net.sourceforge.jnlp.tools.CertVerifier;
-
+import net.sourceforge.jnlp.runtime.JNLPRuntime;
+import net.sourceforge.jnlp.tools.KeyTool;
+
 public class HttpsCertVerifier implements CertVerifier {

     private VariableX509TrustManager tm;
     private X509Certificate[] chain;
     private String authType;
+    private ArrayList<String> details = new ArrayList<String>();

     public HttpsCertVerifier(VariableX509TrustManager tm, X509Certificate[] chain, String authType) {
         this.tm = tm;
@@ -87,32 +91,84 @@
     }

     public ArrayList<String> getDetails() {
-        // TODO Auto-generated method stub
-        return new ArrayList<String>();
+	boolean hasExpiredCert=false;
+	boolean hasExpiringCert=false;
+	boolean notYetValidCert=false;
+	boolean isUntrusted=false;
+
+	if (! getAlreadyTrustPublisher())
+              isUntrusted = true;
+
+	for (int i=0; i < chain.length; i++)
+	{
+	   X509Certificate cert = chain[i];
+
+           long now = System.currentTimeMillis();
+           long SIX_MONTHS = 180*24*60*60*1000L;
+	   long notAfter = cert.getNotAfter().getTime();
+           if (notAfter < now) {
+             hasExpiredCert = true;
+           } else if (notAfter < now + SIX_MONTHS) {
+             hasExpiringCert = true;
+           }
+
+	   try {
+	     cert.checkValidity();
+	   } catch (CertificateNotYetValidException cnyve) {
+             notYetValidCert = true;
+	   } catch (CertificateExpiredException cee) {
+	     hasExpiredCert = true;
+	   }
+	}
+
+	if (isUntrusted || hasExpiredCert || hasExpiringCert || notYetValidCert) {
+	      if (isUntrusted)
+	        addToDetails(R("SUntrustedCertificate"));
+              if (hasExpiredCert)
+                addToDetails(R("SHasExpiredCert"));
+              if (hasExpiringCert)
+                addToDetails(R("SHasExpiringCert"));
+              if (notYetValidCert)
+                addToDetails(R("SNotYetValidCert"));
+        }
+	return details;
+    }
+
+    private void addToDetails(String detail) {
+      if (!details.contains(detail))
+        details.add(detail);
+    }
+
+    private static String R(String key) {
+      return JNLPRuntime.getMessage(key);
     }

     public Certificate getPublisher() {
-        // TODO Auto-generated method stub
-        return null;
+      if (chain.length > 0)
+        return (Certificate)chain[0];
+      return null;
     }

     public Certificate getRoot() {
-        // TODO Auto-generated method stub
-        return null;
+      if (chain.length > 0)
+        return (Certificate)chain[chain.length - 1];
+      return null;
     }

     public boolean getRootInCacerts() {
-        // TODO Auto-generated method stub
-        return false;
+	try {
+	  KeyTool kt = new KeyTool();
+          return kt.checkCacertsForCertificate(getRoot());
+        } catch (Exception e) {
+	}
+	return false;
     }

     public boolean hasSigningIssues() {
-        // TODO Auto-generated method stub
         return false;
     }

     public boolean noSigningIssues() {
-        // TODO Auto-generated method stub
         return false;
     }
--- a/rt/net/sourceforge/jnlp/security/MoreInfoPane.java	Tue Jan 20 12:43:31 2009 -0500
+++ b/rt/net/sourceforge/jnlp/security/MoreInfoPane.java	Tue Jan 20 18:37:40 2009 -0500
@@ -53,7 +53,6 @@
 import javax.swing.SwingConstants;

 import net.sourceforge.jnlp.runtime.JNLPRuntime;
-import net.sourceforge.jnlp.tools.CertVerifier;

 /**
  * Provides the UI for the More Info dialog. This dialog shows details about an
--- a/rt/net/sourceforge/jnlp/security/SecurityDialogUI.java	Tue Jan 20 12:43:31 2009 -0500
+++ b/rt/net/sourceforge/jnlp/security/SecurityDialogUI.java	Tue Jan 20 18:37:40 2009 -0500
@@ -54,7 +54,6 @@
 import javax.swing.plaf.OptionPaneUI;

 import net.sourceforge.jnlp.runtime.JNLPRuntime;
-import net.sourceforge.jnlp.tools.CertVerifier;

 /**
  * Provides a base for JNLP warning dialogs.
--- a/rt/net/sourceforge/jnlp/security/SecurityWarningDialog.java	Tue Jan 20 12:43:31 2009 -0500
+++ b/rt/net/sourceforge/jnlp/security/SecurityWarningDialog.java	Tue Jan 20 18:37:40 2009 -0500
@@ -38,7 +38,6 @@
 package net.sourceforge.jnlp.security;

 import net.sourceforge.jnlp.JNLPFile;
-import net.sourceforge.jnlp.tools.CertVerifier;

 import java.awt.*;
 import javax.swing.*;
--- a/rt/net/sourceforge/jnlp/security/SingleCertInfoPane.java	Tue Jan 20 12:43:31 2009 -0500
+++ b/rt/net/sourceforge/jnlp/security/SingleCertInfoPane.java	Tue Jan 20 18:37:40 2009 -0500
@@ -45,7 +45,6 @@
 import javax.swing.tree.DefaultMutableTreeNode;
 import javax.swing.tree.TreeSelectionModel;

-import net.sourceforge.jnlp.tools.CertVerifier;

 public class SingleCertInfoPane extends CertsInfoPane {
--- a/rt/net/sourceforge/jnlp/security/VariableX509TrustManager.java	Tue Jan 20 12:43:31 2009 -0500
+++ b/rt/net/sourceforge/jnlp/security/VariableX509TrustManager.java	Tue Jan 20 18:37:40 2009 -0500
@@ -144,9 +144,6 @@
      * @param checkOnly Whether to "check only" i.e. no user prompt, or to prompt for permission
      */
     public void checkServerTrusted(X509Certificate[] chain, String authType, boolean checkOnly) throws CertificateException {
-        for (int i=0; i < chain.length; i++)
-            System.err.println("checkServerTrusted chain@" + i + " = " + chain[i]);
-
         try {
             checkAllManagers(chain, authType);
         } catch (CertificateException ce) {
--- a/rt/net/sourceforge/jnlp/security/viewer/CertificatePane.java	Tue Jan 20 12:43:31 2009 -0500
+++ b/rt/net/sourceforge/jnlp/security/viewer/CertificatePane.java	Tue Jan 20 18:37:40 2009 -0500
@@ -63,10 +63,10 @@
 import javax.swing.UIManager;
 import javax.swing.table.DefaultTableModel;

+import net.sourceforge.jnlp.security.CertVerifier;
 import net.sourceforge.jnlp.security.SecurityDialogUI;
 import net.sourceforge.jnlp.security.SecurityUtil;
 import net.sourceforge.jnlp.security.SecurityWarningDialog;
-import net.sourceforge.jnlp.tools.CertVerifier;
 import net.sourceforge.jnlp.tools.KeyTool;

 //import java.security.KeyStoreException;
--- a/rt/net/sourceforge/jnlp/tools/CertVerifier.java	Tue Jan 20 12:43:31 2009 -0500
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,92 +0,0 @@
-/* VariableX509TrustManager.java
-   Copyright (C) 2009 Red Hat, Inc.
-
-This file is part of IcedTea.
-
-IcedTea is free software; you can redistribute it and/or
-modify it under the terms of the GNU General Public License as published by
-the Free Software Foundation, version 2.
-
-IcedTea is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with IcedTea; see the file COPYING.  If not, write to
-the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-02110-1301 USA.
-
-Linking this library statically or dynamically with other modules is
-making a combined work based on this library.  Thus, the terms and
-conditions of the GNU General Public License cover the whole
-combination.
-
-As a special exception, the copyright holders of this library give you
-permission to link this library with independent modules to produce an
-executable, regardless of the license terms of these independent
-modules, and to copy and distribute the resulting executable under
-terms of your choice, provided that you also meet, for each linked
-independent module, the terms and conditions of the license of that
-module.  An independent module is a module which is not derived from
-or based on this library.  If you modify this library, you may extend
-this exception to your version of the library, but you are not
-obligated to do so.  If you do not wish to do so, delete this
-exception statement from your version.
-*/
-
-package net.sourceforge.jnlp.tools;
-
-import java.security.cert.CertPath;
-import java.security.cert.Certificate;
-import java.util.ArrayList;
-
-/**
- * An interface that provides various details about a certificate
- */
-
-public interface CertVerifier {
-
-    /**
-     * Return if the publisher is already trusted
-     */
-    public boolean getAlreadyTrustPublisher();
-
-    /**
-     * Return if the root is in CA certs
-     */
-    public boolean getRootInCacerts();
-
-    /**
-     * Return if there are signing issues with the certificate(s) being veried
-     */
-    public boolean hasSigningIssues();
-
-    /**
-     * Return if there are no signing issues with this cert (!hasSigningIssues())
-     */
-    public boolean noSigningIssues();
-
-    /**
-     * Get the details regarding issue(s) with this certificate
-     */
-    public ArrayList<String> getDetails();
-
-    /**
-     * Return a valid certificate path to this certificate(s) being verified
-     * @return The CertPath
-     */
-    public ArrayList<CertPath> getCerts();
-
-    /**
-     * Returns the application's publisher's certificate.
-     */
-    public abstract Certificate getPublisher();
-
-    /**
-     * Returns the application's root's certificate. This
-     * may return the same certificate as getPublisher() in
-     * the event that the application is self signed.
-     */
-    public abstract Certificate getRoot();
-}
\ No newline at end of file
--- a/rt/net/sourceforge/jnlp/tools/KeyTool.java	Tue Jan 20 12:43:31 2009 -0500
+++ b/rt/net/sourceforge/jnlp/tools/KeyTool.java	Tue Jan 20 18:37:40 2009 -0500
@@ -374,7 +374,6 @@
                 j++;
             }
             //return newChain;
-            System.out.println("newChain's size: " + newChain.length);
             return newChain != null;
         } else {
             throw new Exception("Failed to establish chain from reply");