diff options
| -rw-r--r-- | ChangeLog | 8 | ||||
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | netx/net/sourceforge/jnlp/security/CertificateUtils.java | 39 |
3 files changed, 43 insertions, 5 deletions
@@ -1,3 +1,11 @@ +2011-08-09 Deepak Bhole <[email protected]> + + PR771: IcedTea-Web certificate verification code does not use the right + API + * netx/net/sourceforge/jnlp/security/CertificateUtils.java + (inKeyStores): Use Certificate.verify to correctly verify a certificate + against a public key in the store. + 2011-08-03 Saad Mohammad <[email protected]> * netx/net/sourceforge/jnlp/JNLPMatcher.java: @@ -16,6 +16,7 @@ New in release 1.2 (2011-XX-XX): - PR749: sun.applet.PluginStreamHandler#handleMessage(String) really slow Common - PR768: Signed applets/Web Start apps don't work with OpenJDK7 and up + - PR771: IcedTea-Web certificate verification code does not use the right API New in release 1.1 (2011-XX-XX): * Security updates diff --git a/netx/net/sourceforge/jnlp/security/CertificateUtils.java b/netx/net/sourceforge/jnlp/security/CertificateUtils.java index af48a1e..fb7ecef 100644 --- a/netx/net/sourceforge/jnlp/security/CertificateUtils.java +++ b/netx/net/sourceforge/jnlp/security/CertificateUtils.java @@ -43,16 +43,20 @@ import java.io.FileInputStream; import java.io.IOException; import java.io.PrintStream; import java.math.BigInteger; +import java.security.InvalidKeyException; import java.security.KeyStore; import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.SignatureException; import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; +import java.util.Enumeration; import java.util.Random; import net.sourceforge.jnlp.runtime.JNLPRuntime; - import sun.misc.BASE64Encoder; import sun.security.provider.X509Factory; @@ -122,11 +126,36 @@ public class CertificateUtils { public static final boolean inKeyStores(X509Certificate c, KeyStore[] keyStores) { for (int i = 0; i < keyStores.length; i++) { try { - if (keyStores[i].getCertificateAlias(c) != null) { - if (JNLPRuntime.isDebug()) { - System.out.println(c.getSubjectX500Principal().getName() + " found in cacerts"); + // Check against all certs + Enumeration<String> aliases = keyStores[i].aliases(); + while (aliases.hasMoreElements()) { + String alias = aliases.nextElement(); + try { + // Verify against this entry + c.verify(keyStores[i].getCertificate(alias).getPublicKey()); + + if (JNLPRuntime.isDebug()) { + System.out.println(c.getSubjectX500Principal().getName() + " found in cacerts"); + } + + // If we got here, it means verification succeeded. Return true. + return true; + } catch (NoSuchAlgorithmException nsae) { + // Unsupported signature algorithm + // Consider non-match and keep going + } catch (InvalidKeyException ike) { + // Incorrect/corrupt key + // Consider non-match and keep going + } catch (NoSuchProviderException nspe) { + // No default provider + // Consider non-match and keep going + } catch (SignatureException se) { + // Signature error + // Consider non-match and keep going + } catch (CertificateException ce) { + // Encoding error + // Consider non-match and keep going } - return true; } } catch (KeyStoreException e) { e.printStackTrace(); |