-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | netx/net/sourceforge/jnlp/tools/JarSigner.java | 8 |
3 files changed, 16 insertions, 1 deletions
@@ -1,3 +1,11 @@ +2011-08-11 Danesh Dadachanji <[email protected]> + + PR742: IcedTea-Web checks certs only upto 1 level deep before declaring + them untrusted. + * NEWS: Updated. + * netx/net/sourceforge/jnlp/tools/JarSigner.java: + (checkTrustedCerts): All certs along certPath are now checked for trust. + 2011-08-09 Deepak Bhole <[email protected]> PR771: IcedTea-Web certificate verification code does not use the right @@ -19,6 +19,7 @@ New in release 1.2 (2011-XX-XX): Common - PR768: Signed applets/Web Start apps don't work with OpenJDK7 and up - PR771: IcedTea-Web certificate verification code does not use the right API + - PR742: IcedTea-Web checks certs only upto 1 level deep before declaring them untrusted. New in release 1.1 (2011-XX-XX): * Security updates diff --git a/netx/net/sourceforge/jnlp/tools/JarSigner.java b/netx/net/sourceforge/jnlp/tools/JarSigner.java index b452dbc..a7d529b 100644 --- a/netx/net/sourceforge/jnlp/tools/JarSigner.java +++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java @@ -373,7 +373,13 @@ public class JarSigner implements CertVerifier { alreadyTrustPublisher = CertificateUtils.inKeyStores(publisher, certKeyStores); X509Certificate root = (X509Certificate) getRoot(); KeyStore[] caKeyStores = KeyStores.getCAKeyStores(); - rootInCacerts = CertificateUtils.inKeyStores(root, caKeyStores); + // Check entire cert path for a trusted CA + for (Certificate c : certPath.getCertificates()) { + if ((rootInCacerts = CertificateUtils.inKeyStores( + (X509Certificate) c, caKeyStores))) { + break; + } + } } catch (Exception e) { // TODO: Warn user about not being able to // look through their cacerts/trusted.certs |
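Review bot: The new loop in checkTrustedCerts assigns `rootInCacerts` only inside the `if` condition, so an empty cert path, or a failed `(X509Certificate) c` cast swallowed by the `catch (Exception e)` below it, leaves the flag at whatever value it held before; that matters if it is a field and the verifier is reused, which the hunk does not show. Setting `rootInCacerts = false;` before the loop and writing the body as `if (CertificateUtils.inKeyStores((X509Certificate) c, caKeyStores)) { rootInCacerts = true; break; }` makes the trust decision fail closed and removes the assignment-in-condition. The flag now also becomes true when an intermediate or the signing certificate itself is present in the CA key stores, so its name and any dialog text keyed on it should be checked to say "path contains a trusted CA" rather than "root"; `root` also looks unused after this change, at least within the hunk. The method starts and ends outside the hunk.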