[RFC][icedtea-web] PR742: Fix checking multiple levels of JAR certs for trust

Danesh Dadachanji ddadacha at redhat.com
Wed Jun 22 14:33:18 PDT 2011

Whoops, internal website. Steps are as follows.

1. CA -newca

2. keytool -genkey -alias usercert -keyalg RSA -keysize 2048 -keystore store

3. keytool -certreq -alias usercert -keyalg RSA -file request.pem -keystore store

4. openssl ca -policy policy_anything -extensions my_v3_ext -out usercert.pem -infiles request.pem

5. Edit usercert.pem to remove everything except what's in between the 
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines (and 
keep those 2 lines as well)

6. Open demoCA/cacert.pem, copy everything between and including the 
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and 
paste it at the end of usercert.pem after the -----END CERTIFICATE----- line

7. After all is done, usercert.pem should look something like:

8. keytool -import -alias usercert -keystore store -file usercert.pem

9. jarsigner -keystore store -signedjar TestApplet-signed.jar TestApplet.jar usercert

On 22/06/11 05:06 PM, Danesh Dadachanji wrote:
> Hello,
> Here's a patch for the JAR side of PR742, checking the cert path of a
> JAR cert for trusted CAs. Here's how to make a 2 chain certificate for
> testing purposes - http://torweb.toronto.redhat.com/~dbhole/steps
> You have to add a modified version of demoCA/cacert.pem (follow step 6
> but save the copied text) in the trusted CA certs list through
> itweb-settings.
> ChangeLog
> +2011-06-22 Danesh Dadachanji <ddadacha at redhat.com>
> + * netx/net/sourceforge/jnlp/tools/JarSigner.java: Changed
> checkTrustedCerts to check through entire certPath for trusted CAs.
> Regards,
> Danesh
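
Added example, not part of the original message or of the icedtea-web patch: steps 5 and 6 above as a shell function, so the two-certificate usercert.pem can be built without hand-editing. The function names and the demo files are assumptions made for this example, and the base64 in the demo is constructed placeholder data, not a real certificate.

```shell
# Added example: automates steps 5 and 6 of the procedure above.

# Print only the BEGIN..END CERTIFICATE blocks of file $1, dropping the
# human-readable text that precedes the block.
pem_blocks() {
    awk '/^-----BEGIN CERTIFICATE-----/ { inblk = 1 }
         inblk { sub(/\r$/, ""); print }
         /^-----END CERTIFICATE-----/ { inblk = 0 }' "$1"
}

# Print the number of complete certificates (a BEGIN line closed by an END line).
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { inblk = 1 }
         /^-----END CERTIFICATE-----/ && inblk { n++; inblk = 0 }
         END { print n + 0 }' "$1"
}

# build_chain USER_PEM CA_PEM OUT: write the user certificate followed by the
# CA certificate. OUT may be USER_PEM itself. Refuses, leaving OUT untouched,
# unless each input holds exactly one certificate, so running it twice cannot
# append the CA certificate a second time.
build_chain() {
    user=$1 ca=$2 out=$3
    for f in "$user" "$ca"; do
        [ "$(count_certs "$f")" -eq 1 ] ||
            { echo "$f: expected exactly one certificate" >&2; return 1; }
    done
    tmp=$(mktemp) || return 1
    { pem_blocks "$user"; pem_blocks "$ca"; } > "$tmp" && mv "$tmp" "$out"
}

# Demo on constructed files (placeholder base64, not real certificates).
demo=$(mktemp -d)
printf 'Certificate:\n    Data:\n-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtVVNFUg==\n-----END CERTIFICATE-----\n' > "$demo/usercert.pem"
printf 'Certificate:\n-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0E=\n-----END CERTIFICATE-----\n' > "$demo/cacert.pem"
build_chain "$demo/usercert.pem" "$demo/cacert.pem" "$demo/usercert.pem"
echo "certificates in chain file: $(count_certs "$demo/usercert.pem")"
```

With the files from the steps, the call is build_chain usercert.pem demoCA/cacert.pem usercert.pem, run between steps 4 and 8.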
