[RFC][icedtea-web] Major rework of JarCertVerifier
ddadacha at redhat.com
Tue Aug 21 13:26:53 PDT 2012
For the last few months, I've been working on completely redoing JarCertVerifier to allow for the ability to handle multiple signers
and loosen the restriction ITW has on applets requiring to be completely signed. So naturally, this is a pretty big patch. =)
This patch is heavily *untested*. I'm only posting it to get a head start on review and because my term's going to end on the 24th. :(
I am trying to write up tests now and make sure that this acts sanely. So if you find horrible mistakes that I've overlooked, please
let me know!
The very long ChangeLog:
+2012-08-21 Danesh Dadachanji <ddadacha at redhat.com>
+ Rework JarCertVerifier certificate management to handle multiple
+ certificates and use different algorithms to verify JNLPs and Applets.
+ * netx/net/sourceforge/jnlp/resources/Messages.properties:
+ Removed SHasUnsignedEntry.
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
+ Set JCV instance to final but uninitialized.
+ (JNLPClassLoader): Initialized JCV with runtime dependent verifier.
+ (addNewJar), (initializeResources), (verifySignedJNLP):
+ Replaced use of local JarCertVerifier variable with the instance variable.
+ Added calls to isFullySigned wherever signer verification is done.
+ (activateJars): No longer verifies nested jars. These receive the same
+ security permissions as their parent jar, regardless of the nested
+ jar's signing.
+ (checkTrustWithUser): Removed JCV param, reimplemented to wrap around
+ JCV's checkTrustWithUser method.
+ (verifyJars): Removed.
+ * netx/net/sourceforge/jnlp/security/AppVerifier.java:
+ New strategy pattern interface that specifies verification methods
+ required regardless of the runtime.
+ * netx/net/sourceforge/jnlp/security/JNLPAppVerifier.java:
+ * netx/net/sourceforge/jnlp/security/PluginAppVerifier.java:
+ New strategy pattern classes used to determine which algorithms to use
+ depending on the runtime.
+ * netx/net/sourceforge/jnlp/security/CertVerifier.java:
+ Added CertPath param to all the methods.
+ (noSigningIssues): Removed.
+ * netx/net/sourceforge/jnlp/security/CertWarningPane.java:
+ * netx/net/sourceforge/jnlp/security/CertsInfoPane.java:
+ * netx/net/sourceforge/jnlp/security/MoreInfoPane.java:
+ Updated calls to the verifier's methods with the new CertPath param. All
+ are set to null so far.
+ * netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java:
+ Added CertPath param to all the methods. It's mostly ignored though.
+ * netx/net/sourceforge/jnlp/tools/CertInformation.java:
+ New class to represent all the information about a signer with
+ with respect to all of the entries it has signed for the app.
+ * netx/net/sourceforge/jnlp/tools/JarCertVerifier.java:
+ Completely reworked to use CertInformation and AppVerifier functionality.
+ (getCertPath), (getCertInformation), (checkTrustWithUser),
+ (getJarSignableEntries), (getTotalJarEntries): New method.
+ (noSigningIssues), (anyJarsSigned): Removed.
+ (verifyResult): Renamed enum to VerifyResult
+ (JarCertVerifier): New constructor used to set AppVerifier instance.
+ (getAlreadyTrustPublisher), (getRootInCacerts): Now uses strategy pattern.
+ (hasSigningIssues), (getDetails), (checkTrustedCerts), (checkCertUsage):
+ Now uses cert info class.
+ (getCerts): Renamed to getCertsList.
+ (isFullySignedByASingleCert): renamed to isFullySigned and to use
+ the strategy pattern.
+ (add): New public method that resets some instance vars and
+ calls verifyJars.
+ (verifyJars): Modifier changed to private, above method should be used.
+ Also skips jars that have been verified before.
+ (verifyJar): Removed actual verification code, only reads jars into the JVM.
+ (verifyJarEntryCerts): New method. Does actual verification of jars.
+ (getPublisher), (getRoot): Use hacky currentlyUsed variable as the signer.
+ * tests/netx/unit/net/sourceforge/jnlp/tools/VerifyJarEntryCertsTest.java:
+ Unit test JCV's verifyJarEntryCerts method.
+ * tests/test-extensions/net/sourceforge/jnlp/tools/CodeSignerCreator.java:
+ Unit test helper that creates CodeSigner instances.
Here's a more informal overview of the changes that I hope will help make reviewing easier. I've listed them in an order that, to me,
makes it easier to understand all the heavy changes in JCV itself. The ChangeLog is a bit more specific regarding various method
changes so refer to that too.
* Strategy pattern classes *
These are used to determine certain verification algorithms. For example, figuring out if the publisher is already trusted. JNLPs can
just be checked for a publisher that is trusted and has signed every entry in the app. Applets on the other hand can have different
signers across jars so I had to iterate over jars and figure out if they were individually trusted by one signer. These are used to
make decisions based on runtime.
* The information storage class *
All signers that have signed even one entry of any jar brought in by the app are given a CertInfo instance. This class then maintains
all the info needed regarding that signer. Note that it does not actually change the signer's properties, it just keeps track of them!
Things like the number of entries it has signed across a jar, whether or not it is expired/expiring/not yet valid etc. JCV had a ton of
instance vars for things like this. I have moved all of those into this class and kept track of them by the signer.
* JCV fun *
To verify a new list of jars, the order of the JCV method calls are:
1. add: The public method called by JNLPClassLoader to tell this instance to verify new jars
2. verifyJars: The private method that keeps track of the jars that have been or are being verified
3. verifyJar: Pulls in the jar from the FS into the JVM
4. verifyJarEntryCerts: The method that does all the verifying of this individual jar. It sets up/updates a lot (but not all) of the
CertInfo flags for each particular signer.
The fourth method is where a _lot_ of the magic happens. Fortunately, it's the one method I wrote unit tests for earlier on! See below.
Keep in mind, it first goes through all the entries and sorts them out, storing info in a map local to its scope. It then starts
updating the instance var info map.
See the ChangeLog for a lot of the other methods. One thing to note is some of the methods that use the CertPath instance var,
currentlyUsed. See the reasons in the "UI class changes" section below.
* Classloader changes *
This has 3 updates:
1. Updated it to handle a global JCV rather than creating instances on its own.
2. Made it use the strategy pattern to create the global JCV.
3. Updated the checkTrustWithUser method to wrap around JCV's one.
* UI class changes *
My original idea for dialogs was to have them store their respective CertPath that they were looking at. However, there are so many
coupled links between their super classes. Replacing this JCV instance var with a CertPath is a task for which I no longer have time.
:( Instead, I've created a currentlyUsed CertPath instance var in JCV that is set before each dialog is called, telling them which one
is used. However, I've left the parameter in place for things like getDetails/getRoot/getPublisher and simply passed in null in the
above few calls. In a future patch, we can then remove currentlyUsed and go straight for the CertPath passed through.
* General CertVerifier changes *
Added CertPath params to all the methods.
* Unit Tests: Checks verifying a _single_ jar *
The tests I have so far. Trying to write more!
* Other minor changes *
Removed a symbol that was no longer being used.
So again, there are most likely still bugs in this patch. However, if I could get feedback on it, that would be great! Thanks in advance.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 114275 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20120821/d536c4b3/jcv-major-rework-01.patch
More information about the distro-pkg-dev