[RFC][icedtea-web] Fix JarSigner to check that cert start dates have passed
ddadacha at redhat.com
Fri Mar 30 14:04:32 PDT 2012
On 30/03/12 04:20 PM, Deepak Bhole wrote:
> * Danesh Dadachanji <ddadacha at redhat.com> [2012-03-30 16:02]:
>> Currently, JarSigner never sets notYetValidCert to true, the
>> notBefore date is never checked when sorting out the certificates.
>> If it were true, the certificate would be considered as having
>> signing issues and all the unverified prompts would start
>> triggering. Attached is a patch to fix this, everything else is
>> already taken care of WRT notYetValidCert being checked in other
>> +2012-03-30 Danesh Dadachanji<ddadacha at redhat.com>
>> + Certificate start dates are not being checked, they are still verified
>> + even if the date has yet not been reached.
>> + * netx/net/sourceforge/jnlp/tools/JarSigner.java (verifyJar): If the start
>> + date is in the future, set notYetValidCert to true.
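Review bot: In the ChangeLog description lines, "they are still verified even if the date has yet not been reached" is a comma splice with awkward word order, and it leaves "they" and "the date" ambiguous. Suggest "Certificate start dates are not being checked; certificates are still verified even if their start date has not yet been reached."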
>> Okay for HEAD? Thoughts on backporting? I don't think this should
>> wait to be backported since currently it is verifying certificates
>> it should not be letting through, misleading users when dialogs
> I think this one is fine for 1.1 and 1.2 in addition to HEAD.
Bah, noticed a bug in the patch: if the cert expires in 6 months or less,
that flag is set and the notYetValidCert isn't. I tested it with a 365
day valid cert the first time around. :S
Updated patch in attachment, ChangeLog is the same. Thanks to Omair's
comment, I did a slightly more extensive search on where notBefore() is
called as well as my original search for "notYetValidCert", everything
looks logical now.
I've now tested this with:
- a cert that has notBefore=$YESTERDAY, notAfter=$TOMORROW: Both "not
yet valid" and "expiring in 6 months" warnings show in More Info dialog.
- a cert that has notBefore=$YESTERDAY, notAfter=$NEXT_YEAR: Just "not
yet valid" warning shows in More Info dialog.
Is there anything else I should test? /me can't think of anything off
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1162 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20120330/f0b07da6/not-yet-valid-certs-02.patch
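The failure mode discussed in this thread, one validity warning masking another, can be avoided by evaluating the start-date check independently of the expiry checks. The following is an added example, not the attached patch or IcedTea-Web code; the class name, the `Issue` enum, the 180-day approximation of "6 months" and the sample dates are all assumptions made for illustration.

```java
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.EnumSet;

public class CertValidityWindow {
    // Hypothetical flag names for this example.
    enum Issue { NOT_YET_VALID, EXPIRED, EXPIRING_SOON }

    // Assumption: "6 months" is approximated as 180 days.
    static final long SIX_MONTHS_MS = 180L * 24 * 60 * 60 * 1000;

    // The start-date test stands alone, outside the expiry branch, so a
    // certificate can be flagged both "not yet valid" and "expiring soon".
    static EnumSet<Issue> classify(Date notBefore, Date notAfter, Date now) {
        EnumSet<Issue> issues = EnumSet.noneOf(Issue.class);
        if (now.before(notBefore)) {
            issues.add(Issue.NOT_YET_VALID);
        }
        // Expired and expiring-soon are mutually exclusive with each other.
        if (now.after(notAfter)) {
            issues.add(Issue.EXPIRED);
        } else if (notAfter.getTime() - now.getTime() < SIX_MONTHS_MS) {
            issues.add(Issue.EXPIRING_SOON);
        }
        return issues;
    }

    // Convenience overload for a parsed signer certificate.
    static EnumSet<Issue> classify(X509Certificate cert, Date now) {
        return classify(cert.getNotBefore(), cert.getNotAfter(), now);
    }

    public static void main(String[] args) {
        long day = 24L * 60 * 60 * 1000;
        Date now = new Date();
        Date yesterday = new Date(now.getTime() - day);
        Date tomorrow = new Date(now.getTime() + day);
        Date nextMonth = new Date(now.getTime() + 30 * day);
        Date nextYear = new Date(now.getTime() + 365 * day);
        Date twoYears = new Date(now.getTime() + 730 * day);

        // Constructed validity windows, not taken from real certificates.
        System.out.println(classify(tomorrow, nextMonth, now));  // future start, short-lived
        System.out.println(classify(tomorrow, twoYears, now));   // future start, long-lived
        System.out.println(classify(yesterday, nextMonth, now)); // already valid, near expiry
        System.out.println(classify(yesterday, nextYear, now));  // already valid, long-lived
    }
}
```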