[rfc][icedtea-web] Trusted-only manifest attribute

Jiri Vanek jvanek at redhat.com
Thu Mar 20 16:23:10 UTC 2014

On 03/20/2014 04:33 PM, Andrew Azores wrote:
> Hi,
> This implements the Trusted-only manifest attribute [0]. It's quite a simple check compared to some of the other new ones. A test case is included that verifies that specifying the attribute in the manifest, for a signed applet, without specifying the applet security in the applet HTML tag, is not allowed. More test cases will come later on.
> [0] http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#trusted_only

Thanx for prompt work!

Few nits:

+ ...  file.getManifestsAttributes().getAttribute(JNLPFile.ManifestsAttributes.TRUSTED_ONLY);

You do not need to bother with this. There is method for you in file.getManifestsAttributes() which returns  ManifestBoolean (TRUE, FALSE, UNDEFINED) for you.

It will affect also

+        if (!trustedOnly.equalsIgnoreCase("true")) {
+            OutputController.getLogger().log(OutputController.Level.WARNING_ALL, "Trusted Only manifest attribute is not recognized. Continuing anyway.");
+            return;
+        }

Instead of this your code will recieve IllegalArgumentException, And I 'm in favour to let it be thrown.

Instead of MESSAGE_ALL please go on with MESSAGE_DEBUG for those two messages

+        if (!(isFullySigned && SecurityDesc.ALL_PERMISSIONS.equals(desc))) {
+            OutputController.getLogger().log(OutputController.Level.ERROR_ALL,
+                    "Trusted Only manifest attribute is \"true\". Applet is fully signed? " + isFullySigned
+                            + ". Applet is requesting permission level: " + securityType + ". This is fatal.");
+            throw new LaunchException(Translator.R("STrustedOnlyAttributeFailure", Boolean.toString(isFullySigned), securityType));
+        }

I would like to have the
OutputController.getLogger().log(OutputController.Level.ERROR_ALL, as MESSAFE_DEBUG and *before* the if itself.

Also the essafe is bit wierd :)

"Trusted Only manifest attribute is " + trustedOnly +  ". Applet's signing is " + signing + ". Applet is requesting permission level: " + securityType + ".");

Or similar.. moreover everything iexcept the "Applet is fully signed?" :)

Also the LaunchException itself -  Ithink the Boolean.toString(isFullySigned)  nor securityType is necessary. All is known in this state.
So just throw exception with explanation without variables (thay may be in only one state or not? isFullySigned==true and desc!=SecurityDesc.ALL_PERMISSIONS) )

Also maybe different value for null and for "rest" in case of securityType string.

The reproducer is missing javaws parts and is missing correct case. Minimalistical  reproducer should be
- applet signed  trusted-only=false
- applet signed  trusted-only=true
- applet signed  trusted-only=illegal
- applet mixed signatures  trusted-only=false
- applet mixed signatures  trusted-only=false
- applet mixed signatures  trusted-only=illegal
- applet not signed  trusted-only=false
- applet not signed  trusted-only=true
- applet not signed  trusted-only=illegal
- javaws  signed  trusted-only=false
- javaws  signed  trusted-only=true
- javaws  signed  trusted-only=illegal
- javaws  not signed  trusted-only=false
- javaws  not signed  trusted-only=true
- javaws  not signed  trusted-only=illegal

However it is to much work. In long-term it would be nice to have them. For now, just extends your:
applet not signed  trusted-only=true
javaws not signed  trusted-only=true

Also youu do not need custom reproducer for this!  Unsigned applet with manifest is classical simple reproducer :)


More information about the distro-pkg-dev mailing list