authorSaad Mohammad <[email protected]>2012-08-01 16:50:17 -0400
committerSaad Mohammad <[email protected]>2012-08-01 16:50:17 -0400
commitcbaa7e330838b4b1d14dba1fe9784425a4cd4b82 (patch)
treeb098c85c5872b7c2f219399fa630dcb098974caa /netx/net/sourceforge/jnlp
parentde708f50feee964a473f337219498cde4b1a2904 (diff)
Fix PR1049: Empty jars are handled correctly during signature validation
Diffstat (limited to 'netx/net/sourceforge/jnlp')
-rw-r--r--netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java2
-rw-r--r--netx/net/sourceforge/jnlp/tools/JarCertVerifier.java15
2 files changed, 16 insertions, 1 deletions
diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
index 86eda20..c0c3762 100644
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
@@ -650,7 +650,7 @@ public class JNLPClassLoader extends URLClassLoader {
file.setSignedJNLPAsMissing();
//user does not trust this publisher
- if (!jcv.getAlreadyTrustPublisher()) {
+ if (!jcv.getAlreadyTrustPublisher() && !jcv.isTriviallySigned()) {
checkTrustWithUser(jcv);
} else {
/**
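Review bot: The added `!jcv.isTriviallySigned()` term skips `checkTrustWithUser(jcv)` without any certificate having been accepted, so the call site should say why that is safe; the existing comment `//user does not trust this publisher` no longer describes the whole condition. I would add a comment above the `if` such as `// No prompt for jars that hold only META-INF/*: there are no signable entries and no signer to show`. It is also worth confirming that nothing read from the META-INF of such a jar (manifest attributes, for instance) influences what the `else` branch grants, since that content is accepted here with no signer and no prompt. The `else` block continues outside the hunk.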
diff --git a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
index 4e9757d..e9ba2fb 100644
--- a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
+++ b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
@@ -103,6 +103,16 @@ public class JarCertVerifier implements CertVerifier {
private int totalSignableEntries = 0;
+ /** Whether a signable entry was found within jars (jars with content more than just META-INF/*) */
+ private boolean triviallySigned = false;
+
+ /**
+ * Return true if there are signable entries in the jars, otherwise false
+ */
+ public boolean isTriviallySigned() {
+ return triviallySigned;
+ }
+
/* (non-Javadoc)
* @see net.sourceforge.jnlp.tools.CertVerifier2#getAlreadyTrustPublisher()
*/
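Review bot: Both new comments state the opposite of what the flag holds. The field comment and the Javadoc on `isTriviallySigned()` say it is true when signable entries were found, but the only non-reset assignment in this commit is `totalSignableEntries <= 0 && certs.size() <= 0`, i.e. true when no signable entry and no certificate was seen. JNLPClassLoader uses this getter to decide whether to skip the trust prompt, so an inverted description invites a wrong fix later. Suggested wording: `/** True when the verified jars contain no signable entries (nothing beyond META-INF/*) and no certificates. */` on the field, and `@return true if the jars had no signable entries and no signers, otherwise false` on the getter.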
@@ -167,6 +177,9 @@ public class JarCertVerifier implements CertVerifier {
*/
public boolean isFullySignedByASingleCert() {
+ if (triviallySigned)
+ return true;
+
for (CertPath cPath : certs.keySet()) {
// If this cert has signed everything, return true
if (certs.get(cPath) == totalSignableEntries)
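Review bot: With the early `return true`, `isFullySignedByASingleCert()` now reports success even though `certs` is empty, which the method name does not suggest; its Javadoc closes just above and its text is outside the hunk. Callers that go on to pick a signing certificate after a true result need to cope with there being none. I cannot see those callers from here, so please check them. The Javadoc should gain a sentence such as `Also returns true when the jars are trivially signed, i.e. contain no signable entries.`, and the new `if` would be safer with braces: `if (triviallySigned) { return true; }`. The loop continues outside the hunk.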
@@ -197,6 +210,7 @@ public class JarCertVerifier implements CertVerifier {
String localFile = jarFile.getAbsolutePath();
verifyResult result = verifyJar(localFile);
+ triviallySigned = false;
if (result == verifyResult.UNSIGNED) {
unverifiedJars.add(localFile);
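Review bot: `triviallySigned` is reset to false for each jar here and assigned only in the `SIGNED_OK` branch of the next hunk, so its final value is whatever the last jar processed leaves behind. Whether an earlier `UNSIGNED` jar can still end with the flag true depends on whether `verifyJar()` counts that jar's entries in `totalSignableEntries`, which is not visible in this diff. Because the flag now short-circuits both `isFullySignedByASingleCert()` and the trust prompt in JNLPClassLoader, I would compute it once after all jars are verified and require that none was unverified, e.g. `triviallySigned = unverifiedJars.isEmpty() && totalSignableEntries == 0 && certs.isEmpty();`. The enclosing loop and try block start and end outside these hunks.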
@@ -205,6 +219,7 @@ public class JarCertVerifier implements CertVerifier {
verifiedJars.add(localFile);
} else if (result == verifyResult.SIGNED_OK) {
verifiedJars.add(localFile);
+ triviallySigned = totalSignableEntries <= 0 && certs.size() <= 0;
}
} catch (Exception e) {
// We may catch exceptions from using verifyJar()