-rw-r--r--ChangeLog9
-rw-r--r--netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java6
-rw-r--r--netx/net/sourceforge/jnlp/tools/JarSigner.java2
3 files changed, 15 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 20f51eb..1dfb90b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2011-02-01 Omair Majid <[email protected]>
+
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+ (activateJars): Add the nested jar to ResourceTracker. Use
+ JarSigner.verifyJars instead of JarSigner.verifyJar.
+ * netx/net/sourceforge/jnlp/tools/JarSigner.java
+ (verifyJar): Make private to indicate nothing should be using this
+ directly.
+
2011-01-24 Deepak Bhole <[email protected]>
RH672262, CVE-2011-0025: IcedTea jarfile signature verification bypass
diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
index acadde0..30f1af2 100644
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
@@ -693,7 +693,11 @@ public class JNLPClassLoader extends URLClassLoader {
}
JarSigner signer = new JarSigner();
- signer.verifyJar(extractedJarLocation);
+ List<JARDesc> jars = new ArrayList<JARDesc>();
+ JARDesc jarDesc = new JARDesc(new File(extractedJarLocation).toURL(), null, null, false, false, false, false);
+ jars.add(jarDesc);
+ tracker.addResource(new File(extractedJarLocation).toURL(), null, null);
+ signer.verifyJars(jars, tracker);
if (signer.anyJarsSigned() && !signer.getAlreadyTrustPublisher()) {
checkTrustWithUser(signer);
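Review bot: `new File(extractedJarLocation).toURL()` is evaluated twice, once for the `JARDesc` and once for `tracker.addResource`, and `File.toURL()` is deprecated because it does not escape characters that are illegal in URLs. The extracted path is presumably derived from an entry name inside the downloaded jar, so a name containing a space or `#` could produce a URL that the tracker resolves differently from the file that was extracted (inferred; the lookup code is outside the hunk). Compute the URL once, `URL nestedJarUrl = new File(extractedJarLocation).toURI().toURL();`, and pass `nestedJarUrl` to both calls so that verification and tracking always refer to the same location. A short comment such as `// nested jar is verified via verifyJars, the only supported entry point; verifyJar is private` would record why the direct call was dropped. The enclosing `activateJars` body starts and ends outside the hunk.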
diff --git a/netx/net/sourceforge/jnlp/tools/JarSigner.java b/netx/net/sourceforge/jnlp/tools/JarSigner.java
index 4e246f7..14ca069 100644
--- a/netx/net/sourceforge/jnlp/tools/JarSigner.java
+++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java
@@ -232,7 +232,7 @@ public class JarSigner implements CertVerifier {
}
- public verifyResult verifyJar(String jarName) throws Exception {
+ private verifyResult verifyJar(String jarName) throws Exception {
boolean anySigned = false;
boolean hasUnsignedEntry = false;
JarFile jarFile = null;