[SCM] eclipse - Powerful IDE written in java - Debian package. branch, master, updated. debian/3.5.2-7-1-g1d29970

Niels Thykier nthykier-guest at alioth.debian.org
Fri Oct 15 06:27:51 UTC 2010


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "eclipse - Powerful IDE written in java - Debian package.".

The branch, master has been updated
       via  1d299700e6224429722ebab2d551cde2050a7523 (commit)
      from  cd8f8acdf627f129b2bd0ee58f620c0884162d6b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1d299700e6224429722ebab2d551cde2050a7523
Author: Niels Thykier <niels at thykier.net>
Date:   Fri Oct 15 08:25:36 2010 +0200

    Imported debdiffs from TJ and Didier Roche.
    [ TJ ] Backported fix for finding root CA in keystore rather than from JAR.
    [ Didier Roche ] no appmenu for eclipse (thanks bratsche)
    
    LP: #655833
    LP: #613119

-----------------------------------------------------------------------

Summary of changes:
 debian/changelog                                   |   15 ++++
 debian/extra/eclipse                               |    3 +
 debian/patches/bp-osgi-ignore-root-CA.patch        |   73 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 .../service/security/KeyStoreTrustEngine.java      |   37 ++++++----
 5 files changed, 115 insertions(+), 14 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 331ea47..a921738 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+eclipse (3.5.2-8) UNRELEASED; urgency=low
+
+  [ Niels Thykier ]
+  * Imported debdiffs from TJ and Didier Roche (see below).
+
+  [ TJ ]
+  * Backported fix for finding root CA in keystore rather than from
+    JAR. (LP: #655833)
+
+  [ Didier Roche ]
+  * debian/extra/eclipse:
+    - no appmenu for eclipse (thanks bratsche) (LP: #613119)
+
+ -- Niels Thykier <niels at thykier.net>  Fri, 15 Oct 2010 08:16:30 +0200
+
 eclipse (3.5.2-7) unstable; urgency=low
 
   * Install the NEWS file in eclipse-platform instead of eclipse,
diff --git a/debian/extra/eclipse b/debian/extra/eclipse
index 9b20395..ea4fe29 100644
--- a/debian/extra/eclipse
+++ b/debian/extra/eclipse
@@ -5,6 +5,9 @@
 # https://bugs.launchpad.net/bugs/458703
 export GDK_NATIVE_WINDOWS=true
 
+# Eclipse doesn't work with Ubuntu appmenu
+export UBUNTU_MENUPROXY=0
+
 export MOZILLA_FIVE_HOME="@XULRUNNER_PATH@"
 
 ECLIPSE=/usr/lib/eclipse/eclipse
diff --git a/debian/patches/bp-osgi-ignore-root-CA.patch b/debian/patches/bp-osgi-ignore-root-CA.patch
new file mode 100644
index 0000000..d2069ac
--- /dev/null
+++ b/debian/patches/bp-osgi-ignore-root-CA.patch
@@ -0,0 +1,73 @@
+Description: Ignore root CA in signed jar, find in cacerts.
+Author: Thomas Watson <tjwatson at us.ibm.com>
+Bug: https://bugs.launchpad.net/ubuntu/+source/eclipse/+bug/655833
+Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=309059
+Applied-Upstream: yes
+
+--- a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
++++ b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
+@@ -101,27 +101,19 @@
+ 
+ 		try {
+ 			Certificate rootCert = null;
+-
+ 			KeyStore store = getKeyStore();
+ 			for (int i = 0; i < certChain.length; i++) {
+ 				if (certChain[i] instanceof X509Certificate) {
+-					if (i == certChain.length - 1) { //this is the last certificate in the chain
++					if (i == certChain.length - 1) {
++						// this is the last certificate in the chain
++						// determine if we have a valid root
+ 						X509Certificate cert = (X509Certificate) certChain[i];
+ 						if (cert.getSubjectDN().equals(cert.getIssuerDN())) {
+-							certChain[i].verify(certChain[i].getPublicKey());
+-							rootCert = certChain[i]; // this is a self-signed certificate
++							cert.verify(cert.getPublicKey());
++							rootCert = cert; // this is a self-signed certificate
+ 						} else {
+ 							// try to find a parent, we have an incomplete chain
+-							synchronized (store) {
+-								for (Enumeration e = store.aliases(); e.hasMoreElements();) {
+-									Certificate nextCert = store.getCertificate((String) e.nextElement());
+-									if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
+-										cert.verify(nextCert.getPublicKey());
+-										rootCert = nextCert;
+-										break;
+-									}
+-								}
+-							}
++							return findAlternativeRoot(cert, store);
+ 						}
+ 					} else {
+ 						X509Certificate nextX509Cert = (X509Certificate) certChain[i + 1];
+@@ -138,6 +130,10 @@
+ 						if (alias != null)
+ 							return store.getCertificate(alias);
+ 					}
++					// if we have reached the end and the last cert is not found to be a valid root CA
++					// then we need to back off the root CA and try to find an alternative
++					if (certChain.length > 1 && i == certChain.length - 1 && certChain[i - 1] instanceof X509Certificate)
++						return findAlternativeRoot((X509Certificate) certChain[i - 1], store);
+ 				}
+ 			}
+ 		} catch (KeyStoreException e) {
+@@ -149,6 +145,19 @@
+ 		return null;
+ 	}
+ 
++	private Certificate findAlternativeRoot(X509Certificate cert, KeyStore store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, CertificateException {
++		synchronized (store) {
++			for (Enumeration e = store.aliases(); e.hasMoreElements();) {
++				Certificate nextCert = store.getCertificate((String) e.nextElement());
++				if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
++					cert.verify(nextCert.getPublicKey());
++					return nextCert;
++				}
++			}
++			return null;
++		}
++	}
++
+ 	protected String doAddTrustAnchor(Certificate cert, String alias) throws IOException, GeneralSecurityException {
+ 		if (isReadOnly())
+ 			throw new IOException(SignedContentMessages.Default_Trust_Read_Only);
diff --git a/debian/patches/series b/debian/patches/series
index 7a10dc6..34831f5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ build-arch.patch
 sat4j-version.patch
 add-o.e.equinox.concurrent.patch
 pdebuild-workspace.patch
+bp-osgi-ignore-root-CA.patch
diff --git a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
index cd3ca9e..96cd4f6 100644
--- a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
+++ b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
@@ -101,27 +101,19 @@ public class KeyStoreTrustEngine extends TrustEngine {
 
 		try {
 			Certificate rootCert = null;
-
 			KeyStore store = getKeyStore();
 			for (int i = 0; i < certChain.length; i++) {
 				if (certChain[i] instanceof X509Certificate) {
-					if (i == certChain.length - 1) { //this is the last certificate in the chain
+					if (i == certChain.length - 1) {
+						// this is the last certificate in the chain
+						// determine if we have a valid root
 						X509Certificate cert = (X509Certificate) certChain[i];
 						if (cert.getSubjectDN().equals(cert.getIssuerDN())) {
-							certChain[i].verify(certChain[i].getPublicKey());
-							rootCert = certChain[i]; // this is a self-signed certificate
+							cert.verify(cert.getPublicKey());
+							rootCert = cert; // this is a self-signed certificate
 						} else {
 							// try to find a parent, we have an incomplete chain
-							synchronized (store) {
-								for (Enumeration e = store.aliases(); e.hasMoreElements();) {
-									Certificate nextCert = store.getCertificate((String) e.nextElement());
-									if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
-										cert.verify(nextCert.getPublicKey());
-										rootCert = nextCert;
-										break;
-									}
-								}
-							}
+							return findAlternativeRoot(cert, store);
 						}
 					} else {
 						X509Certificate nextX509Cert = (X509Certificate) certChain[i + 1];
@@ -138,6 +130,10 @@ public class KeyStoreTrustEngine extends TrustEngine {
 						if (alias != null)
 							return store.getCertificate(alias);
 					}
+					// if we have reached the end and the last cert is not found to be a valid root CA
+					// then we need to back off the root CA and try to find an alternative
+					if (certChain.length > 1 && i == certChain.length - 1 && certChain[i - 1] instanceof X509Certificate)
+						return findAlternativeRoot((X509Certificate) certChain[i - 1], store);
 				}
 			}
 		} catch (KeyStoreException e) {
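Review bot: The added back-off at `if (certChain.length > 1 && i == certChain.length - 1 && certChain[i - 1] instanceof X509Certificate)` never tests that the chain's own root was rejected. It only holds because execution fell through the `return store.getCertificate(alias)` just above, and because the non-self-signed branch has already returned, and neither dependency is stated. A comment such as `// reached only when the self-signed root shipped in the JAR is not in the key store; the JAR's root is ignored and trust is decided by the store alone` would make the security intent explicit. Exceptions from `findAlternativeRoot` propagate from here to catch clauses that are mostly outside this hunk, so confirm they treat a failed lookup as "untrusted" rather than as a hard error. The enclosing method starts and ends outside the hunk.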
@@ -149,6 +145,19 @@ public class KeyStoreTrustEngine extends TrustEngine {
 		return null;
 	}
 
+	private Certificate findAlternativeRoot(X509Certificate cert, KeyStore store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, CertificateException {
+		synchronized (store) {
+			for (Enumeration e = store.aliases(); e.hasMoreElements();) {
+				Certificate nextCert = store.getCertificate((String) e.nextElement());
+				if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
+					cert.verify(nextCert.getPublicKey());
+					return nextCert;
+				}
+			}
+			return null;
+		}
+	}
+
 	protected String doAddTrustAnchor(Certificate cert, String alias) throws IOException, GeneralSecurityException {
 		if (isReadOnly())
 			throw new IOException(SignedContentMessages.Default_Trust_Read_Only);
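Review bot: In `findAlternativeRoot`, `cert.verify(nextCert.getPublicKey())` throws on the first key-store entry whose subject DN matches but whose key did not sign `cert`, so the search aborts instead of trying later aliases. A store that holds two certificates with the same subject DN (for example a CA re-issued with a new key) can then make a valid chain look untrusted, depending on alias order. Catching `SignatureException` and `InvalidKeyException` per candidate and continuing the loop fixes this while still returning only an anchor whose key verifies `cert`. The loop also never calls `checkValidity()` on the candidate, so an expired store entry would be accepted as the anchor unless dates are checked elsewhere. The same method is carried verbatim in debian/patches/bp-osgi-ignore-root-CA.patch.

```java
// … unchanged: findAlternativeRoot signature and synchronized (store) { …
for (Enumeration e = store.aliases(); e.hasMoreElements();) {
	Certificate nextCert = store.getCertificate((String) e.nextElement());
	if (!(nextCert instanceof X509Certificate) || !((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN()))
		continue;
	try {
		cert.verify(nextCert.getPublicKey());
		return nextCert;
	} catch (SignatureException ex) {
		// same subject DN but a different key: keep looking
	} catch (InvalidKeyException ex) {
		// key type does not fit the signature algorithm: keep looking
	}
}
// … unchanged: return null; …
```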


hooks/post-receive
-- 
eclipse - Powerful IDE written in java - Debian package.


