[SCM] eclipse - Powerful IDE written in java - Debian package. branch, lucid, updated. 6825b436e148d1071f0b779f086d41109e95b499
Benjamin Drung
bdrung-guest at alioth.debian.org
Tue Oct 19 23:07:17 UTC 2010
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "eclipse - Powerful IDE written in java - Debian package.".
The branch, lucid has been updated
via 6825b436e148d1071f0b779f086d41109e95b499 (commit)
via 04836a0e0ddc4842d17e9d2efcb3c667f37229fd (commit)
from c83804cd06d9cdf403b487821b0c141cb2a76459 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 6825b436e148d1071f0b779f086d41109e95b499
Author: Benjamin Drung <bdrung at ubuntu.com>
Date: Wed Oct 20 01:03:32 2010 +0200
Backported fix for finding root CA in keystore rather than from JAR. (LP: #655833)
commit 04836a0e0ddc4842d17e9d2efcb3c667f37229fd
Author: Benjamin Drung <bdrung at ubuntu.com>
Date: Wed Oct 20 01:03:18 2010 +0200
Add git-buildpackage configuration.
-----------------------------------------------------------------------
Summary of changes:
debian/changelog | 7 ++
debian/gbp.conf | 6 ++
debian/patches/bp-osgi-ignore-root-CA.patch | 77 ++++++++++++++++++++
debian/patches/series | 1 +
.../service/security/KeyStoreTrustEngine.java | 37 ++++++----
5 files changed, 114 insertions(+), 14 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index dcc123c..9a212f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+eclipse (3.5.2-2ubuntu4.3) lucid-proposed; urgency=low
+
+ * Backported fix for finding root CA in keystore rather than from JAR.
+ (LP: #655833)
+
+ -- Thomas Watson <ubuntu at tjworld.net> Wed, 20 Oct 2010 00:58:03 +0200
+
eclipse (3.5.2-2ubuntu4.2) lucid-proposed; urgency=low
* Backported fix for poor tooltip colors with certain themes. (LP: #540332)
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..50c0367
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,6 @@
+[DEFAULT]
+compression = bzip2
+debian-branch = lucid
+
+[git-dch]
+meta = True
diff --git a/debian/patches/bp-osgi-ignore-root-CA.patch b/debian/patches/bp-osgi-ignore-root-CA.patch
new file mode 100644
index 0000000..ec0d4e0
--- /dev/null
+++ b/debian/patches/bp-osgi-ignore-root-CA.patch
@@ -0,0 +1,77 @@
+Description: If the root CA in a signed jar is invalid, check the cacerts
+ for an alternative/newer root CA.
+ .
+ This fixes the issue where signed jars has root CAs using MD2withRSA or
+ other weak signatures that are now automatically rejected by e.g. OpenJDK.
+Author: Thomas Watson <tjwatson at us.ibm.com>
+Bug-Ubuntu: https://launchpad.net/bugs/655833
+Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=309059
+Applied-Upstream: yes
+
+--- a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
++++ b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
+@@ -101,27 +101,19 @@
+
+ try {
+ Certificate rootCert = null;
+-
+ KeyStore store = getKeyStore();
+ for (int i = 0; i < certChain.length; i++) {
+ if (certChain[i] instanceof X509Certificate) {
+- if (i == certChain.length - 1) { //this is the last certificate in the chain
++ if (i == certChain.length - 1) {
++ // this is the last certificate in the chain
++ // determine if we have a valid root
+ X509Certificate cert = (X509Certificate) certChain[i];
+ if (cert.getSubjectDN().equals(cert.getIssuerDN())) {
+- certChain[i].verify(certChain[i].getPublicKey());
+- rootCert = certChain[i]; // this is a self-signed certificate
++ cert.verify(cert.getPublicKey());
++ rootCert = cert; // this is a self-signed certificate
+ } else {
+ // try to find a parent, we have an incomplete chain
+- synchronized (store) {
+- for (Enumeration e = store.aliases(); e.hasMoreElements();) {
+- Certificate nextCert = store.getCertificate((String) e.nextElement());
+- if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
+- cert.verify(nextCert.getPublicKey());
+- rootCert = nextCert;
+- break;
+- }
+- }
+- }
++ return findAlternativeRoot(cert, store);
+ }
+ } else {
+ X509Certificate nextX509Cert = (X509Certificate) certChain[i + 1];
+@@ -138,6 +130,10 @@
+ if (alias != null)
+ return store.getCertificate(alias);
+ }
++ // if we have reached the end and the last cert is not found to be a valid root CA
++ // then we need to back off the root CA and try to find an alternative
++ if (certChain.length > 1 && i == certChain.length - 1 && certChain[i - 1] instanceof X509Certificate)
++ return findAlternativeRoot((X509Certificate) certChain[i - 1], store);
+ }
+ }
+ } catch (KeyStoreException e) {
+@@ -149,6 +145,19 @@
+ return null;
+ }
+
++ private Certificate findAlternativeRoot(X509Certificate cert, KeyStore store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, CertificateException {
++ synchronized (store) {
++ for (Enumeration e = store.aliases(); e.hasMoreElements();) {
++ Certificate nextCert = store.getCertificate((String) e.nextElement());
++ if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
++ cert.verify(nextCert.getPublicKey());
++ return nextCert;
++ }
++ }
++ return null;
++ }
++ }
++
+ protected String doAddTrustAnchor(Certificate cert, String alias) throws IOException, GeneralSecurityException {
+ if (isReadOnly())
+ throw new IOException(SignedContentMessages.Default_Trust_Read_Only);
diff --git a/debian/patches/series b/debian/patches/series
index a9df4b5..005bc7b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ ecj-gccmain-java.patch
fix-help-contents.patch
fix-tooltip-color.patch
bp-hover-visability.patch
+bp-osgi-ignore-root-CA.patch
diff --git a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
index cd3ca9e..96cd4f6 100644
--- a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
+++ b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
@@ -101,27 +101,19 @@ public class KeyStoreTrustEngine extends TrustEngine {
try {
Certificate rootCert = null;
-
KeyStore store = getKeyStore();
for (int i = 0; i < certChain.length; i++) {
if (certChain[i] instanceof X509Certificate) {
- if (i == certChain.length - 1) { //this is the last certificate in the chain
+ if (i == certChain.length - 1) {
+ // this is the last certificate in the chain
+ // determine if we have a valid root
X509Certificate cert = (X509Certificate) certChain[i];
if (cert.getSubjectDN().equals(cert.getIssuerDN())) {
- certChain[i].verify(certChain[i].getPublicKey());
- rootCert = certChain[i]; // this is a self-signed certificate
+ cert.verify(cert.getPublicKey());
+ rootCert = cert; // this is a self-signed certificate
} else {
// try to find a parent, we have an incomplete chain
- synchronized (store) {
- for (Enumeration e = store.aliases(); e.hasMoreElements();) {
- Certificate nextCert = store.getCertificate((String) e.nextElement());
- if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
- cert.verify(nextCert.getPublicKey());
- rootCert = nextCert;
- break;
- }
- }
- }
+ return findAlternativeRoot(cert, store);
}
} else {
X509Certificate nextX509Cert = (X509Certificate) certChain[i + 1];
@@ -138,6 +130,10 @@ public class KeyStoreTrustEngine extends TrustEngine {
if (alias != null)
return store.getCertificate(alias);
}
+ // if we have reached the end and the last cert is not found to be a valid root CA
+ // then we need to back off the root CA and try to find an alternative
+ if (certChain.length > 1 && i == certChain.length - 1 && certChain[i - 1] instanceof X509Certificate)
+ return findAlternativeRoot((X509Certificate) certChain[i - 1], store);
}
}
} catch (KeyStoreException e) {
@@ -149,6 +145,19 @@ public class KeyStoreTrustEngine extends TrustEngine {
return null;
}
+ private Certificate findAlternativeRoot(X509Certificate cert, KeyStore store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, CertificateException {
+ synchronized (store) {
+ for (Enumeration e = store.aliases(); e.hasMoreElements();) {
+ Certificate nextCert = store.getCertificate((String) e.nextElement());
+ if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
+ cert.verify(nextCert.getPublicKey());
+ return nextCert;
+ }
+ }
+ return null;
+ }
+ }
+
protected String doAddTrustAnchor(Certificate cert, String alias) throws IOException, GeneralSecurityException {
if (isReadOnly())
throw new IOException(SignedContentMessages.Default_Trust_Read_Only);
hooks/post-receive
--
eclipse - Powerful IDE written in java - Debian package.
More information about the pkg-java-commits
mailing list