The branch, master has been updated via 1d299700e6224429722ebab2d551cde2050a7523 (commit) from cd8f8acdf627f129b2bd0ee58f620c0884162d6b (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 1d299700e6224429722ebab2d551cde2050a7523 Author: Niels Thykier <ni...@thykier.net> Date: Fri Oct 15 08:25:36 2010 +0200 Imported debdiffs from TJ and Didier Roche. [ TJ ] Backported fix for finding root CA in keystore rather than from JAR. [ Didier Roche ] no appmenu for eclipse (thanks bratsche) LP: #655833 LP: #613119 ----------------------------------------------------------------------- Summary of changes: debian/changelog | 15 ++++ debian/extra/eclipse | 3 + debian/patches/bp-osgi-ignore-root-CA.patch | 73 ++++++++++++++++++++ debian/patches/series | 1 + .../service/security/KeyStoreTrustEngine.java | 37 ++++++---- 5 files changed, 115 insertions(+), 14 deletions(-) diff --git a/debian/changelog b/debian/changelog index 331ea47..a921738 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +eclipse (3.5.2-8) UNRELEASED; urgency=low + + [ Niels Thykier ] + * Imported debdiffs from TJ and Didier Roche (see below). + + [ TJ ] + * Backported fix for finding root CA in keystore rather than from + JAR. (LP: #655833) + + [ Didier Roche ] + * debian/extra/eclipse: + - no appmenu for eclipse (thanks bratsche) (LP: #613119) + + -- Niels Thykier <ni...@thykier.net> Fri, 15 Oct 2010 08:16:30 +0200 + eclipse (3.5.2-7) unstable; urgency=low * Install the NEWS file in eclipse-platform instead of eclipse, diff --git a/debian/extra/eclipse b/debian/extra/eclipse index 9b20395..ea4fe29 100644 --- a/debian/extra/eclipse +++ b/debian/extra/eclipse 
@@ -5,6 +5,9 @@ # https://bugs.launchpad.net/bugs/458703 export GDK_NATIVE_WINDOWS=true +# Eclipse doesn't work with Ubuntu appmenu +export UBUNTU_MENUPROXY=0 + export MOZILLA_FIVE_HOME="@XULRUNNER_PATH@" ECLIPSE=/usr/lib/eclipse/eclipse diff --git a/debian/patches/bp-osgi-ignore-root-CA.patch b/debian/patches/bp-osgi-ignore-root-CA.patch new file mode 100644 index 0000000..d2069ac --- /dev/null +++ b/debian/patches/bp-osgi-ignore-root-CA.patch 
@@ -0,0 +1,73 @@ +Description: Ignore root CA in signed jar, find in cacerts. +Author: Thomas Watson <tjwat...@us.ibm.com> +Bug: https://bugs.launchpad.net/ubuntu/+source/eclipse/+bug/655833 +Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=309059 +Applied-Upstream: yes + +--- a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java ++++ b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java +@@ -101,27 +101,19 @@ + + try { + Certificate rootCert = null; +- + KeyStore store = getKeyStore(); + for (int i = 0; i < certChain.length; i++) { + if (certChain[i] instanceof X509Certificate) { +- if (i == certChain.length - 1) { //this is the last certificate in the chain ++ if (i == certChain.length - 1) { ++ // this is the last certificate in the chain ++ // determine if we have a valid root + X509Certificate cert = (X509Certificate) certChain[i]; + if (cert.getSubjectDN().equals(cert.getIssuerDN())) { +- certChain[i].verify(certChain[i].getPublicKey()); +- rootCert = certChain[i]; // this is a self-signed certificate ++ cert.verify(cert.getPublicKey()); ++ rootCert = cert; // this is a self-signed certificate + } else { + // try to find a parent, we have an incomplete chain +- synchronized (store) { +- for (Enumeration e = store.aliases(); e.hasMoreElements();) { +- Certificate nextCert = store.getCertificate((String) e.nextElement()); +- if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) { +- cert.verify(nextCert.getPublicKey()); +- rootCert = nextCert; +- break; +- } +- } +- } ++ return findAlternativeRoot(cert, store); + } + } else { + X509Certificate nextX509Cert = (X509Certificate) certChain[i + 1]; +@@ -138,6 +130,10 @@ + if (alias != null) + return store.getCertificate(alias); + } ++ // if we have reached the end and the last cert is not found to be a valid root CA ++ // then we 
need to back off the root CA and try to find an alternative ++ if (certChain.length > 1 && i == certChain.length - 1 && certChain[i - 1] instanceof X509Certificate) ++ return findAlternativeRoot((X509Certificate) certChain[i - 1], store); + } + } + } catch (KeyStoreException e) { +@@ -149,6 +145,19 @@ + return null; + } + ++ private Certificate findAlternativeRoot(X509Certificate cert, KeyStore store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, CertificateException { ++ synchronized (store) { ++ for (Enumeration e = store.aliases(); e.hasMoreElements();) { ++ Certificate nextCert = store.getCertificate((String) e.nextElement()); ++ if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) { ++ cert.verify(nextCert.getPublicKey()); ++ return nextCert; ++ } ++ } ++ return null; ++ } ++ } ++ + protected String doAddTrustAnchor(Certificate cert, String alias) throws IOException, GeneralSecurityException { + if (isReadOnly()) + throw new IOException(SignedContentMessages.Default_Trust_Read_Only); diff --git a/debian/patches/series b/debian/patches/series index 7a10dc6..34831f5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -22,3 +22,4 @@ build-arch.patch sat4j-version.patch add-o.e.equinox.concurrent.patch pdebuild-workspace.patch +bp-osgi-ignore-root-CA.patch diff --git a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java index cd3ca9e..96cd4f6 100644 --- a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java +++ b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java 
@@ -101,27 +101,19 @@ public class KeyStoreTrustEngine extends TrustEngine { try { Certificate rootCert = null; - KeyStore store = getKeyStore(); for (int i = 0; i < certChain.length; i++) { if (certChain[i] instanceof X509Certificate) { - if (i == certChain.length - 1) { //this is the last certificate in the chain + if (i == certChain.length - 1) { + // this is the last certificate in the chain + // determine if we have a valid root X509Certificate cert = (X509Certificate) certChain[i]; if (cert.getSubjectDN().equals(cert.getIssuerDN())) { - certChain[i].verify(certChain[i].getPublicKey()); - rootCert = certChain[i]; // this is a self-signed certificate + cert.verify(cert.getPublicKey()); + rootCert = cert; // this is a self-signed certificate } else { // try to find a parent, we have an incomplete chain - synchronized (store) { - for (Enumeration e = store.aliases(); e.hasMoreElements();) { - Certificate nextCert = store.getCertificate((String) e.nextElement()); - if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) { - cert.verify(nextCert.getPublicKey()); - rootCert = nextCert; - break; - } - } - } + return findAlternativeRoot(cert, store); } } else { X509Certificate nextX509Cert = (X509Certificate) certChain[i + 1]; @@ -138,6 +130,10 @@ public class KeyStoreTrustEngine extends TrustEngine { if (alias != null) return store.getCertificate(alias); } + // if we have reached the end and the last cert is not found to be a valid root CA + // then we need to back off the root CA and try to find an alternative + if (certChain.length > 1 && i == certChain.length - 1 && certChain[i - 1] instanceof X509Certificate) + return findAlternativeRoot((X509Certificate) certChain[i - 1], store); } } } catch (KeyStoreException e) { 
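Review bot: The back-off added in the second hunk does not state the trust rule it relies on, so a reader cannot tell from the two-line comment that the root shipped in the JAR is never accepted as the anchor. I would extend the comment, for example `// the chain's own root is not trusted; only a keystore certificate whose key verifies certChain[i - 1] is returned`. The call sits inside `synchronized (store)` while `findAlternativeRoot` takes the same monitor again, which is reentrant and harmless but deserves a word in that comment. In the first hunk `cert.verify(cert.getPublicKey())` runs before this point, so a chain whose embedded root fails its own self-signature check appears to leave the loop by exception and never reaches the back-off; if that is intended, the comment should say so. The enclosing method starts and ends outside both hunks.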
@@ -149,6 +145,19 @@ public class KeyStoreTrustEngine extends TrustEngine { return null; } + private Certificate findAlternativeRoot(X509Certificate cert, KeyStore store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, CertificateException { + synchronized (store) { + for (Enumeration e = store.aliases(); e.hasMoreElements();) { + Certificate nextCert = store.getCertificate((String) e.nextElement()); + if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) { + cert.verify(nextCert.getPublicKey()); + return nextCert; + } + } + return null; + } + } + protected String doAddTrustAnchor(Certificate cert, String alias) throws IOException, GeneralSecurityException { if (isReadOnly()) throw new IOException(SignedContentMessages.Default_Trust_Read_Only); hooks/post-receive -- eclipse - Powerful IDE written in java - Debian package. _______________________________________________ pkg-java-commits mailing list pkg-java-comm...@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-commits
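Review bot: `findAlternativeRoot` stops at the first keystore entry whose subject DN equals the issuer DN, so if `cert.verify(nextCert.getPublicKey())` throws for that entry the search ends and later entries with the same DN are never tried. A keystore can hold more than one certificate under one subject name (a re-issued or re-keyed CA), and then a valid anchor would be missed; the failure is on the safe side, since no anchor is returned, but it defeats the purpose of the fallback. I would catch the verification failure per candidate and continue, as sketched below, leaving the `throws` clause as it is. The method matches by name and signature only; whether the validity dates and CA constraints of the returned certificate are checked by the caller cannot be seen from this hunk and is worth confirming. The same lines are carried in debian/patches/bp-osgi-ignore-root-CA.patch, which would need the same change.

```java
// … unchanged: method signature, synchronized (store) and the aliases() loop header …
			Certificate nextCert = store.getCertificate((String) e.nextElement());
			if (!(nextCert instanceof X509Certificate) || !((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN()))
				continue;
			try {
				cert.verify(nextCert.getPublicKey());
				return nextCert;
			} catch (InvalidKeyException ex) {
				// candidate has the right name but an unusable key: try the next entry
			} catch (SignatureException ex) {
				// candidate has the right name but did not sign cert: try the next entry
			}
// … unchanged: return null after the loop …
```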