This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "eclipse - Powerful IDE written in java - Debian package.".
The branch, lucid has been updated
via 6825b436e148d1071f0b779f086d41109e95b499 (commit)
via 04836a0e0ddc4842d17e9d2efcb3c667f37229fd (commit)
from c83804cd06d9cdf403b487821b0c141cb2a76459 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 6825b436e148d1071f0b779f086d41109e95b499
Author: Benjamin Drung <bdr...@ubuntu.com>
Date: Wed Oct 20 01:03:32 2010 +0200
Backported fix for finding root CA in keystore rather than from JAR. (LP:
#655833)
commit 04836a0e0ddc4842d17e9d2efcb3c667f37229fd
Author: Benjamin Drung <bdr...@ubuntu.com>
Date: Wed Oct 20 01:03:18 2010 +0200
Add git-buildpackage configuration.
-----------------------------------------------------------------------
Summary of changes:
debian/changelog | 7 ++
debian/gbp.conf | 6 ++
debian/patches/bp-osgi-ignore-root-CA.patch | 77 ++++++++++++++++++++
debian/patches/series | 1 +
.../service/security/KeyStoreTrustEngine.java | 37 ++++++----
5 files changed, 114 insertions(+), 14 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index dcc123c..9a212f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+eclipse (3.5.2-2ubuntu4.3) lucid-proposed; urgency=low
+
+ * Backported fix for finding root CA in keystore rather than from JAR.
+ (LP: #655833)
+
+ -- Thomas Watson <ubu...@tjworld.net> Wed, 20 Oct 2010 00:58:03 +0200
+
eclipse (3.5.2-2ubuntu4.2) lucid-proposed; urgency=low
* Backported fix for poor tooltip colors with certain themes. (LP: #540332)
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..50c0367
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,6 @@
+[DEFAULT]
+compression = bzip2
+debian-branch = lucid
+
+[git-dch]
+meta = True
diff --git a/debian/patches/bp-osgi-ignore-root-CA.patch
b/debian/patches/bp-osgi-ignore-root-CA.patch
new file mode 100644
index 0000000..ec0d4e0
--- /dev/null
+++ b/debian/patches/bp-osgi-ignore-root-CA.patch
@@ -0,0 +1,77 @@
+Description: If the root CA in a signed jar is invalid, check the cacerts
+ for an alternative/newer root CA.
+ .
+ This fixes the issue where signed jars has root CAs using MD2withRSA or
+ other weak signatures that are now automatically rejected by e.g. OpenJDK.
+Author: Thomas Watson <tjwat...@us.ibm.com>
+Bug-Ubuntu: https://launchpad.net/bugs/655833
+Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=309059
+Applied-Upstream: yes
+
+---
a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
++++
b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
+@@ -101,27 +101,19 @@
+
+ try {
+ Certificate rootCert = null;
+-
+ KeyStore store = getKeyStore();
+ for (int i = 0; i < certChain.length; i++) {
+ if (certChain[i] instanceof X509Certificate) {
+- if (i == certChain.length - 1) { //this
is the last certificate in the chain
++ if (i == certChain.length - 1) {
++ // this is the last certificate
in the chain
++ // determine if we have a valid
root
+ X509Certificate cert =
(X509Certificate) certChain[i];
+ if
(cert.getSubjectDN().equals(cert.getIssuerDN())) {
+-
certChain[i].verify(certChain[i].getPublicKey());
+- rootCert =
certChain[i]; // this is a self-signed certificate
++
cert.verify(cert.getPublicKey());
++ rootCert = cert; //
this is a self-signed certificate
+ } else {
+ // try to find a
parent, we have an incomplete chain
+- synchronized (store) {
+- for
(Enumeration e = store.aliases(); e.hasMoreElements();) {
+-
Certificate nextCert = store.getCertificate((String) e.nextElement());
+- if
(nextCert instanceof X509Certificate && ((X509Certificate)
nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
+-
cert.verify(nextCert.getPublicKey());
+-
rootCert = nextCert;
+-
break;
+- }
+- }
+- }
++ return
findAlternativeRoot(cert, store);
+ }
+ } else {
+ X509Certificate nextX509Cert =
(X509Certificate) certChain[i + 1];
+@@ -138,6 +130,10 @@
+ if (alias != null)
+ return
store.getCertificate(alias);
+ }
++ // if we have reached the end and the
last cert is not found to be a valid root CA
++ // then we need to back off the root CA
and try to find an alternative
++ if (certChain.length > 1 && i ==
certChain.length - 1 && certChain[i - 1] instanceof X509Certificate)
++ return
findAlternativeRoot((X509Certificate) certChain[i - 1], store);
+ }
+ }
+ } catch (KeyStoreException e) {
+@@ -149,6 +145,19 @@
+ return null;
+ }
+
++ private Certificate findAlternativeRoot(X509Certificate cert, KeyStore
store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException,
NoSuchProviderException, SignatureException, CertificateException {
++ synchronized (store) {
++ for (Enumeration e = store.aliases();
e.hasMoreElements();) {
++ Certificate nextCert =
store.getCertificate((String) e.nextElement());
++ if (nextCert instanceof X509Certificate &&
((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
++ cert.verify(nextCert.getPublicKey());
++ return nextCert;
++ }
++ }
++ return null;
++ }
++ }
++
+ protected String doAddTrustAnchor(Certificate cert, String alias)
throws IOException, GeneralSecurityException {
+ if (isReadOnly())
+ throw new
IOException(SignedContentMessages.Default_Trust_Read_Only);
diff --git a/debian/patches/series b/debian/patches/series
index a9df4b5..005bc7b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ ecj-gccmain-java.patch
fix-help-contents.patch
fix-tooltip-color.patch
bp-hover-visability.patch
+bp-osgi-ignore-root-CA.patch
diff --git
a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
index cd3ca9e..96cd4f6 100644
---
a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
+++
b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
@@ -101,27 +101,19 @@ public class KeyStoreTrustEngine extends TrustEngine {
try {
Certificate rootCert = null;
-
KeyStore store = getKeyStore();
for (int i = 0; i < certChain.length; i++) {
if (certChain[i] instanceof X509Certificate) {
- if (i == certChain.length - 1) { //this
is the last certificate in the chain
+ if (i == certChain.length - 1) {
+ // this is the last certificate
in the chain
+ // determine if we have a valid
root
X509Certificate cert =
(X509Certificate) certChain[i];
if
(cert.getSubjectDN().equals(cert.getIssuerDN())) {
-
certChain[i].verify(certChain[i].getPublicKey());
- rootCert =
certChain[i]; // this is a self-signed certificate
+
cert.verify(cert.getPublicKey());
+ rootCert = cert; //
this is a self-signed certificate
} else {
// try to find a
parent, we have an incomplete chain
- synchronized (store) {
- for
(Enumeration e = store.aliases(); e.hasMoreElements();) {
-
Certificate nextCert = store.getCertificate((String) e.nextElement());
- if
(nextCert instanceof X509Certificate && ((X509Certificate)
nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
-
cert.verify(nextCert.getPublicKey());
-
rootCert = nextCert;
-
break;
- }
- }
- }
+ return
findAlternativeRoot(cert, store);
}
} else {
X509Certificate nextX509Cert =
(X509Certificate) certChain[i + 1];
@@ -138,6 +130,10 @@ public class KeyStoreTrustEngine extends TrustEngine {
if (alias != null)
return
store.getCertificate(alias);
}
+ // if we have reached the end and the
last cert is not found to be a valid root CA
+ // then we need to back off the root CA
and try to find an alternative
+ if (certChain.length > 1 && i ==
certChain.length - 1 && certChain[i - 1] instanceof X509Certificate)
+ return
findAlternativeRoot((X509Certificate) certChain[i - 1], store);
}
}
} catch (KeyStoreException e) {
@@ -149,6 +145,19 @@ public class KeyStoreTrustEngine extends TrustEngine {
return null;
}
+ private Certificate findAlternativeRoot(X509Certificate cert, KeyStore
store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException,
NoSuchProviderException, SignatureException, CertificateException {
+ synchronized (store) {
+ for (Enumeration e = store.aliases();
e.hasMoreElements();) {
+ Certificate nextCert =
store.getCertificate((String) e.nextElement());
+ if (nextCert instanceof X509Certificate &&
((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
+ cert.verify(nextCert.getPublicKey());
+ return nextCert;
+ }
+ }
+ return null;
+ }
+ }
+
protected String doAddTrustAnchor(Certificate cert, String alias)
throws IOException, GeneralSecurityException {
if (isReadOnly())
throw new
IOException(SignedContentMessages.Default_Trust_Read_Only);
hooks/post-receive
--
eclipse - Powerful IDE written in java - Debian package.
_______________________________________________
pkg-java-commits mailing list
pkg-java-comm...@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-commits
