On 2/10/06, Geir Magnusson Jr <[EMAIL PROTECTED]> wrote:
>
>
>
> Tim Ellison wrote:
> > George Harley wrote:
> > <snip>
> >> The post I want to refer to does not seem to be in the
> >> mailing list archive (!!??!)
> >
> > I don't remember you saying that (and I would have remembered such an
> > eloquent and considered post ;-) )
>
> I didn't get it either, and as George said, it's not in the archive.
>
> If anyone got it, can you let us know here (and once someone says they
> got it, everyone else stop telling us - we just need to know if anyone
> got it...)



I got it. I thought it was done intentionally: George sent it directly to me
only ... so it is not in the list.

Returning to the 'missing post': I agreed with the suggestion, but currently
we don't have a Harmony provider, so we should define how we locate 'trusted
providers' to be secure.

Thanks,
Stepan Mishura
Intel Middleware Products Division

> geir
>
> >
> > I still have mail that far back in my reader, and it looks like I didn't
> > get it either.  Maybe it never hit the list.
> >
> > p.s. +1 to the comment BTW
> >
> > Regards,
> > Tim
> >
> >> so let me copy the relevant text in-line
> >> here as I believe that what it says is important :
> >>
> >> --- snip from dev-list append of 1st Feb 2006 by
> >> [EMAIL PROTECTED] ---
> >>
> >> Just to clarify your clarification of the question of current Harmony
> >> behaviour ...
> >>
> >> (A) With the current Harmony build it looks like there is *no attempt*
> >> to verify the signature of a signed jar file that has been placed on the
> >> bootclasspath. I know this because I took a signed BC provider jar (as
> >> downloaded from http://www.bouncycastle.org), deliberately tampered with
> >> the .SF file in the META-INF folder by removing a few lines, then added
> >> the modified jar to the bootclasspath of a simple program that listed
> >> the algorithms supported by the BC provider. Everything worked fine.
> >>
> >> (B) With the current Harmony build it looks like an attempt is made at
> >> verifying the signature of a signed jar in the jre/lib/ext directory.
> >> The attempt fails because it involves trying to use functionality
> >> exported by the jar currently being verified and so opens up a whole
> >> problem with cycles.
> >> To my mind, (B) is a definite bug that would be fixed by having a
> >> default Harmony provider. The result of my little bit of playing with
> >> (A) just reinforces the argument that relying on the bootclasspath to
> >> load your third party providers is not er ... secure.
> >>
> >>
> >> --- end of snip from dev-list append of 1st Feb 2006 by
> >> [EMAIL PROTECTED] ---
> >>
> >>
> >> Best regards,
> >> George
> >> IBM UK
> >>
> >>
> >> Geir Magnusson Jr wrote:
> >>>
> >>> Tim Ellison wrote:
> >>>> Arghhh!
> >>>>
> >>>> make it stop
> >>>>
> >>>> From below:
> >>>>  -Xbootclasspath/a:${build.path}/tests${path.separator}${env.CLASSPATH}
> >>>>
> >>>>
> >>>> putting the CLASSPATH onto the bootclasspath.  What are you smokin' ?!
> >>> That was the patch :)
> >>>
> >>> All that really is supposed to do is get junit and bcprov there.  I'll
> >>> move.
> >>>
> >>> geir
> >>>
> >>>>
> >>>> [ I know you are fixing this stuff, but I needed to vent ]
> >>>>
> >>>>
> >>>> -------- Original Message --------
> >>>> Subject: svn commit: r376144 -
> >>>>
> /incubator/harmony/enhanced/classlib/trunk/modules/security2/make/build.xml
> >>>>
> >>>> Date: Thu, 09 Feb 2006 01:44:21 -0000
> >>>> From: [EMAIL PROTECTED]
> >>>> Reply-To: harmony-dev@incubator.apache.org
> >>>> To: [EMAIL PROTECTED]
> >>>>
> >>>> Author: geirm
> >>>> Date: Wed Feb  8 17:44:19 2006
> >>>> New Revision: 376144
> >>>>
> >>>> URL: http://svn.apache.org/viewcvs?rev=376144&view=rev
> >>>> Log:
> >>>> put the bootclasspath stuff back for classlib tests
> >>>> because as I'm renaming some tests, it appears that
> >>>> when things reordered, tests broke.  On a lark, I put
> >>>> it back, and things work.  Scary.
> >>>>
> >>>> Will investigate further, but wanted to fix so tests run
> >>>>
> >>>> Also, changed one of the exclusion lists due to renaming.
> >>>>
> >>>>
> >>>> Modified:
> >>>>
> >>>>
> incubator/harmony/enhanced/classlib/trunk/modules/security2/make/build.xml
> >>>>
> >>>>
> >>>> Modified:
> >>>>
> incubator/harmony/enhanced/classlib/trunk/modules/security2/make/build.xml
> >>>>
> >>>> URL:
> >>>>
> http://svn.apache.org/viewcvs/incubator/harmony/enhanced/classlib/trunk/modules/security2/make/build.xml?rev=376144&r1=376143&r2=376144&view=diff
> >>>>
> >>>>
> ==============================================================================
> >>>>
> >>>> ---
> >>>>
> incubator/harmony/enhanced/classlib/trunk/modules/security2/make/build.xml
> >>>>
> >>>> (original)
> >>>> +++
> >>>>
> incubator/harmony/enhanced/classlib/trunk/modules/security2/make/build.xml
> >>>>
> >>>> Wed Feb  8 17:44:19 2006
> >>>> @@ -499,6 +499,8 @@
> >>>>              <env key="JAVA_HOME" value="${vm.home}"/>
> >>>>
> >>>>              <!-- to pick up junit.jar and bouncycastle.jar -->
> >>>> +            <jvmarg
> >>>> value="-Xbootclasspath/p:${build.jars.path}/crypto.jar${
> path.separator}${build.jars.path}/x_net.jar"/>
> >>>>
> >>>> +
> >>>>              <jvmarg
> >>>> value="-Xbootclasspath/a:${build.path}/tests${path.separator}${
> env.CLASSPATH}"/>
> >>>>
> >>>>
> >>>>              <jvmarg
> >>>> value="-
> Djava.security.properties==${build.lib.path}/security/java.security"/>
> >>>>
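Review bot: the added -Xbootclasspath/p: jvmarg sits under the comment "to pick up junit.jar and bouncycastle.jar", but it prepends crypto.jar and x_net.jar, which that comment does not cover. Give the new line its own comment saying why these two jars have to come ahead of the VM's boot classes; the log message only says that tests broke when things were reordered and that this will be investigated. The unchanged -Xbootclasspath/a: line below it still appends all of ${env.CLASSPATH}; since the stated aim is only to pick up junit and bouncycastle, naming those two jars explicitly would keep unrelated classpath entries off the boot class path.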
> >>>> @@ -518,7 +520,7 @@
> >>>>                      <exclude
> >>>> name="org/apache/harmony/security/test/**"/>
> >>>>                                          <!-- Harmony exclude list
> -->
> >>>> -                    <exclude
> >>>> name="java/security/AlgorithmParameterGeneratorTest1.java"/>
> >>>> +                    <exclude
> >>>> name="java/security/AlgorithmParameterGenerator1Test.java"/>
> >>>>                      <exclude
> name="java/security/KSBuilderTest.java"/>
> >>>>                      <exclude
> >>>> name="java/security/KeyPairGeneratorTest1.java"/>
> >>>>                      <exclude
> >>>> name="java/security/KeyPairGeneratorTest3.java"/>
> >>>>
> >>>>
> >>>>
> >>>>
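Review bot: only the AlgorithmParameterGenerator exclude is moved to the new "...1Test.java" naming; the KeyPairGeneratorTest1.java and KeyPairGeneratorTest3.java excludes just below keep the old "TestN" pattern. An exclude whose name matches no file is ignored without any error, so if those tests are renamed as well they will start running again; check each remaining name in this list against the renamed sources.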
> >>
> >
>



--
Thanks,
Stepan Mishura
Intel Middleware Products Division
