Added new functionality ==> exceptions.sites #394

Closed
patris70 opened this issue Sep 3, 2019 · 17 comments

@patris70

patris70 commented Sep 3, 2019

You can use the domain wildcard "*" in the Exception.Sites list for System but not for User.
A port number is required only if the default port is not used (default http port is 80 and https port is 443).

(Thanks Justin Reock, and John Saboe)

Changes for exceptions.sites functionality:

New Class netx/net/sourceforge/jnlp/security/appletextendedsecurity/ExceptionSitesStorage.java

Responsible for parsing exception.sites files and providing methods to check for exceptions. Can read exceptions from both regular files and files contained within .jar archives.

Exceptions can be in the form of website URL wildcard matches as well as SHA-256 certificate fingerprint matches for applets.

ExceptionSitesStorage.zip

Updates to netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java

Add three new keys to pull in properties for System exception file and .jars and User exception file on line 136:

    public static final String KEY_USER_SECURITY_EXCEPTION_SITES = "deployment.user.security.exception.sites";
    public static final String KEY_SYSTEM_SECURITY_EXCEPTION_SITES = "deployment.system.security.exception.sites";
    public static final String KEY_SYSTEM_SECURITY_EXCEPTION_SITES_JAR = "deployment.system.security.exception.sites.jar";

Updates to netx/net/sourceforge/jnlp/config/Defaults.java

Add validators and key references for exception.sites keys to configuration object array at line 192:

    { DeploymentConfiguration.KEY_SYSTEM_SECURITY_EXCEPTION_SITES, BasicValueValidators.getFilePathValidator(), null },
    { DeploymentConfiguration.KEY_SYSTEM_SECURITY_EXCEPTION_SITES_JAR, BasicValueValidators.getFilePathValidator(), String.valueOf("") },
    { DeploymentConfiguration.KEY_USER_SECURITY_EXCEPTION_SITES, BasicValueValidators.getFilePathValidator(), String.valueOf("") },

Updates to netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java

Add exception check to bypass Security Warning for Unsigned Applets based on certificate match or URL match on line 1143.

JNLPClassLoader.zip

Updates to netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java

Add an exception sites check before the call to the Security Warning dialog for a missing “permissions” attribute at line 290, and add a similar check to the Security Warning for a missing ALAC attribute on line 440:

ManifestAttributesChecker.zip

Changes to netx/net/sourceforge/jnlp/tools/CertInformation.java

Allow for returning the cert fingerprint for SHA-256 certificate matching, at line 70:

private String fingerprint = "";

Getter method for fingerprint at line 159:

public String getFingerprint() { return this.fingerprint; }

Setter method for fingerprint at line 257:

public void setFingerprint(String fprint) { this.fingerprint = fprint; }

Changes to netx/net/sourceforge/jnlp/tools/JarCertVerifier.java

Changes to extract SHA-256 fingerprint from Certificate on line 144:

    // Returns the upper-case hex SHA-256 digest of the DER-encoded certificate.
    // DatatypeConverter here is javax.xml.bind.DatatypeConverter.
    private static String getThumbprint(X509Certificate cert) throws NoSuchAlgorithmException, CertificateEncodingException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] der = cert.getEncoded();
        md.update(der);
        byte[] digest = md.digest();
        String digestHex = DatatypeConverter.printHexBinary(digest);
        return digestHex.toUpperCase();
    }

Changes to add fingerprint to certificate information on line 407:

certInfo.setFingerprint(getThumbprint((X509Certificate) cert));

Add Site Exception Viewer to Control Panel

Adds a new panel inside the IcedTea-Web Control Panel to allow viewing of site exceptions from .jar file and/or exception.sites file:

New Class netx/net/sourceforge/jnlp/controlpanel/ExceptionsPanel.java
New class to draw the panel that views the site exceptions:

ExceptionsPanel.zip

Localization Changes – Add English, Czech, German, and Polish panel titles:

Changes to netx/net/sourceforge/jnlp/resources/Messages.properties:
Add English Title for Exceptions Panel at line 665:

CPTabExceptions=Exception Sites

Changes to netx/net/sourceforge/jnlp/resources/Messages_cs.properties:
Add Czech Title for Exceptions Panel at line 621

CPTabExceptions=Stranky Vyjimek

Changes to netx/net/sourceforge/jnlp/resources/Messages_de.properties:
Add German Title for Exceptions Panel at line 620

CPTabExceptions=Ausnahmeliste

Changes to netx/net/sourceforge/jnlp/resources/Messages_pl.properties:
Add Polish Title for Exceptions Panel at line 463

CPTabExceptions=Witryny Wyjatkow

Changes to netx/net/sourceforge/jnlp/controlpanel/ControlPanel.java

Add new panel at line 258:

private JPanel createExceptionsPanel() { return new ExceptionsPanel(); }

Screenshots:

System Exception.Sites: [screenshot: system]

User Exception.Sites: [screenshot: user]
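
An added example, not code from ExceptionSitesStorage.java or the IcedTea-Web project: one way to match a URL against an exception entry using the default-port rule from the post (80 for http, 443 for https), a wildcard that only spans whole DNS labels, and a normalized SHA-256 fingerprint comparison. The entry format `scheme://host[:port]`, the class and method names, and the sample entry and URLs are assumptions of this example.

```java
import java.net.URI;
import java.util.Locale;
public class ExceptionSiteMatch {
    // Default ports named in the post: http 80, https 443; -1 for anything else.
    static int defaultPort(String scheme) {
        return "https".equalsIgnoreCase(scheme) ? 443 : "http".equalsIgnoreCase(scheme) ? 80 : -1;
    }

    // "*." stands for one or more whole DNS labels: "*.example.com" matches
    // "a.example.com" but not "example.com" or "evilexample.com".
    static boolean hostMatches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT), h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return p.equals(h);
        String suffix = p.substring(1); // ".example.com"
        return h.length() > suffix.length() && h.endsWith(suffix);
    }

    // Entry format "scheme://host[:port]" is an assumption of this example (no IPv6 literals).
    static boolean urlMatches(String entry, String candidateUrl) {
        try {
            URI c = URI.create(candidateUrl);
            int sep = entry.indexOf("://");
            if (sep < 0 || c.getScheme() == null || c.getHost() == null) return false;
            String scheme = entry.substring(0, sep);
            String authority = entry.substring(sep + 3).split("/", 2)[0];
            int colon = authority.lastIndexOf(':');
            String hostPattern = colon < 0 ? authority : authority.substring(0, colon);
            int port = colon < 0 ? defaultPort(scheme) : Integer.parseInt(authority.substring(colon + 1));
            int candidatePort = c.getPort() != -1 ? c.getPort() : defaultPort(c.getScheme());
            return scheme.equalsIgnoreCase(c.getScheme()) && port == candidatePort && hostMatches(hostPattern, c.getHost());
        } catch (IllegalArgumentException e) {
            return false; // malformed entry or URL: fail closed, keep the warning dialog
        }
    }

    // Accept "AB:CD:..." or "abcd..." and compare with the upper-case hex from getThumbprint().
    static boolean fingerprintMatches(String configured, String computedUpperHex) {
        String n = configured.replaceAll("[:\\s]", "").toUpperCase(Locale.ROOT);
        return n.length() == 64 && n.equals(computedUpperHex);
    }

    public static void main(String[] args) {
        String entry = "https://*.example.com"; // constructed sample entry
        String[] urls = { "https://app.example.com/x.jnlp", "https://app.example.com:443/",
            "https://app.example.com:8443/", "http://app.example.com/",
            "https://evilexample.com/", "https://a.example.com@evil.test/" };
        for (String u : urls) System.out.println(u + " -> " + urlMatches(entry, u));
    }
}
```

The last two sample URLs show why the host is taken from the parsed URI and why the wildcard is anchored at a dot: both would pass a plain substring comparison against the entry.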

@hendrikebbers
Member

hendrikebbers commented Sep 3, 2019

Hi @patris70 can you do a Pull Request instead of adding classes as Zips? If you do not know how to create a Pull Request just ping me and I can give you an introduction :)

@patris70
Author

patris70 commented Sep 3, 2019

Hi @hendrikebbers,
Yes, please help me, I do not know. :)

Thanks

@Archimedes5000

Is this really a Pull Request? The classes are still for ITW 1.7 / 1.8. In my opinion patris70 needs help to integrate these classes into ITW 2.0. See also case #392.

@karianna karianna added this to the 2.0.x milestone Sep 9, 2019
@karianna karianna added the enhancement New feature or request label Sep 9, 2019
@sclassen sclassen modified the milestones: 2.0.x, 1.8.x Jan 30, 2020
@StewartK613

So, by modifying the files noted above (and adding one as well) this will give the functionality of vetting SHA256 signed JAR files to run? Newbie here, thanks

@patris70
Author

Hi @StewartK613,
Yes, but you can add SHA256 in the SYSTEM EXCEPTION file, NOT in USER EXCEPTION.
Hope to help.
Regards

@StewartK613

That's perfect. I may have a few more questions, if that's OK. I'll start making the modifications.
Thanks patris70

@patris70
Author

@StewartK613,
you can always write your questions.

Regards

@StewartK613

Quick question: the line numbers you have indicated above, am I to replace that line with the information you have given? In some cases, it looks as though I will be breaking the syntax of the current line.
Thanks

@patris70
Author

@StewartK613,

please use my zip files.

Regards

@StewartK613

OK thanks

@StewartK613

Do you have the other ZIP files available (JarCertVerifier.java, CertInformation.java, etc.)?
And again, thanks for your time

@StewartK613

How do I get the itweb settings to recognize the new settings in netx.src?
Thanks

@sid9var

sid9var commented Apr 14, 2020

Hello All. I have a QQ on the public availability of ITW 2.0

Is there a date set already for this? Thanks!

@sclassen
Contributor

No, there is currently nobody working on setting up a build for creating an executable binary and an installer.
There exists https://openwebstart.com which is based on the 2.0 branch

@dhirenjoshi

Hi Team,
I will be starting to work on the DeploymentRuleSet. Before I start, I wanted to check with all whether any part has already been partially started/completed by any team members. patris70 had worked on it to some extent, as I can see from the comments above.
I have connected with sclassen in emails back and forth.
@patris70, can you please explain what functionality you ended up implementing? Thanks

DeploymentRuleSet functionality as I understand it:

  1. XML based file which gets saved to signed jar.
  2. Provide a panel to upload the signed jar.
  3. Provide checks to verify medium and low security access is provided to vetted sites added in DeploymentRuleSet.
  4. For number 3, I will need help finding which code in jdk or sun packages will help me implement this?

With these 4 items, DeploymentRuleSet can be implemented. Please feel free to add to this requirement to make it better if I missed any parts of the DeploymentRuleSet as I understand it.

@patris70
Author

Hi @dhirenjoshi,

  1. File name is ExceptionSites.jar and path name is C:\Windows\Sun\Java\Deployment
  2. No, why do you need a panel to upload the ExceptionSites.jar file?
  3. Same function (not 100%) as Oracle DeploymentRuleset
  4. This code is not in the JDK source code (Oracle has this code); my code is in the IcedTea-Web source code

Hope to help.

@dhirenjoshi

dhirenjoshi commented Feb 24, 2021 via email
