Patch, begin of signed applet support

George Staikos staikos at kde.org
Tue Feb 10 04:06:32 GMT 2004 

Ah ok, this is all built-in to java so no need to use KSSL.  The only 
unfortunate part is that we can't share the KDE certificate database.  It 
absolutely sucks that every app and library has to create its own database.  
Do you think it would be possible to sync the Java one with the KDE one?  We 
could import the default Java certificates into the KDE database, and then 
just proxy all the certificate calls back and forth...  Certainly you could 
implement it with the Java native stuff first to get it working, and then 
this could be added on later.

On Monday 09 February 2004 14:17, Koos Vriezen wrote:
> On Sun, Feb 08, 2004 at 06:48:38PM -0500, George Staikos wrote:
> > On Saturday 07 February 2004 20:07, Koos Vriezen wrote:
> > > Signed applets is one major missing feature. Attached a patch that
> > > could be a start of this. It asks the user in case a permission is not
> > > granted by the security manager.
> > > What needs to be done is a way to store granted permissions, eg. with
> > > this patch for each applet the user must answer if it allows access to
> > > the clipboard.
> >
> >   Do you need any PKCS support from KSSL for this?
>
> Don't know yet, maybe you can tell me :). The certificates are described
> here
> http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/X509Certificate.
>html Certificate is created with
>    $JAVA_HOME/bin/keytool -genkey -keystore mystore -alias myalias
> and signing of jar file is done with
>     $JAVA_HOME/bin/jarsigner -keystore mystore myjar.jar myalias
>
> Its the combination of a valid certificate and permission that should be
> stored somewhere. Java itself has support for it, like
>     $JAVA_HOME/bin/keytool -import -keystore mystore -alias myalias -file
> mycert and policy file like
>     keystore "file:mystore", "JKS"
>     grant signedBy "myalias"
>     {
>          permission java.io.FilePermission "file:/home/koos/dir", "read"
>     }
>
> Anyway, lets make these applets work first. I've updated the patch, it
> saves quite some 'Yes' clicking :-) by remembering which permission were
> granted for which certificate.
> It makes use of Object.getSigners() and SecurityManager.getClassContext()  
>                        (which is an array of all classes in the calling
> stack). Duplicates from http://bugs.kde.org/show_bug.cgi?id=65602 actually
> seem to work (although some questions are really scary, one applet managed
> to make a c:\temp\jts directory in my home dir)
>
> Koos

-- 
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/

More information about the kfm-devel mailing list