Posted to dev@felix.apache.org by "Karl Pauls (JIRA)" <ji...@apache.org> on 2012/07/22 22:11:35 UTC

[jira] [Assigned] (FELIX-3604) No error log if the certificate is not valid

     [ https://issues.apache.org/jira/browse/FELIX-3604?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Pauls reassigned FELIX-3604:
---------------------------------

    Assignee: Karl Pauls
    
> No error log if the certificate is not valid
> --------------------------------------------
>
>                 Key: FELIX-3604
>                 URL: https://issues.apache.org/jira/browse/FELIX-3604
>             Project: Felix
>          Issue Type: Bug
>          Components: Framework Security
>            Reporter: Guillaume Nodet
>            Assignee: Karl Pauls
>
> If bundles are signed with an invalid or already expired certificate, the certificate will be revoked, but there is no log entry because it's not implemented.
> See TODO in
> org/apache/felix/framework/security/verifier/BundleDNParser.java line 445 which catches the CertificateException without any logging.
> {code}
> 417     private void getRootChains(Certificate[] certificates, List chains,
> 418         boolean check)
> 419     {
> 420         List chain = new ArrayList();
> 421 
> 422         boolean revoked = false;
> 423 
> 424         for (int i = 0; i < certificates.length - 1; i++)
> 425         {
> 426             X509Certificate certificate = (X509Certificate) certificates[i];
> 427 
> 428             if (!revoked && isRevoked(certificate))
> 429             {
> 430                 revoked = true;
> 431             }
> 432             if (!check || !revoked)
> 433             {
> 434                 try
> 435                 {
> 436                     if (check)
> 437                     {
> 438                         certificate.checkValidity();
> 439                     }
> 440 
> 441                     chain.add(certificate);
> 442                 }
> 443                 catch (CertificateException ex)
> 444                 {
> 445                     // TODO: log this or something
> 446                     revoked = true;
> 447                 }
> 448             }
> {code}
> It's hard to find the problem why a BundleSignerCondition is not applied to your bundle when nobody tells you that the certificate of your bundle was revoked.
> We should add an error log and print appropriate logging to tell the user what's happening here.

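The catch block discussed in the issue, with the validity failure logged instead of swallowed. This is an added example, not Felix code or the eventual fix. It is simplified: it omits the `isRevoked` lookup and the chain-splitting logic of `getRootChains`. The class name, logger name and the JAR path argument are assumptions.

```java
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import java.util.logging.Logger;

public class CertValidityLogging {
    // Hypothetical logger name; a framework would use its own logging facility.
    private static final Logger LOG = Logger.getLogger("bundle.signer");

    /** Returns the certificates accepted into the chain and logs why the rest were dropped. */
    static List<X509Certificate> validChain(Certificate[] certificates, boolean check) {
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : certificates) {
            X509Certificate cert = (X509Certificate) c;
            try {
                if (check) {
                    cert.checkValidity(); // compares notBefore/notAfter with the current time
                }
                chain.add(cert);
            } catch (CertificateExpiredException ex) {
                LOG.severe("Signer certificate expired on " + cert.getNotAfter()
                        + ", treating as revoked: " + cert.getSubjectX500Principal());
                break; // like revoked = true: nothing further is accepted
            } catch (CertificateNotYetValidException ex) {
                LOG.severe("Signer certificate not valid before " + cert.getNotBefore()
                        + ", treating as revoked: " + cert.getSubjectX500Principal());
                break;
            }
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        try (JarFile jar = new JarFile(args[0], true)) { // args[0]: path to a signed bundle JAR
            for (JarEntry entry : Collections.list(jar.entries())) {
                try (InputStream in = jar.getInputStream(entry)) {
                    in.readAllBytes(); // signer certificates are only set once the entry is fully read
                }
                Certificate[] certs = entry.getCertificates();
                if (certs != null) { // first signed entry is enough for a diagnosis
                    LOG.info(entry.getName() + ": " + validChain(certs, true).size()
                            + " of " + certs.length + " certificates currently valid");
                    break;
                }
            }
        }
    }
}
```

Run against a bundle whose `BundleSignerCondition` unexpectedly does not match, the log line names the certificate subject and the date that failed the check.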