Posted to dev@felix.apache.org by "Karl Pauls (JIRA)" <ji...@apache.org> on 2012/07/25 13:53:33 UTC

[jira] [Resolved] (FELIX-3604) No error log if the certificate is not valid

     [ https://issues.apache.org/jira/browse/FELIX-3604?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Pauls resolved FELIX-3604.
-------------------------------

       Resolution: Fixed
    Fix Version/s: framework.security-2.2.0

I get the framework logger and log a warning. Can you check if that works for you?

The reason I wasn't using the logger inside security was that it was doing security sensitive calls during that time which created all sorts of problems. It doesn't at the moment so we should be good for now.
                
> No error log if the certificate is not valid
> --------------------------------------------
>
>                 Key: FELIX-3604
>                 URL: https://issues.apache.org/jira/browse/FELIX-3604
>             Project: Felix
>          Issue Type: Bug
>          Components: Framework Security
>            Reporter: Guillaume Nodet
>            Assignee: Karl Pauls
>             Fix For: framework.security-2.2.0
>
>
> If bundles are signed with an invalid or already expired certificate the certificate will be revoked but there is no log entry because it's not implemented.
> See TODO in
> org/apache/felix/framework/security/verifier/BundleDNParser.java line 445 which catches the CertificateException without any logging.
> {code}
> 417     private void getRootChains(Certificate[] certificates, List chains,
> 418         boolean check)
> 419     {
> 420         List chain = new ArrayList();
> 421 
> 422         boolean revoked = false;
> 423 
> 424         for (int i = 0; i < certificates.length - 1; i++)
> 425         {
> 426             X509Certificate certificate = (X509Certificate) certificates[i];
> 427 
> 428             if (!revoked && isRevoked(certificate))
> 429             {
> 430                 revoked = true;
> 431             }
> 432             if (!check || !revoked)
> 433             {
> 434                 try
> 435                 {
> 436                     if (check)
> 437                     {
> 438                         certificate.checkValidity();
> 439                     }
> 440 
> 441                     chain.add(certificate);
> 442                 }
> 443                 catch (CertificateException ex)
> 444                 {
> 445                     // TODO: log this or something
> 446                     revoked = true;
> 447                 }
> 448             }
> {code}
> It's hard to find the problem why a BundleSignerCondition is not applied to your bundle when nobody tells you that the certificate of your bundle was revoked.
> We should add an error log and print appropriate logging to tell the user what's happening here.

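
An added example, not the committed Felix fix or code from the issue: one way to make the rejection in the quoted loop visible, by logging which certificate failed checkValidity() and why. java.util.logging stands in for the framework logger, and the class name, logger name and the JAR path argument are assumptions.

```java
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import java.util.logging.Logger;

// Added example, not Felix code. java.util.logging stands in for the framework logger.
public class ChainValidityCheck {
    private static final Logger LOG = Logger.getLogger("bundle.signing");

    // Returns the certificates that pass checkValidity() and logs every
    // rejection with the subject, the validity window and the reason.
    static List<X509Certificate> validCertificates(Certificate[] certs, String source) {
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : certs) {
            X509Certificate x = (X509Certificate) c;
            try {
                x.checkValidity();
                chain.add(x);
            } catch (CertificateExpiredException | CertificateNotYetValidException ex) {
                LOG.warning(String.format("%s: rejecting certificate [%s] (valid %s to %s): %s",
                    source, x.getSubjectX500Principal().getName(),
                    x.getNotBefore(), x.getNotAfter(), ex.getMessage()));
                break; // as in the quoted loop, nothing is added after a failed certificate
            }
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to a signed bundle JAR supplied by the reader
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    in.readAllBytes(); // certificates are only available once the entry is fully read
                }
                Certificate[] certs = e.getCertificates();
                if (certs == null) { LOG.warning(e.getName() + ": entry is not signed"); continue; }
                List<X509Certificate> ok = validCertificates(certs, args[0] + "!" + e.getName());
                System.out.println(e.getName() + ": " + ok.size() + "/" + certs.length + " certificates valid");
            }
        }
    }
}
```

Unlike the quoted method, this sketch does not consult a revocation list and does not skip the last certificate in the array; it only shows the validity check with the log line the issue asks for.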