Posted to dev@felix.apache.org by "Karl Pauls (JIRA)" <ji...@apache.org> on 2012/07/22 22:15:33 UTC
[jira] [Commented] (FELIX-3604) No error log if the certificate is not valid
[ https://issues.apache.org/jira/browse/FELIX-3604?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420313#comment-13420313 ]
Karl Pauls commented on FELIX-3604:
-----------------------------------
Yeah, that probably makes sense. The problem I had with logging inside framework.security is that it is somewhat problematic to get a logger - I should add at least a print out for now.
> No error log if the certificate is not valid
> --------------------------------------------
>
> Key: FELIX-3604
> URL: https://issues.apache.org/jira/browse/FELIX-3604
> Project: Felix
> Issue Type: Bug
> Components: Framework Security
> Reporter: Guillaume Nodet
> Assignee: Karl Pauls
>
> If bundles are signed with an invalid or already expired certificate the certificate will be revoked but there is no log entry because it's not implemented.
> See TODO in
> org/apache/felix/framework/security/verifier/BundleDNParser.java line 445 which catches the CertificateException without any logging.
> {code}
> 417 private void getRootChains(Certificate[] certificates, List chains,
> 418 boolean check)
> 419 {
> 420 List chain = new ArrayList();
> 421
> 422 boolean revoked = false;
> 423
> 424 for (int i = 0; i < certificates.length - 1; i++)
> 425 {
> 426 X509Certificate certificate = (X509Certificate) certificates[i];
> 427
> 428 if (!revoked && isRevoked(certificate))
> 429 {
> 430 revoked = true;
> 431 }
> 432 if (!check || !revoked)
> 433 {
> 434 try
> 435 {
> 436 if (check)
> 437 {
> 438 certificate.checkValidity();
> 439 }
> 440
> 441 chain.add(certificate);
> 442 }
> 443 catch (CertificateException ex)
> 444 {
> 445 // TODO: log this or something
> 446 revoked = true;
> 447 }
> 448 }
> {code}
> It's hard to find the problem why a BundleSignerCondition is not applied to your bundle when nobody tells you that the certificate of your bundle was revoked.
> We should add an error log and print appropriate logging to tell the user what's happening here.
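The silent catch at line 445 of the quoted excerpt, made diagnosable: an added example, not Felix code, that reads the signer certificates from a bundle JAR given as the first argument and logs each certificate that fails `checkValidity()` with its subject and the relevant date. The class name, the logger name and the use of `java.util.logging` are assumptions; revocation (`isRevoked` in the quoted code) is not checked here.

```java
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import java.util.logging.Logger;

// Added example (not Felix code): report why a bundle's signer certificates fail checkValidity().
public class SignerValidityReport {
    private static final Logger LOG = Logger.getLogger("SignerValidityReport"); // assumed logger name

    // One message per certificate that is expired or not yet valid at 'when'.
    static List<String> validityProblems(Collection<? extends Certificate> certs, Date when) {
        List<String> problems = new ArrayList<>();
        for (Certificate c : certs) {
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            String subject = x.getSubjectX500Principal().getName();
            try {
                x.checkValidity(when);
            } catch (CertificateExpiredException ex) {
                problems.add(subject + " expired on " + x.getNotAfter());
            } catch (CertificateNotYetValidException ex) {
                problems.add(subject + " is not valid before " + x.getNotBefore());
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        Set<Certificate> seen = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(args[0], true)) {   // args[0]: path to the signed bundle
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory()) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    in.readAllBytes();                      // certificates are set only after a full read
                }
                Certificate[] certs = e.getCertificates();  // null for unsigned entries
                if (certs != null) seen.addAll(Arrays.asList(certs));
            }
        }
        if (seen.isEmpty()) LOG.warning(args[0] + ": no signer certificates found");
        for (String p : validityProblems(seen, new Date())) {
            LOG.severe(args[0] + ": signer certificate rejected: " + p);
        }
    }
}
```

`JarFile` verifies entry digests but does not check certificate validity periods, so an expired signer still shows up in `getCertificates()` and is reported here.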