The manifest needs to be signed with the same private key that signed the certificate.

From: George Tang [mailto:[email protected]]
Sent: Monday, October 24, 2016 10:20 AM
To: Kevin Kane <[email protected]>
Cc: allseen-core <[email protected]>
Subject: Re: [Allseen-core] ER_PERMISSION_DENIED

After adding the SecureConnection call on the bus attachments, there is a SendManifests call. However, there is another error before the reset: ER_PERMISSION_DENIED, manifest signature failed to verify.

Since I am signing the manifests with a generated private key and not the bus's private key from credential accessor, are there any fields in the certificate that I need to change to the generated public key? Do I need to sign the certificates with the generated private key too instead of with the bus's permission configurator?

I have attached the new log.

Thanks,
George

On Mon, Oct 24, 2016 at 10:35 AM, Kevin Kane <[email protected]> wrote:

Is your test also calling SecureConnection(true) on the bus attachment after Claim so that the ECDSA session is established? Otherwise the manager bus will try to continue with the existing ECDHE_NULL session and the method calls will fail.

From: George Tang [mailto:[email protected]]
Sent: Saturday, October 22, 2016 9:38 AM
To: Kevin Kane <[email protected]>
Cc: allseen-core <[email protected]>
Subject: Re: [Allseen-core] ER_PERMISSION_DENIED

Hi Kevin,

The logs contain a call to installMembership on the manager bus. Are there any other reasons for not having a sendMemberships call?

When writing these tests I could not use credential accessor to get the guid of the bus to set the IssuerCN, and I could not use it to get the bus private key to sign the manifest. So I generated a random private key and a random guid instead.

Thanks,
George

On Fri, Oct 21, 2016 at 10:20 AM, Kevin Kane <[email protected]> wrote:

I don’t see any calls to SendMemberships in the trace. This suggests your security manager bus attachment hasn’t been provisioned with an admin group membership certificate, since later the PERMISSION_MGMT source shows the peer does not match against the ACL for WITH_MEMBERSHIP, which should match. Can you make sure your setup generates and installs an admin group membership certificate onto the bus attachment from which you make the Reset call?

From: [email protected] [mailto:[email protected]] On Behalf Of George Tang
Sent: Thursday, October 20, 2016 9:09 PM
To: allseen-core <[email protected]>
Subject: [Allseen-core] ER_PERMISSION_DENIED

Hi all,

I am getting this error, ER_PERMISSION_DENIED, when calling reset in Java. I have a feeling that some value of CertificateX509 is not being set correctly, but I don't know which value.

I have the logs for a successful call to reset from the core sample test SecurityClaimApplicationTest.cc (testlog). I also have logs of the call to reset from the Java bindings that fails (antlog).

It would be great if someone experienced in security and certificates could take a look.

Thanks,
George

_______________________________________________
Allseen-core mailing list
[email protected]
https://lists.allseenalliance.org/mailman/listinfo/allseen-core
