Guillaume Nodet created FELIX-3604:
--------------------------------------
Summary: No error log if the certificate is not valid
Key: FELIX-3604
URL: https://issues.apache.org/jira/browse/FELIX-3604
Project: Felix
Issue Type: Bug
Components: Framework Security
Reporter: Guillaume Nodet
If bundles are signed with an invalid or already expired certificate, the
certificate will be revoked, but there is no log entry because it's not
implemented.
See TODO in
org/apache/felix/framework/security/verifier/BundleDNParser.java line 445 which
catches the CertificateException without any logging.
{code}
417     private void getRootChains(Certificate[] certificates, List chains,
418         boolean check)
419     {
420         List chain = new ArrayList();
421
422         boolean revoked = false;
423
424         for (int i = 0; i < certificates.length - 1; i++)
425         {
426             X509Certificate certificate = (X509Certificate) certificates[i];
427
428             if (!revoked && isRevoked(certificate))
429             {
430                 revoked = true;
431             }
432             if (!check || !revoked)
433             {
434                 try
435                 {
436                     if (check)
437                     {
438                         certificate.checkValidity();
439                     }
440
441                     chain.add(certificate);
442                 }
443                 catch (CertificateException ex)
444                 {
445                     // TODO: log this or something
446                     revoked = true;
447                 }
448             }
{code}
It's hard to find out why a BundleSignerCondition is not applied to
your bundle when nobody tells you that the certificate of your bundle was
revoked.
We should add an error log and print appropriate logging to tell the user what's
happening here.
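An added illustration, not part of the issue and not Felix's own code: one way the silent catch around checkValidity() could report which certificate failed and what its validity window is. The class name, method name and logger name are hypothetical, java.util.logging stands in for whatever logger the framework uses, and the sample certificate is taken from the JRE default trust store (assumed non-empty) and checked against artificial dates.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.logging.Logger;
import javax.net.ssl.*;

public class ValidityLoggingDemo { // hypothetical class, not part of Felix
    private static final Logger LOG = Logger.getLogger("bundle.signature"); // assumed logger name

    /** Returns the leading certificates valid at 'when'; logs and stops at the first failure. */
    static List<X509Certificate> validPrefix(X509Certificate[] certs, Date when) {
        List<X509Certificate> chain = new ArrayList<>();
        for (X509Certificate cert : certs) {
            try {
                cert.checkValidity(when);
                chain.add(cert);
            } catch (CertificateExpiredException | CertificateNotYetValidException ex) {
                // Name the certificate and its validity window so the rejection is diagnosable.
                LOG.severe("Rejecting signer chain (" + ex.getClass().getSimpleName() + "): subject="
                    + cert.getSubjectX500Principal().getName()
                    + ", notBefore=" + cert.getNotBefore()
                    + ", notAfter=" + cert.getNotAfter()
                    + ", checkedAt=" + when);
                break; // as in the snippet above, nothing after a failed certificate is kept
            }
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        // Sample input: the first trust anchor of the JRE default trust store.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        X509Certificate[] anchors = new X509Certificate[0];
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                anchors = ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        if (anchors.length == 0) throw new IllegalStateException("default trust store is empty");
        X509Certificate[] sample = { anchors[0] };

        // Artificial check dates force both failure modes without needing a bad certificate.
        System.out.println("kept at epoch: " + validPrefix(sample, new Date(0L)).size());
        System.out.println("kept at end of time: "
            + validPrefix(sample, new Date(Long.MAX_VALUE)).size());
    }
}
```

Each rejected check produces one SEVERE record carrying the subject DN and the notBefore/notAfter bounds, which is the information needed to tell why a BundleSignerCondition did not match.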