[
https://issues.apache.org/jira/browse/FELIX-3604?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422122#comment-13422122
]
Guillaume Nodet commented on FELIX-3604:
----------------------------------------
Did you start working on that already? I can do it if you want.
> No error log if the certificate is not valid
> --------------------------------------------
>
> Key: FELIX-3604
> URL: https://issues.apache.org/jira/browse/FELIX-3604
> Project: Felix
> Issue Type: Bug
> Components: Framework Security
> Reporter: Guillaume Nodet
> Assignee: Karl Pauls
>
> If bundles are signed with an invalid or already expired certificate the
> certificate will be revoked but there is no log entry because it's not
> implemented.
> See TODO in
> org/apache/felix/framework/security/verifier/BundleDNParser.java line 445
> which catches the CertificateException without any logging.
> {code}
> 417     private void getRootChains(Certificate[] certificates, List chains,
> 418         boolean check)
> 419     {
> 420         List chain = new ArrayList();
> 421
> 422         boolean revoked = false;
> 423
> 424         for (int i = 0; i < certificates.length - 1; i++)
> 425         {
> 426             X509Certificate certificate = (X509Certificate) certificates[i];
> 427
> 428             if (!revoked && isRevoked(certificate))
> 429             {
> 430                 revoked = true;
> 431             }
> 432             if (!check || !revoked)
> 433             {
> 434                 try
> 435                 {
> 436                     if (check)
> 437                     {
> 438                         certificate.checkValidity();
> 439                     }
> 440
> 441                     chain.add(certificate);
> 442                 }
> 443                 catch (CertificateException ex)
> 444                 {
> 445                     // TODO: log this or something
> 446                     revoked = true;
> 447                 }
> 448             }
> {code}
> It's hard to find out why a BundleSignerCondition is not applied to
> your bundle when nobody tells you that the certificate of your bundle was
> revoked.
> We should add an error log and print appropriate logging to tell the user what's
> happening here.
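The silent catch described in the issue, reworked so that a failed `checkValidity()` produces a log entry naming the certificate and the reason. This is an added example, not code from Felix or from the issue: the class `ChainValidityLogger`, the method `validPrefix` and the logger name are hypothetical, it uses `java.util.logging` rather than the framework's logger, and it omits the revocation check from `getRootChains`.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ChainValidityLogger {
    private static final Logger LOG = Logger.getLogger("bundle.signer"); // hypothetical logger name

    // Returns the leading certificates that pass checkValidity(); logs the first one that fails.
    static List<X509Certificate> validPrefix(Certificate[] certificates, String source) {
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : certificates) {
            X509Certificate cert = (X509Certificate) c;
            String subject = cert.getSubjectX500Principal().getName();
            try {
                cert.checkValidity();
                chain.add(cert);
            } catch (CertificateExpiredException ex) {
                LOG.log(Level.SEVERE, "{0}: signer certificate [{1}] expired on {2}",
                        new Object[] {source, subject, cert.getNotAfter()});
                break; // as in the original loop, nothing after an invalid certificate is trusted
            } catch (CertificateNotYetValidException ex) {
                LOG.log(Level.SEVERE, "{0}: signer certificate [{1}] is not valid before {2}",
                        new Object[] {source, subject, cert.getNotBefore()});
                break;
            }
        }
        return chain;
    }

    // Usage: java ChainValidityLogger <path to a signed bundle JAR supplied by the reader>
    public static void main(String[] args) throws Exception {
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory()) continue;
                // Signer certificates are only populated once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) { in.readAllBytes(); }
                Certificate[] certs = entry.getCertificates();
                if (certs == null) continue; // unsigned entry, e.g. META-INF/MANIFEST.MF
                validPrefix(certs, args[0]);
                return; // one signed entry is enough to inspect the signer chain
            }
        }
    }
}
```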