The property osgi.signedcontent.trust.engine is used to limit the trust engine services that the SignedBundleFile will use to determine if a signer is trusted. When you set that property to CECKeyStoreTrustEngine then only your trust engine will be used to establish trust. Do you know if your trust engine is called at all? Do you register your trust engine service with the same service property set? (i.e. osgi.signedcontent.trust.engine=CECKeyStoreTrustEngine).
You will notice the code in org.eclipse.osgi.internal.signedcontent.SignedBundleHook.getTrustEngines() uses a ServiceTracker to find the trust engine services. A filter is used when you set the osgi.signedcontent.trust.engine property.

HTH.

Tom

From: David Lübbren - PRION Group <dluebb...@prion.de>
To: equinox-dev@eclipse.org
Date: 01/19/2009 09:41 AM
Subject: [equinox-dev] Bundle Verification using custom TrustEngine

Hello,

I am trying to use the signed content functionality in equinox to verify all bundles at load time. After patching Eclipse 3.4 org.eclipse.osgi system bundle to include the patch (https://bugs.eclipse.org/bugs/show_bug.cgi?id=252098) I am able to do this out of the box using the following properties:

-Dosgi.signedcontent.support=all
-Dosgi.clean=true
-Dosgi.signedcontent.authorization.engine.policy=validity
-Dosgi.framework.keystore=file:/C:/myData/myKeystore

with a local keystore. All jars are signed in the exported product plugin directory, so eclipse jars are signed (at least) twice, and my custom ones once. This seems to work fine now (I did a couple of tests replacing signed jars with unsigned ones etc...).

My aim is to use a custom trust engine to be able to verify certificate trust independent of a local keystore. This is not working. Trying to track down why, I am using a copy of KeyStoreTrustEngine named CECKeyStoreTrustEngine. This Class is registered via a custom Adaptor Hook as an osgi service. I have confirmed that the service is registered and started via sysout and use the following properties to activate it:

-Dosgi.signedcontent.trust.engine=CECKeyStoreTrustEngine
-Dosgi.framework.extensions=cec.bundleverifier (the custom hook package)

Using this setup the application generates an exception:

org.osgi.framework.BundleException: The bundle could not be resolved.
Reason: The bundle is disabled: "org.eclipse.equinox.security:null"

When I remove the Property 'osgi.signedcontent.trust.engine' all TrustEngines are called and the verification works again.

My question is: Why does the KeyStoreTrustEngine registered from the SignedBundleHook work, but the same copy from my own hook fails?

Thanks
David Luebbren

_______________________________________________
equinox-dev mailing list
equinox-dev@eclipse.org
https://dev.eclipse.org/mailman/listinfo/equinox-dev
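
The check suggested in the reply above, as an added example that is not part of the original thread and is not Equinox code: register a trust engine with the osgi.signedcontent.trust.engine service property, then list which registered TrustEngine services a filter on the configured value would select. The class and method names are hypothetical, and the configured value is assumed to contain no LDAP filter special characters.

```java
import java.util.Hashtable;
import org.eclipse.osgi.service.security.TrustEngine;
import org.osgi.framework.BundleContext;
import org.osgi.framework.Filter;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.framework.ServiceReference;
import org.osgi.framework.ServiceRegistration;

/** Hypothetical diagnostic helper (not Equinox code). */
public final class TrustEngineCheck {
    // Property named in the thread: a launch property and also a service property.
    static final String TRUST_ENGINE = "osgi.signedcontent.trust.engine";

    /** Register the engine with the service property the framework's filter selects on. */
    static ServiceRegistration register(BundleContext ctx, TrustEngine engine, String name) {
        Hashtable<String, Object> props = new Hashtable<String, Object>();
        // Must equal the value passed as -Dosgi.signedcontent.trust.engine=...
        props.put(TRUST_ENGINE, name);
        return ctx.registerService(TrustEngine.class.getName(), engine, props);
    }

    /** Report every registered TrustEngine and whether the configured value selects it. */
    static String report(BundleContext ctx) throws InvalidSyntaxException {
        String wanted = ctx.getProperty(TRUST_ENGINE); // null when the property is not set
        // Assumption: 'wanted' needs no escaping inside an LDAP filter string.
        Filter filter = wanted == null ? null
                : ctx.createFilter("(" + TRUST_ENGINE + "=" + wanted + ")");
        StringBuilder out = new StringBuilder();
        out.append("configured ").append(TRUST_ENGINE).append('=').append(wanted).append('\n');

        ServiceReference[] refs = ctx.getServiceReferences(TrustEngine.class.getName(), null);
        if (refs == null) {
            return out.append("no TrustEngine services are registered\n").toString();
        }
        for (ServiceReference ref : refs) {
            // Without the property every engine is consulted; with it, only matching ones.
            boolean selected = filter == null || filter.match(ref);
            out.append(selected ? "SELECTED " : "ignored  ")
               .append("service property=").append(ref.getProperty(TRUST_ENGINE))
               .append(" registered by ").append(ref.getBundle()).append('\n');
        }
        return out.toString();
    }
}
```

An engine whose service property is missing or differs from the configured value shows up as ignored, which is the case the reply asks about.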