Did you add your CA cert to the keystore as trusted?

regards,

Karl

On Fri, Mar 27, 2009 at 9:28 AM, Omar MAHMOUD <[email protected]> wrote:
> Thank you very much for your reply.
>
> I am signing my bundle with a keystore that I have created, and which
> contains my school (organization field): ENIT.
> I tried with *, o=ENIT before and it doesn't work either.
> Here is the output of the jarsigner command:
>
> *jarsigner -keystore /home/mycompany/myKeystore.ks -verify -verbose -certs
> registerservice-1.0.jar
>
>         1386 Thu Mar 26 14:58:40 CET 2009 META-INF/MANIFEST.MF
>          880 Thu Mar 26 14:58:40 CET 2009 META-INF/OMARMAHM.SF
>         1035 Thu Mar 26 14:58:40 CET 2009 META-INF/OMARMAHM.DSA
>            0 Thu Mar 26 11:50:42 CET 2009 META-INF/
>            0 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/
>            0 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/com.mycompany.osgisecuritytuto/
>            0 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/com.mycompany.osgisecuritytuto/registerservice/
> smk      148 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/com.mycompany.osgisecuritytuto/registerservice/pom.properties
>
>       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>       [certificate will expire on 24/06/09 13:10]
>
> smk     1804 Wed Feb 25 11:37:58 CET 2009 META-INF/maven/com.mycompany.osgisecuritytuto/registerservice/pom.xml
>
>       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>       [certificate will expire on 24/06/09 13:10]
>
>            0 Thu Mar 26 11:50:42 CET 2009 com/
>            0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/
>            0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/osgisecuritytuto/
>            0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/osgisecuritytuto/registerservice/
>            0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/osgisecuritytuto/registerservice/iservice/
> smk      243 Thu Mar 26 11:50:40 CET 2009 com/mycompany/osgisecuritytuto/registerservice/iservice/GSMService.class
>
>       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>       [certificate will expire on 24/06/09 13:10]
>
>            0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/osgisecuritytuto/registerservice/service/
> smk     2307 Thu Mar 26 11:50:40 CET 2009 com/mycompany/osgisecuritytuto/registerservice/service/Activator.class
>
>       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>       [certificate will expire on 24/06/09 13:10]
>
> smk      677 Thu Mar 26 11:50:40 CET 2009 com/mycompany/osgisecuritytuto/registerservice/service/NokiaGSMImpl.class
>
>       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>       [certificate will expire on 24/06/09 13:10]
>
>            0 Thu Mar 26 11:50:42 CET 2009 util/
> smk     1617 Thu Mar 26 11:50:40 CET 2009 util/Util.class
>
>       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>       [certificate will expire on 24/06/09 13:10]
>
>
>   s = signature was verified
>   m = entry is listed in manifest
>   k = at least one certificate was found in keystore
>   i = at least one certificate was found in identity scope
>
> jar verified.
>
> Warning:
> This jar contains entries whose signer certificate will expire within six
> months. *
>
> Is there something wrong with the signature?
>
> Thank you very much for your help.
> Best regards.
> Omar MAHMOUD
>
> 2009/3/26 Karl Pauls <[email protected]>
>
>> Can you explain what kind of certificate (chain) you are trying to
>> match? The given filter:
>>
>> *; o=ENIT
>>
>> would match bundles that have been signed by any certificate that has
>> been signed by a CA that has a CN that _starts_ with o=ENIT. Not
>> impossible but maybe not what you wanted? In case what you wanted to
>> say is "if it is signed by a certificate that has o=ENIT in its CN"
>> then it should be:
>>
>> *, o=ENIT
>>
>> and if you want any certificate that has a CA that has o=ENIT
>> somewhere in its CN then you should use:
>>
>> *;*,o=ENIT
>>
>> Again, please give some more information about your certificates.
>>
>> regards,
>>
>> Karl
>>
>> On Thu, Mar 26, 2009 at 6:17 PM, Omar MAHMOUD <[email protected]>
>> wrote:
>> > Hi All!!
>> >
>> > I'm working with OSGi security API under Felix.
>> > I wanted to test 4 bundles:
>> >
>> > 1-a bundle that manages the permissions.
>> > 2-RegisterService: a bundle that registers a service S.
>> > 3-GoodBundle: a signed bundle that consumes S.
>> > 4-MaliciousBundle: an unsigned bundle that attempts to consume S.
>> >
>> > I run Felix with run_felix.sh = *{java
>> > -Dfelix.config.properties=file:lib/felix/conf/config.properties
>> > -Dfelix.cache.profiledir=lib/felix/profile -Djava.security.manager
>> > -Djava.security.policy=lib/all.policy
>> > -Dfelix.keystore=file:/home/me/myKS.ks
>> > -Dfelix.keystore.pass=mypass -Dfelix.keystore.type=JKS -jar
>> > lib/felix/felix.jar}*
>> >
>> > The problem is that my 'GoodBundle' cannot get the service!
>> >
>> > It worked well when I substituted:
>> >
>> > *{m_signed = condPermAdmin.addConditionalPermissionInfo(new ConditionInfo[]{
>> >     new ConditionInfo(BundleSignerCondition.class.getName(),
>> >         new String[]{"* ; o=ENIT"})
>> > }, ALLPERMISSION_INFO);
>> > }*
>> >
>> > by
>> > *{m_signed = condPermAdmin.addConditionalPermissionInfo(new ConditionInfo[]{
>> >     new ConditionInfo(BundleLocationCondition.class.getName(),
>> >         new String[]{context.getBundle(7).getLocation()})
>> > }, ALLPERMISSION_INFO);
>> > }* (GoodBundle has id=7)
>> >
>> >
>> > So I suspected that there is something wrong with jar signing, but the
>> > command:
>> >
>> > *{jarsigner -keystore /home/me/myKS.ks GoodBundle-1.0.jar myAlias}*
>> >
>> > tells me that there is nothing wrong with the signature and all the
>> > fields appear as they are supposed to be.
>> >
>> > What might be the problem?
>> >
>> > Thank you very much in advance.
>> >
>>
>> --
>> Karl Pauls
>> [email protected]
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>

--
Karl Pauls
[email protected]

