Well, it is a self-signed cert then, right? That is still ok but you probably will have to export it and import it again into a different keystore to make it trusted. Can you show me the verbose listing of your keystore?

regards,

Karl

On Fri, Mar 27, 2009 at 5:31 PM, Omar MAHMOUD <[email protected]> wrote:
> no, I don't have a CA cert. I just made my cert via the keytool command.
> Is a CA cert required?
>
> regards.
>
> 2009/3/27 Karl Pauls <[email protected]>
>
>> Did you add your CA cert to the keystore as trusted?
>>
>> regards,
>>
>> Karl
>>
>> On Fri, Mar 27, 2009 at 9:28 AM, Omar MAHMOUD <[email protected]> wrote:
>> > Thank you very much for your reply.
>> >
>> > I am signing my bundle with a keystore that I have created, and which
>> > contains my school (organization field): ENIT.
>> > I tried with *, o=ENIT before and it doesn't work either.
>> > here is the output of jarsigner command:
>> >
>> > *jarsigner -keystore /home/mycompany/myKeystore.ks -verify -verbose -certs registerservice-1.0.jar
>> >
>> > 1386 Thu Mar 26 14:58:40 CET 2009 META-INF/MANIFEST.MF
>> > 880 Thu Mar 26 14:58:40 CET 2009 META-INF/OMARMAHM.SF
>> > 1035 Thu Mar 26 14:58:40 CET 2009 META-INF/OMARMAHM.DSA
>> > 0 Thu Mar 26 11:50:42 CET 2009 META-INF/
>> > 0 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/
>> > 0 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/com.mycompany.osgisecuritytuto/
>> > 0 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/com.**mycompany**.osgisecuritytuto/registerservice/
>> > smk 148 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/com.**mycompany**.osgisecuritytuto/registerservice/pom.properties
>> >
>> > X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>> > [certificate will expire on 24/06/09 13:10]
>> >
>> > smk 1804 Wed Feb 25 11:37:58 CET 2009 META-INF/maven/com.**mycompany**.osgisecuritytuto/registerservice/pom.xml
>> >
>> > X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>> > [certificate will expire on 24/06/09 13:10]
>> >
>> > 0 Thu Mar 26 11:50:42 CET 2009 com/
>> > 0 Thu Mar 26 11:50:42 CET 2009 com/**mycompany**/
>> > 0 Thu Mar 26 11:50:42 CET 2009 com/**mycompany**/osgisecuritytuto/
>> > 0 Thu Mar 26 11:50:42 CET 2009 com/**mycompany**/osgisecuritytuto/registerservice/
>> > 0 Thu Mar 26 11:50:42 CET 2009 com/**mycompany**/osgisecuritytuto/registerservice/iservice/
>> > smk 243 Thu Mar 26 11:50:40 CET 2009 com/**mycompany**/osgisecuritytuto/registerservice/iservice/GSMService.class
>> >
>> > X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>> > [certificate will expire on 24/06/09 13:10]
>> >
>> > 0 Thu Mar 26 11:50:42 CET 2009 com/**mycompany**/osgisecuritytuto/registerservice/service/
>> > smk 2307 Thu Mar 26 11:50:40 CET 2009 com/**mycompany**/osgisecuritytuto/registerservice/service/Activator.class
>> >
>> > X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>> > [certificate will expire on 24/06/09 13:10]
>> >
>> > smk 677 Thu Mar 26 11:50:40 CET 2009 com/**mycompany**/osgisecuritytuto/registerservice/service/NokiaGSMImpl.class
>> >
>> > X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>> > [certificate will expire on 24/06/09 13:10]
>> >
>> > 0 Thu Mar 26 11:50:42 CET 2009 util/
>> > smk 1617 Thu Mar 26 11:50:40 CET 2009 util/Util.class
>> >
>> > X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>> > [certificate will expire on 24/06/09 13:10]
>> >
>> >
>> > s = signature was verified
>> > m = entry is listed in manifest
>> > k = at least one certificate was found in keystore
>> > i = at least one certificate was found in identity scope
>> >
>> > jar verified.
>> >
>> > Warning:
>> > This jar contains entries whose signer certificate will expire within six months. *
>> >
>> > is there something wrong with the signature?
>> >
>> > Thank you very much for your help.
>> > Best regards.
>> > Omar MAHMOUD
>> >
>> > 2009/3/26 Karl Pauls <[email protected]>
>> >
>> >> Can you explain what kind of certificate (chain) you are trying to
>> >> match? The given filter:
>> >>
>> >> *; o=ENIT
>> >>
>> >> would match bundles that have been signed by any certificate that has
>> >> been signed by a CA that has a CN that _starts_ with o=ENIT. Not
>> >> impossible but maybe not what you wanted? In case what you wanted to
>> >> say is "if it is signed by a certificate that has o=ENIT in its CN"
>> >> then it should be:
>> >>
>> >> *, o=ENIT
>> >>
>> >> and if you want any certificate that has a CA that has o=ENIT
>> >> somewhere in its CN then you should use:
>> >>
>> >> *;*,o=ENIT
>> >>
>> >> Again, please give some more information about your certificates.
>> >>
>> >> regards,
>> >>
>> >> Karl
>> >>
>> >> On Thu, Mar 26, 2009 at 6:17 PM, Omar MAHMOUD <[email protected]> wrote:
>> >> > Hi All!!
>> >> >
>> >> > I'm working with OSGi security API under Felix.
>> >> > I wanted to test 4 bundles:
>> >> >
>> >> > 1-a bundle that manages the permissions.
>> >> > 2-RegisterService: a bundle that registers a service S.
>> >> > 3-GoodBundle: a signed bundle that consumes S.
>> >> > 4-MaliciousBundle: an unsigned bundle that attempts to consume S.
>> >> >
>> >> > I run Felix with run_felix.sh = *{java
>> >> > -Dfelix.config.properties=file:lib/felix/conf/config.properties
>> >> > -Dfelix.cache.profiledir=lib/felix/profile -Djava.security.manager
>> >> > -Djava.security.policy=lib/all.policy -Dfelix.keystore=file:/home/me/myKS.ks
>> >> > -Dfelix.keystore.pass=mypass -Dfelix.keystore.type=JKS -jar
>> >> > lib/felix/felix.jar}*
>> >> >
>> >> > The problem is that my 'GoodBundle' cannot get the service!
>> >> >
>> >> > It worked well when I substituted:
>> >> >
>> >> > *{m_signed = condPermAdmin.addConditionalPermissionInfo(new ConditionInfo[]{
>> >> > new ConditionInfo(BundleSignerCondition.class.getName(), new String[]{"* ; o=ENIT"})
>> >> > }, ALLPERMISSION_INFO);
>> >> > } *
>> >> >
>> >> > by
>> >> > *{m_signed = condPermAdmin.addConditionalPermissionInfo(new ConditionInfo[]{
>> >> > new ConditionInfo(BundleLocationCondition.class.getName(),
>> >> > new String[]{context.getBundle(7).getLocation()})
>> >> > }, ALLPERMISSION_INFO);
>> >> > }* (GoodBundle has id=7)
>> >> >
>> >> >
>> >> > So I doubted that there is something wrong with jar signing, but the command:
>> >> >
>> >> > *{jarsigner -keystore /home/me/myKS.ks GoodBundle-1.0.jar myAlias}*
>> >> >
>> >> > tells me that there is nothing wrong with the signature and all the
>> >> > fields appear as they are supposed to be.
>> >> >
>> >> > What might be the problem?
>> >> >
>> >> > Thank you very much in advance.
>> >> >
>> >>
>> >> --
>> >> Karl Pauls
>> >> [email protected]
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: [email protected]
>> >> For additional commands, e-mail: [email protected]
>> >>
>> >
>>
>> --
>> Karl Pauls
>> [email protected]
>>
>

--
Karl Pauls
[email protected]
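
The step suggested at the top of this message (export the self-signed certificate and import it into a different keystore so that it is stored as trusted), as an added shell example that is not part of the original e-mails. The function names, keystore paths and passwords are hypothetical; only standard keytool options are used, and JKS matches the `felix.keystore.type` in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): copy a self-signed signer certificate
# into a separate keystore as a trusted entry. Keystore paths, aliases and
# passwords are caller-supplied assumptions; -J-Duser.language=en pins the
# keytool output language so the field names below can be parsed.

# Print one field ("Owner", "Issuer", "Entry type") of an alias's verbose listing.
ks_field() {  # KEYSTORE STOREPASS ALIAS FIELD
    keytool -J-Duser.language=en -list -v -keystore "$1" -storepass "$2" -alias "$3" |
        sed -n "s/^$4: //p" | head -n 1
}

# Succeeds when the certificate's issuer DN equals its own subject DN, which is
# how a keytool-generated certificate with no CA behind it shows up.
is_self_signed() {  # KEYSTORE STOREPASS ALIAS
    owner=$(ks_field "$1" "$2" "$3" Owner)
    issuer=$(ks_field "$1" "$2" "$3" Issuer)
    [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

# Export only the certificate (never the private key) from the signing keystore
# and import it into TRUST_KS, where it is stored as a trustedCertEntry.
trust_signer_cert() {  # SIGN_KS SIGN_PASS ALIAS TRUST_KS TRUST_PASS
    cert=$(mktemp) || return 1
    if keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$cert" &&
       keytool -importcert -noprompt -storetype JKS -keystore "$4" -storepass "$5" \
               -alias "$3" -file "$cert"
    then rc=0; else rc=1; fi
    rm -f "$cert"
    return "$rc"
}

# Typical use (placeholder paths and passwords):
#   is_self_signed signing.ks "$PASS" myAlias && \
#       trust_signer_cert signing.ks "$PASS" myAlias trusted.ks "$TRUST_PASS"
#   keytool -list -v -keystore trusted.ks -storepass "$TRUST_PASS"
```

In the verbose listing, the signing keystore shows the alias as `PrivateKeyEntry` while the new keystore shows it as `trustedCertEntry`, which is the difference the requested `keytool -list -v` output would reveal.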

