ok,
here is the output of the command (sorry for the French):

keytool -list -keystore /home/mycompany/keystoreHope.ks -alias omarmahmoud
Tapez le mot de passe du Keystore :
omarmahmoud, 26 mars 2009, PrivateKeyEntry,
Empreinte du certificat (MD5) : 1D:6A:97:3D:2A:6F:DB:20:2D:8D:CA:2A:42:5E:60:8C

I made a new empty keystore and imported the certificate into it:

keytool -list -keystore keystoreA
Tapez le mot de passe du Keystore :

Type Keystore : JKS
Fournisseur Keystore : SUN

Votre Keystore contient 2 entrée(s)

omar, 27 mars 2009, trustedCertEntry,
Empreinte du certificat (MD5) : 1D:6A:97:3D:2A:6F:DB:20:2D:8D:CA:2A:42:5E:60:8C

but I couldn't sign my bundles with it:

jarsigner: Certificate chain not found for: omar. omar must reference a
valid KeyStore key entry containing a private key and corresponding public
key certificate chain.

I really appreciate your help.
Regards.

2009/3/27 Karl Pauls <[email protected]>

> Well, it is a self signed cert then right? That is still ok but you
> probably will have to export it and import it again into a different
> keystore to make it trusted. Can you show me the verbose listing of
> your keystore?
>
> regards,
>
> Karl
>
> On Fri, Mar 27, 2009 at 5:31 PM, Omar MAHMOUD <[email protected]>
> wrote:
> > no, I don't have a CA cert. I just made my cert via the keytool command.
> > Is a CA cert required?
> >
> > regards.
> >
> > 2009/3/27 Karl Pauls <[email protected]>
> >
> >> Did you add your CA cert to the keystore as trusted?
> >>
> >> regards,
> >>
> >> Karl
> >>
> >> On Fri, Mar 27, 2009 at 9:28 AM, Omar MAHMOUD <[email protected]>
> >> wrote:
> >> > Thank you very much for your reply.
> >> >
> >> > I am signing my bundle with a keystore that I have created, and which
> >> > contains my school (organization field): ENIT.
> >> > I tried with *, o=ENIT before and it doesn't work either.
> >> > here is the output of jarsigner command:
> >> >
> >> > jarsigner -keystore /home/mycompany/myKeystore.ks -verify -verbose -certs registerservice-1.0.jar
> >> >
> >> >      1386 Thu Mar 26 14:58:40 CET 2009 META-INF/MANIFEST.MF
> >> >       880 Thu Mar 26 14:58:40 CET 2009 META-INF/OMARMAHM.SF
> >> >      1035 Thu Mar 26 14:58:40 CET 2009 META-INF/OMARMAHM.DSA
> >> >         0 Thu Mar 26 11:50:42 CET 2009 META-INF/
> >> >         0 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/
> >> >         0 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/com.mycompany.osgisecuritytuto/
> >> >         0 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/com.mycompany.osgisecuritytuto/registerservice/
> >> > smk   148 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/com.mycompany.osgisecuritytuto/registerservice/pom.properties
> >> >
> >> >       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
> >> >       [certificate will expire on 24/06/09 13:10]
> >> >
> >> > smk  1804 Wed Feb 25 11:37:58 CET 2009 META-INF/maven/com.mycompany.osgisecuritytuto/registerservice/pom.xml
> >> >
> >> >       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
> >> >       [certificate will expire on 24/06/09 13:10]
> >> >
> >> >         0 Thu Mar 26 11:50:42 CET 2009 com/
> >> >         0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/
> >> >         0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/osgisecuritytuto/
> >> >         0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/osgisecuritytuto/registerservice/
> >> >         0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/osgisecuritytuto/registerservice/iservice/
> >> > smk   243 Thu Mar 26 11:50:40 CET 2009 com/mycompany/osgisecuritytuto/registerservice/iservice/GSMService.class
> >> >
> >> >       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
> >> >       [certificate will expire on 24/06/09 13:10]
> >> >
> >> >         0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/osgisecuritytuto/registerservice/service/
> >> > smk  2307 Thu Mar 26 11:50:40 CET 2009 com/mycompany/osgisecuritytuto/registerservice/service/Activator.class
> >> >
> >> >       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
> >> >       [certificate will expire on 24/06/09 13:10]
> >> >
> >> > smk   677 Thu Mar 26 11:50:40 CET 2009 com/mycompany/osgisecuritytuto/registerservice/service/NokiaGSMImpl.class
> >> >
> >> >       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
> >> >       [certificate will expire on 24/06/09 13:10]
> >> >
> >> >         0 Thu Mar 26 11:50:42 CET 2009 util/
> >> > smk  1617 Thu Mar 26 11:50:40 CET 2009 util/Util.class
> >> >
> >> >       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
> >> >       [certificate will expire on 24/06/09 13:10]
> >> >
> >> >
> >> >   s = signature was verified
> >> >   m = entry is listed in manifest
> >> >   k = at least one certificate was found in keystore
> >> >   i = at least one certificate was found in identity scope
> >> >
> >> > jar verified.
> >> >
> >> > Warning:
> >> > This jar contains entries whose signer certificate will expire within six months.
> >> >
> >> > is there something wrong with the signature?
> >> >
> >> > Thank you very much for your help.
> >> > Best regards.
> >> > Omar MAHMOUD
> >> >
> >> > 2009/3/26 Karl Pauls <[email protected]>
> >> >
> >> >> Can you explain what kind of certificate (chain) you are trying to
> >> >> match? The given filter:
> >> >>
> >> >> *; o=ENIT
> >> >>
> >> >> would match bundles that have been signed by any certificate that has
> >> >> been signed by a CA that has a CN that _starts_ with o=ENIT. Not
> >> >> impossible but maybe not what you wanted? In case what you wanted to
> >> >> say is "if it is signed by a certificate that has o=ENIT in its CN
> >> >> then it should be:
> >> >>
> >> >> *, o=ENIT
> >> >>
> >> >> and if you want any certificate that has a CA that has o=ENIT
> >> >> somewhere in its CN then you should use:
> >> >>
> >> >> *;*,o=ENIT
> >> >>
> >> >> Again, please give some more information about your certificates.
> >> >>
> >> >> regards,
> >> >>
> >> >> Karl
> >> >>
> >> >> On Thu, Mar 26, 2009 at 6:17 PM, Omar MAHMOUD <[email protected]>
> >> >> wrote:
> >> >> > Hi All!!
> >> >> >
> >> >> > I'm working with OSGi security API under Felix.
> >> >> > I wanted to test 4 bundles:
> >> >> >
> >> >> > 1-a bundle that manages the permissions.
> >> >> > 2-RegisterService: a bundle that registers a service S.
> >> >> > 3-GoodBundle: a signed bundle that consumes S.
> >> >> > 4-MaliciousBundle: an unsigned bundle that attempts to consume S.
> >> >> >
> >> >> > I run Felix with run_felix.sh = {java
> >> >> > -Dfelix.config.properties=file:lib/felix/conf/config.properties
> >> >> > -Dfelix.cache.profiledir=lib/felix/profile
> >> >> > -Djava.security.manager
> >> >> > -Djava.security.policy=lib/all.policy
> >> >> > -Dfelix.keystore=file:/home/me/myKS.ks
> >> >> > -Dfelix.keystore.pass=mypass
> >> >> > -Dfelix.keystore.type=JKS
> >> >> > -jar lib/felix/felix.jar}
> >> >> >
> >> >> > The problem is that my 'GoodBundle' cannot get the service!
> >> >> >
> >> >> > It worked well when I substituted:
> >> >> >
> >> >> > {m_signed = condPermAdmin.addConditionalPermissionInfo(new ConditionInfo[]{
> >> >> >     new ConditionInfo(BundleSignerCondition.class.getName(),
> >> >> >         new String[]{"* ; o=ENIT"})
> >> >> > }, ALLPERMISSION_INFO);
> >> >> > }
> >> >> >
> >> >> > by
> >> >> > {m_signed = condPermAdmin.addConditionalPermissionInfo(new ConditionInfo[]{
> >> >> >     new ConditionInfo(BundleLocationCondition.class.getName(),
> >> >> >         new String[]{context.getBundle(7).getLocation()})
> >> >> > }, ALLPERMISSION_INFO);
> >> >> > } (GoodBundle has id=7)
> >> >> >
> >> >> >
> >> >> > So I doubted that there is something wrong with jarsigning, but the
> >> >> > command:
> >> >> >
> >> >> > {jarsigner -keystore /home/me/myKS.ks GoodBundle-1.0.jar myAlias}
> >> >> >
> >> >> > tells me that there is nothing wrong with the signature and all the
> >> >> > fields appear as they are supposed to be.
> >> >> >
> >> >> > What might be the problem?
> >> >> >
> >> >> > Thank you very much in advance.
> >> >> >
> >> >>
> >> >> --
> >> >> Karl Pauls
> >> >> [email protected]
> >> >>
> >> >> ---------------------------------------------------------------------
> >> >> To unsubscribe, e-mail: [email protected]
> >> >> For additional commands, e-mail: [email protected]
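
The two keytool listings in the newest message differ in entry type: PrivateKeyEntry in the original keystore, trustedCertEntry in the new one. The shell functions below are an added example, not code from the thread or from the Felix project; they build one keystore of each kind and check which of them jarsigner can sign with. The alias, file names and password are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. Alias, file names and password are constructed placeholders.

# Print the entry type keytool reports for <alias>. The type tokens are not
# localized: the French listings in the thread still show them verbatim.
entry_type() {  # usage: entry_type <keystore> <storepass> <alias>
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
    grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Create <dir>/sign.ks (key pair, used only with jarsigner) and
# <dir>/trust.ks (exported certificate only, the "different keystore").
make_keystores() {  # usage: make_keystores <dir> <storepass>
  keytool -genkeypair -alias signer -keyalg RSA -keysize 2048 -validity 90 \
      -dname "CN=Example Signer, OU=TIC, O=ENIT, C=TN" \
      -keystore "$1/sign.ks" -storepass "$2" -keypass "$2" >/dev/null 2>&1 &&
  keytool -exportcert -rfc -alias signer -keystore "$1/sign.ks" \
      -storepass "$2" -file "$1/signer.pem" >/dev/null 2>&1 &&
  keytool -importcert -noprompt -alias signer -file "$1/signer.pem" \
      -keystore "$1/trust.ks" -storepass "$2" >/dev/null 2>&1
}

# jarsigner needs an alias holding a private key plus its certificate chain;
# a trustedCertEntry alias gives "Certificate chain not found".
can_sign() {  # usage: can_sign <keystore> <storepass> <alias>
  [ "$(entry_type "$1" "$2" "$3")" = "PrivateKeyEntry" ]
}

# Demo: run as  ./keystores.sh demo
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d) && make_keystores "$dir" changeit || exit 1
  for ks in sign.ks trust.ks; do
    if can_sign "$dir/$ks" changeit signer; then verdict="usable with jarsigner"
    else verdict="trust/verification only"; fi
    echo "$ks: $(entry_type "$dir/$ks" changeit signer) -> $verdict"
  done
  rm -rf "$dir"
fi
```

Following the suggestion quoted in the thread, bundles are signed with the keystore that holds the private key, and the certificate-only keystore is the one to pass as -Dfelix.keystore.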

