If you want to simplify, you also have to simplify your DN on the certs.
Just picking a part doesn't work. You would need to use wildcards for that
(see the spec).

I think you need to convert your private key entry into a trusted cert
entry:

$ keytool -export -v -keystore keys.ks -alias aliasname -file aliasname.cert -storepass foobar -keypass barbaz

$ keytool -import -v -keystore certificates.ks -alias aliasname.cert -file core.cert -storepass foobar -keypass barbaz

regards,

Karl

On Thu, Jan 23, 2014 at 2:48 PM, felixandre <[email protected]> wrote:

> Well, there was the missing comma, but I had also tried simplifying it as
> much as possible (i.e.:
> /[org.osgi.service.condpermadmin.BundleSignerCondition "O=xxx"]/) and
> checking the signer with only this field, but without success, that is, no
> authorization for the signed bundle.
> Indeed, correcting the entire DN chain by adding the missing comma has the
> weird effect of also allowing the not-signed bundle to read and write!
>
> I tried the keytool command as you suggested and this is what I got:
>
> /Keystore type: JKS
> Keystore provider : SUN
>
> The keystore has 1 entry
>
> aliasname, 16-gen-2014, PrivateKeyEntry,
> fingerprint  (SHA1): .../
>
> The command I used to generate the Self-signed certificate is:
>
> /keytool -genkey -keyalg RSA -alias aliasname -keystore myks.jks -storepass mypwd -validity 360 -keysize 2048/
>
> and then I signed the bundles with the option of the Eclipse Export
> procedure.
>
> Andrea
>
> (Could you, please, mask the DN chain fields in the quoted post? I forgot
> to do it in one post :-| )


-- 
Karl Pauls
[email protected]
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls
