Well, to sign bundles you need the key. To verify bundles, you need the certificate.

regards,

Karl

On Fri, Mar 27, 2009 at 6:26 PM, Omar MAHMOUD <[email protected]> wrote:
> The new keystore I've made is initially empty.
> Is the fact of importing the cert file sufficient to let me sign bundles
> with it?
> Because I couldn't do that.
>
> regards
>
> 2009/3/27 Omar MAHMOUD <[email protected]>
>
>> yes, I updated the run_felix.sh file.
>>
>> 2009/3/27 Karl Pauls <[email protected]>
>>
>>> Did you try to use your new keystore with the imported cert to be the
>>> keystore the framework uses (i.e., the -Dfelix.keystore)?
>>>
>>> regards,
>>>
>>> Karl
>>>
>>> On Fri, Mar 27, 2009 at 6:06 PM, Omar MAHMOUD <[email protected]> wrote:
>>> > ok,
>>> >
>>> > here is the output of the command (sorry for the French):
>>> >
>>> > keytool -list -keystore /home/mycompany/keystoreHope.ks -alias omarmahmoud
>>> > Tapez le mot de passe du Keystore :
>>> > omarmahmoud, 26 mars 2009, PrivateKeyEntry,
>>> > Empreinte du certificat (MD5) :
>>> > 1D:6A:97:3D:2A:6F:DB:20:2D:8D:CA:2A:42:5E:60:8C
>>> >
>>> > I made a new empty keystore and imported the certificate into it:
>>> >
>>> > keytool -list -keystore keystoreA
>>> > Tapez le mot de passe du Keystore :
>>> >
>>> > Type Keystore : JKS
>>> > Fournisseur Keystore : SUN
>>> >
>>> > Votre Keystore contient 2 entrée(s)
>>> >
>>> > omar, 27 mars 2009, trustedCertEntry,
>>> > Empreinte du certificat (MD5) :
>>> > 1D:6A:97:3D:2A:6F:DB:20:2D:8D:CA:2A:42:5E:60:8C
>>> >
>>> > but I couldn't sign my bundles with it:
>>> >
>>> > jarsigner: Certificate chain not found for: omar. omar must reference a
>>> > valid KeyStore key entry containing a private key and corresponding public
>>> > key certificate chain.
>>> >
>>> > I really appreciate your help.
>>> >
>>> > Regards.
>>> >
>>> > 2009/3/27 Karl Pauls <[email protected]>
>>> >
>>> >> Well, it is a self signed cert then right? That is still ok but you
>>> >> probably will have to export it and import it again into a different
>>> >> keystore to make it trusted. Can you show me the verbose listing of
>>> >> your keystore?
>>> >>
>>> >> regards,
>>> >>
>>> >> Karl
>>> >>
>>> >> On Fri, Mar 27, 2009 at 5:31 PM, Omar MAHMOUD <[email protected]> wrote:
>>> >> > no, I don't have a CA cert. I just made my cert via the keytool command.
>>> >> > Is a CA cert required?
>>> >> >
>>> >> > regards.
>>> >> >
>>> >> > 2009/3/27 Karl Pauls <[email protected]>
>>> >> >
>>> >> >> Did you add your CA cert to the keystore as trusted?
>>> >> >>
>>> >> >> regards,
>>> >> >>
>>> >> >> Karl
>>> >> >>
>>> >> >> On Fri, Mar 27, 2009 at 9:28 AM, Omar MAHMOUD <[email protected]> wrote:
>>> >> >> > Thank you very much for your reply.
>>> >> >> >
>>> >> >> > I am signing my bundle with a keystore that I have created, and which
>>> >> >> > contains my school (organization field): ENIT.
>>> >> >> > I tried with *, o=ENIT before and it doesn't work either.
>>> >> >> > here is the output of jarsigner command:
>>> >> >> >
>>> >> >> > jarsigner -keystore /home/mycompany/myKeystore.ks -verify -verbose -certs registerservice-1.0.jar
>>> >> >> >
>>> >> >> >         1386 Thu Mar 26 14:58:40 CET 2009 META-INF/MANIFEST.MF
>>> >> >> >          880 Thu Mar 26 14:58:40 CET 2009 META-INF/OMARMAHM.SF
>>> >> >> >         1035 Thu Mar 26 14:58:40 CET 2009 META-INF/OMARMAHM.DSA
>>> >> >> >            0 Thu Mar 26 11:50:42 CET 2009 META-INF/
>>> >> >> >            0 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/
>>> >> >> >            0 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/com.mycompany.osgisecuritytuto/
>>> >> >> >            0 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/com.mycompany.osgisecuritytuto/registerservice/
>>> >> >> > smk      148 Thu Mar 26 11:50:42 CET 2009 META-INF/maven/com.mycompany.osgisecuritytuto/registerservice/pom.properties
>>> >> >> >
>>> >> >> >       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>>> >> >> >       [certificate will expire on 24/06/09 13:10]
>>> >> >> >
>>> >> >> > smk     1804 Wed Feb 25 11:37:58 CET 2009 META-INF/maven/com.mycompany.osgisecuritytuto/registerservice/pom.xml
>>> >> >> >
>>> >> >> >       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>>> >> >> >       [certificate will expire on 24/06/09 13:10]
>>> >> >> >
>>> >> >> >            0 Thu Mar 26 11:50:42 CET 2009 com/
>>> >> >> >            0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/
>>> >> >> >            0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/osgisecuritytuto/
>>> >> >> >            0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/osgisecuritytuto/registerservice/
>>> >> >> >            0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/osgisecuritytuto/registerservice/iservice/
>>> >> >> > smk      243 Thu Mar 26 11:50:40 CET 2009 com/mycompany/osgisecuritytuto/registerservice/iservice/GSMService.class
>>> >> >> >
>>> >> >> >       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>>> >> >> >       [certificate will expire on 24/06/09 13:10]
>>> >> >> >
>>> >> >> >            0 Thu Mar 26 11:50:42 CET 2009 com/mycompany/osgisecuritytuto/registerservice/service/
>>> >> >> > smk     2307 Thu Mar 26 11:50:40 CET 2009 com/mycompany/osgisecuritytuto/registerservice/service/Activator.class
>>> >> >> >
>>> >> >> >       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>>> >> >> >       [certificate will expire on 24/06/09 13:10]
>>> >> >> >
>>> >> >> > smk      677 Thu Mar 26 11:50:40 CET 2009 com/mycompany/osgisecuritytuto/registerservice/service/NokiaGSMImpl.class
>>> >> >> >
>>> >> >> >       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>>> >> >> >       [certificate will expire on 24/06/09 13:10]
>>> >> >> >
>>> >> >> >            0 Thu Mar 26 11:50:42 CET 2009 util/
>>> >> >> > smk     1617 Thu Mar 26 11:50:40 CET 2009 util/Util.class
>>> >> >> >
>>> >> >> >       X.509, CN=Omar MAHMOUD, OU=TIC, O=ENIT, L=Beni Khalled, ST=Nabeul, C=TN (omarmahmoud)
>>> >> >> >       [certificate will expire on 24/06/09 13:10]
>>> >> >> >
>>> >> >> >   s = signature was verified
>>> >> >> >   m = entry is listed in manifest
>>> >> >> >   k = at least one certificate was found in keystore
>>> >> >> >   i = at least one certificate was found in identity scope
>>> >> >> >
>>> >> >> > jar verified.
>>> >> >> >
>>> >> >> > Warning:
>>> >> >> > This jar contains entries whose signer certificate will expire within six
>>> >> >> > months.
>>> >> >> >
>>> >> >> > is there something wrong with the signature?
>>> >> >> >
>>> >> >> > Thank you very much for your help.
>>> >> >> > Best regards.
>>> >> >> > Omar MAHMOUD
>>> >> >> >
>>> >> >> > 2009/3/26 Karl Pauls <[email protected]>
>>> >> >> >
>>> >> >> >> Can you explain what kind of certificate (chain) you are trying to
>>> >> >> >> match? The given filter:
>>> >> >> >>
>>> >> >> >> *; o=ENIT
>>> >> >> >>
>>> >> >> >> would match bundles that have been signed by any certificate that has
>>> >> >> >> been signed by a CA that has a CN that _starts_ with o=ENIT. Not
>>> >> >> >> impossible but maybe not what you wanted? In case what you wanted to
>>> >> >> >> say is "if it is signed by a certificate that has o=ENIT in its CN"
>>> >> >> >> then it should be:
>>> >> >> >>
>>> >> >> >> *, o=ENIT
>>> >> >> >>
>>> >> >> >> and if you want any certificate that has a CA that has o=ENIT
>>> >> >> >> somewhere in its CN then you should use:
>>> >> >> >>
>>> >> >> >> *;*,o=ENIT
>>> >> >> >>
>>> >> >> >> Again, please give some more information about your certificates.
>>> >> >> >>
>>> >> >> >> regards,
>>> >> >> >>
>>> >> >> >> Karl
>>> >> >> >>
>>> >> >> >> On Thu, Mar 26, 2009 at 6:17 PM, Omar MAHMOUD <[email protected]> wrote:
>>> >> >> >> > Hi All!!
>>> >> >> >> >
>>> >> >> >> > I'm working with OSGi security API under Felix.
>>> >> >> >> > I wanted to test 4 bundles:
>>> >> >> >> >
>>> >> >> >> > 1-a bundle that manages the permissions.
>>> >> >> >> > 2-RegisterService: a bundle that registers a service S.
>>> >> >> >> > 3-GoodBundle: a signed bundle that consumes S.
>>> >> >> >> > 4-MaliciousBundle: an unsigned bundle that attempts to consume S.
>>> >> >> >> >
>>> >> >> >> > I run Felix with run_felix.sh =
>>> >> >> >> > {java -Dfelix.config.properties=file:lib/felix/conf/config.properties
>>> >> >> >> >   -Dfelix.cache.profiledir=lib/felix/profile -Djava.security.manager
>>> >> >> >> >   -Djava.security.policy=lib/all.policy -Dfelix.keystore=file:/home/me/myKS.ks
>>> >> >> >> >   -Dfelix.keystore.pass=mypass -Dfelix.keystore.type=JKS -jar
>>> >> >> >> >   lib/felix/felix.jar}
>>> >> >> >> >
>>> >> >> >> > The problem is that my 'GoodBundle' cannot get the service!
>>> >> >> >> >
>>> >> >> >> > It worked well when I substituted:
>>> >> >> >> >
>>> >> >> >> > {m_signed = condPermAdmin.addConditionalPermissionInfo(new ConditionInfo[]{
>>> >> >> >> >     new ConditionInfo(BundleSignerCondition.class.getName(),
>>> >> >> >> >         new String[]{"* ; o=ENIT"})
>>> >> >> >> > }, ALLPERMISSION_INFO);
>>> >> >> >> > }
>>> >> >> >> >
>>> >> >> >> > by
>>> >> >> >> >
>>> >> >> >> > {m_signed = condPermAdmin.addConditionalPermissionInfo(new ConditionInfo[]{
>>> >> >> >> >     new ConditionInfo(BundleLocationCondition.class.getName(),
>>> >> >> >> >         new String[]{context.getBundle(7).getLocation()})
>>> >> >> >> > }, ALLPERMISSION_INFO);
>>> >> >> >> > } (GoodBundle has id=7)
>>> >> >> >> >
>>> >> >> >> > So I doubted that there is something wrong with jar signing, but the
>>> >> >> >> > command:
>>> >> >> >> >
>>> >> >> >> > {jarsigner -keystore /home/me/myKS.ks GoodBundle-1.0.jar myAlias}
>>> >> >> >> >
>>> >> >> >> > tells me that there is nothing wrong with the signature and all the
>>> >> >> >> > fields appear as they are supposed to be.
>>> >> >> >> >
>>> >> >> >> > What might be the problem?
>>> >> >> >> >
>>> >> >> >> > Thank you very much in advance.
>>> >> >> >> >
>>> >> >> >>
>>> >> >> >> --
>>> >> >> >> Karl Pauls
>>> >> >> >> [email protected]
>>> >> >> >>
>>> >> >> >> ---------------------------------------------------------------------
>>> >> >> >> To unsubscribe, e-mail: [email protected]
>>> >> >> >> For additional commands, e-mail: [email protected]
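
The distinction the thread arrives at (a `PrivateKeyEntry` is needed to sign, a `trustedCertEntry` is enough to verify), shown as an added example that is not part of the original messages. The keystore file names, the password `changeit` and the certificate DN are constructed for illustration; the alias `omar` is borrowed from the thread.

```shell
#!/bin/sh
# Added illustration; keystore names, password and DN below are constructed.
PASS=changeit

# Print the entry type keytool reports for alias $2 in keystore $1.
entry_type() {
    keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null |
        grep -o -E 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Run a command quietly and print "ok" or "fail" according to its exit status.
try() { if "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi; }

demo() {
    for tool in keytool jarsigner jar; do
        command -v "$tool" >/dev/null 2>&1 || { echo "JDK tool missing: $tool" >&2; return 2; }
    done
    d=$(mktemp -d) || return 1
    # Signing keystore: key pair plus self-signed certificate (a PrivateKeyEntry).
    keytool -genkeypair -alias omar -keyalg RSA -keysize 2048 -validity 90 \
        -dname "CN=Example Signer, O=ENIT, C=TN" -keystore "$d/signer.ks" \
        -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1 || return 1
    # Trust keystore: only the exported certificate (a trustedCertEntry).
    keytool -exportcert -alias omar -file "$d/omar.cer" \
        -keystore "$d/signer.ks" -storepass "$PASS" >/dev/null 2>&1 || return 1
    keytool -importcert -noprompt -alias omar -file "$d/omar.cer" \
        -keystore "$d/trust.ks" -storepass "$PASS" >/dev/null 2>&1 || return 1
    SIGNER_TYPE=$(entry_type "$d/signer.ks" omar)
    TRUST_TYPE=$(entry_type "$d/trust.ks" omar)
    # A minimal jar standing in for a bundle.
    mkdir "$d/content" && echo demo > "$d/content/a.txt"
    jar cf "$d/bundle.jar" -C "$d/content" . || return 1
    cp "$d/bundle.jar" "$d/copy.jar"
    # Signing needs the private key, so the certificate-only keystore fails.
    SIGN_WITH_TRUST=$(try jarsigner -keystore "$d/trust.ks" -storepass "$PASS" "$d/copy.jar" omar)
    SIGN_WITH_KEY=$(try jarsigner -keystore "$d/signer.ks" -storepass "$PASS" "$d/bundle.jar" omar)
    # Verification needs only the certificate.
    VERIFY_WITH_TRUST=$(try jarsigner -verify -keystore "$d/trust.ks" -storepass "$PASS" "$d/bundle.jar")
    rm -rf "$d"
    echo "signer.ks: $SIGNER_TYPE  trust.ks: $TRUST_TYPE"
    echo "sign(trust.ks)=$SIGN_WITH_TRUST sign(signer.ks)=$SIGN_WITH_KEY verify(trust.ks)=$VERIFY_WITH_TRUST"
}
```

Source the file and call `demo`; it returns 2 without doing anything when the JDK tools are not on the PATH.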

