PKCS7Processor only trusts root CAs [message #94583] Wed, 08 August 2007 13:05
Eclipse User
Originally posted by: beat.strasser.inventage.com

Hi there,

When installing new features (in RCP application, Eclipse 3.2.2), I'd like
to trust only signed JARs. The JARs are signed with a certificate A, and
the cert A is issued by the root CA B. So, subject != issuer in
certificate A.

I'd only like to trust A, so my keystore only contains the public cert A.

Now the org.eclipse.osgi.internal.verifier.PKCS7Processor looks
at the JAR's certificate chain and unfortunately picks the first
certificate where the subject equals the issuer. In my example this is the
root CA cert B. It's looked up in the keystore and is not found. The JAR
gets marked as untrusted.

Is there a reason why the subject must equal the issuer? This is only the
case for root CAs and I certainly don't want to add the root CA. So, is
this a bug or did I miss anything?

TIA,
Beat

Re: PKCS7Processor only trusts root CAs [message #95306 is a reply to message #94583] Mon, 20 August 2007 16:39
Eric W Li
Beat Strasser wrote:
> Hi there,
>
> When installing new features (in RCP application, Eclipse 3.2.2), I'd like
> to trust only signed JARs. The JARs are signed with a certificate A, and
> the cert A is issued by the root CA B. So, subject != issuer in
> certificate A.
>
> I'd only like to trust A, so my keystore only contains the public cert A.
>
> Now the org.eclipse.osgi.internal.verifier.PKCS7Processor looks
> at the JAR's certificate chain and unfortunately picks the first
> certificate where the subject equals the issuer. In my example this is the
> root CA cert B. It's looked up in the keystore and is not found. The JAR
> gets marked as untrusted.
>
> Is there a reason why the subject must equal the issuer? This is only the
> case for root CAs and I certainly don't want to add the root CA. So, is
> this a bug or did I miss anything?
>
> TIA,
> Beat

When checking the trust for the certificate chain, the
org.eclipse.osgi.internal.verifier.DefaultTrustAuthority only checks for
the root certificate. This is because most well-known CA roots reside
in the cacerts file. You can change this behavior by implementing the
org.eclipse.osgi.internal.provisional.verifier.CertificateTrustAuthority
interface and registering your custom CertificateTrustAuthority through
an OSGi service.

-eric
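
The behaviour discussed in this thread, as an added example that is not Equinox code and not from either poster: a trust check that accepts a chain when any certificate in it, not only the self-signed root, is present in the keystore. The class and method names are hypothetical, and the wiring into a CertificateTrustAuthority implementation is left out because the thread does not show that interface's methods.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Hypothetical helper (not Equinox code): trust a chain if ANY of its certificates is pinned.
public final class PinnedChainCheck {
    // Walks from the signer (index 0) toward the root and returns the keystore alias of the first
    // pinned certificate. Every certificate below that anchor must be signed by the next one up.
    public static String findTrustAnchor(Certificate[] chain, KeyStore pinned)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        for (int i = 0; i < chain.length; i++) {
            if (!(chain[i] instanceof X509Certificate)) {
                throw new CertificateException("not an X.509 certificate at index " + i);
            }
            X509Certificate cert = (X509Certificate) chain[i];
            try {
                cert.checkValidity(); // policy choice: must be valid at the current time
                String alias = pinned.getCertificateAlias(cert); // exact-match lookup
                if (alias != null) return alias; // anchor found; nothing above it must be trusted
                if (i + 1 < chain.length) {
                    cert.verify(chain[i + 1].getPublicKey()); // link to its issuer
                }
            } catch (GeneralSecurityException e) {
                throw new CertificateException("chain rejected at index " + i, e);
            }
        }
        throw new CertificateException("no certificate in the chain is pinned");
    }
    // Usage: java PinnedChainCheck <keystore> <password> <PEM chain file, signer first>
    public static void main(String[] args) throws Exception {
        KeyStore pinned = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            pinned.load(in, args[1].toCharArray());
        }
        try (InputStream in = new FileInputStream(args[2])) {
            Certificate[] chain = CertificateFactory.getInstance("X.509")
                    .generateCertificates(in).toArray(new Certificate[0]);
            System.out.println("trusted via alias: " + findTrustAnchor(chain, pinned));
        }
    }
}
```

With a keystore that holds only certificate A, a chain of A followed by root B is accepted at index 0, and B is never looked up.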