Skip to main content


Eclipse Community Forums

      Home
Home » Eclipse Projects » Equinox » PKCS7Processor only trusts root CAs
PKCS7Processor only trusts root CAs [message #94583] Wed, 08 August 2007 09:05 Go to next message
Eclipse UserFriend
Originally posted by: beat.strasser.inventage.com

Hi there,

When installing new features (in RCP application, Eclipse 3.2.2), I'd like
to trust only signed JARs. The JARs are signed with a certificate A, and
the cert A is issued by the root CA B. So, subject != issuer in
certificate A.

I only like to trust A, so my keystore only contains the public cert A.

Now the org.eclipse.osgi.internal.verifier.PKCS7Processor looks
at the JAR's certificate chain and unfortunately picks the first
certificate where the subject equals the issuer. In my example this is the
root CA cert B. It's looked up in the keystore and is not found. The JAR
gets marked as untrusted.

Is there a reason why the subject must equal the issuer? This is only the
case for root CA's and I certainly don't want to add the root CA. So, is
this a bug or did I miss anything?

TIA,
Beat
Re: PKCS7Processor only trusts root CAs [message #95306 is a reply to message #94583] Mon, 20 August 2007 12:39 Go to previous message
Eclipse UserFriend
Beat Strasser wrote:
> Hi there,
>
> When installing new features (in RCP application, Eclipse 3.2.2), I'd like
> to trust only signed JARs. The JARs are signed with a certificate A, and
> the cert A is issued by the root CA B. So, subject != issuer in
> certificate A.
>
> I only like to trust A, so my keystore only contains the public cert A.
>
> Now the org.eclipse.osgi.internal.verifier.PKCS7Processor looks
> at the JAR's certificate chain and unfortunately picks the first
> certificate where the subject equals the issuer. In my example this is the
> root CA cert B. It's looked up in the keystore and is not found. The JAR
> gets marked as untrusted.
>
> Is there a reason why the subject must equal the issuer? This is only the
> case for root CA's and I certainly don't want to add the root CA. So, is
> this a bug or did I miss anything?
>
> TIA,
> Beat

When checking the trust for the certificate chain, the
org.eclipse.osgi.internal.verifier.DefaultTrustAuthority only checks for
the root certificate. This is because most well-known CA roots reside
in the cacerts file. You can change this behavior by implementing the
org.eclipse.osgi.internal.provisional.verifier.CertificateTr ustAuthority
interface and register your custom CertificateTrustAuthority through
OSGI service.

-eric
Previous Topic:Thread property in Extension-Point org.eclipse.core.runtime.applications
Next Topic:RESTful services
Goto Forum:
  


Current Time: Sat May 10 11:46:04 EDT 2025

Powered by FUDForum. Page generated in 0.02380 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly