[equinox-dev] Bundle Verification using custom TrustEngine

Hello,
I am trying to use the signed content functionality in equinox to verify
all bundles at load time.
After patching Eclipse 3.4 org.eclipse.osgi system bundle to include the
patch (https://bugs.eclipse.org/bugs/show_bug.cgi?id=252098)
I am able to do this out of the box using the following properties:
 -Dosgi.signedcontent.support=all
 -Dosgi.clean=true
 -Dosgi.signedcontent.authorization.engine.policy=validity
 -Dosgi.framework.keystore=file:/C:/myData/myKeystore
with a local keystore. All jars are signed in the exported product plugin
directory, so eclipse jars are signed (at least) twice, and my custom
ones once.
This seems to work fine now (I did a couple of tests replacing signed
jars with unsigned ones etc...).

My aim is to use a custom trust engine to be able to verify certificate
trust independent of a local keystore.
This is not working. Trying to track down why, I am using a copy of
KeyStoreTrustEngine named CECKeyStoreTrustEngine. This class is
registered via a custom Adaptor Hook as an OSGi service. I have confirmed
that the service is registered and started via sysout and use the
following properties to activate it:
 -Dosgi.signedcontent.trust.engine=CECKeyStoreTrustEngine
 -Dosgi.framework.extensions=cec.bundleverifier        (the custom hook package)

Using this setup the application generates an exception:
 org.osgi.framework.BundleException: The bundle could not be resolved.
Reason: The bundle is disabled: "org.eclipse.equinox.security:null"

When I remove the Property 'osgi.signedcontent.trust.engine' all
TrustEngines are called and the verification works again.

My question is: Why does the KeyStoreTrustEngine registered from the
SignedBundleHook work, but the same copy from my own hook fails?

Thanks
David Luebbren
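An added example (not code from the original post or from Equinox) of what a keystore-independent engine of the kind described above could look like: it pins a fixed set of trust anchors, checks the chain link by link, and registers itself with an engine-name service property. It assumes the Equinox 3.4 TrustEngine abstract methods named here, and that the framework selects an engine by a service property whose key equals the -Dosgi.signedcontent.trust.engine system property; PinnedTrustEngine and register() are hypothetical names.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import java.util.List;
import org.eclipse.osgi.signedcontent.TrustEngine;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;

// Hypothetical engine: trusts only the anchors handed to it at construction,
// so no local keystore is consulted at all.
public class PinnedTrustEngine extends TrustEngine {
    // must match the value given to -Dosgi.signedcontent.trust.engine
    public static final String ENGINE_NAME = "CECKeyStoreTrustEngine";
    private final List<X509Certificate> anchors;

    public PinnedTrustEngine(List<X509Certificate> anchors) { this.anchors = anchors; }

    // Walk the chain leaf-to-root; a certificate counts as the anchor only if it is
    // byte-identical to a pinned one and every certificate below it verifies.
    public Certificate findTrustAnchor(Certificate[] chain) throws IOException {
        if (chain == null) return null;
        for (int i = 0; i < chain.length; i++) {
            for (X509Certificate anchor : anchors) {
                if (!anchor.equals(chain[i])) continue;
                try {
                    for (int j = 0; j < i; j++) {           // each lower cert must be
                        ((X509Certificate) chain[j]).checkValidity(); // in date and
                        chain[j].verify(chain[j + 1].getPublicKey()); // signed by the next
                    }
                    return chain[i];
                } catch (GeneralSecurityException e) {
                    return null; // broken link below the anchor: do not trust
                }
            }
        }
        return null; // no pinned anchor in the chain: content is untrusted
    }

    public boolean isReadOnly() { return true; }
    public String getName() { return ENGINE_NAME; }
    public String[] getAliases() { return new String[0]; }
    public Certificate getTrustAnchor(String alias) { return null; }
    protected String doAddTrustAnchor(Certificate c, String a) throws IOException { throw new IOException("read-only"); }
    protected void doRemoveTrustAnchor(Certificate c) throws IOException { throw new IOException("read-only"); }
    protected void doRemoveTrustAnchor(String a) throws IOException { throw new IOException("read-only"); }

    // Called from the hook: the service property with the same key as the system
    // property is assumed to be what lets the framework pick this engine by name.
    public static ServiceRegistration register(BundleContext ctx, List<X509Certificate> anchors) {
        Hashtable<String, Object> props = new Hashtable<String, Object>();
        props.put("osgi.signedcontent.trust.engine", ENGINE_NAME);
        return ctx.registerService(TrustEngine.class.getName(), new PinnedTrustEngine(anchors), props);
    }
}
```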