FUSE ESB / ESB-1734

No error log if the certificate is not valid

    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      If bundles are signed with an invalid or already expired certificate, the certificate will be revoked, but there is no log entry because it's not implemented.

      See TODO in
      org/apache/felix/framework/security/verifier/BundleDNParser.java line 445 which catches the CertificateException without any logging.

      417     private void getRootChains(Certificate[] certificates, List chains,
      418         boolean check)
      419     {
      420         List chain = new ArrayList();
      421 
      422         boolean revoked = false;
      423 
      424         for (int i = 0; i < certificates.length - 1; i++)
      425         {
      426             X509Certificate certificate = (X509Certificate) certificates[i];
      427 
      428             if (!revoked && isRevoked(certificate))
      429             {
      430                 revoked = true;
      431             }
      432             if (!check || !revoked)
      433             {
      434                 try
      435                 {
      436                     if (check)
      437                     {
      438                         certificate.checkValidity();
      439                     }
      440 
      441                     chain.add(certificate);
      442                 }
      443                 catch (CertificateException ex)
      444                 {
      445                     // TODO: log this or something
      446                     revoked = true;
      447                 }
      448             }

      It's hard to find out why a BundleSignerCondition is not applied to your bundle when nobody tells you that the certificate of your bundle was revoked.

      We should add an error log and print appropriate logging to tell the user what's happening here.
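
The validity check described above can be reproduced outside the framework to find out which signer certificate of a bundle is being rejected and why. This is an added example, not code from Felix or from this issue; the class name `SignerValidityCheck` is hypothetical, the bundle path is taken from the first command-line argument, and only the validity period is checked (the same `checkValidity()` call as in the excerpt), not trust-store or CRL membership.

```java
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import java.util.logging.Logger;

// Hypothetical diagnostic: lists the signer certificates of a signed JAR/bundle
// and logs the reason when one is outside its validity period.
public class SignerValidityCheck {
    private static final Logger LOG = Logger.getLogger("SignerValidityCheck");

    /** Returns true if cert is currently valid; otherwise logs why it is not. */
    static boolean checkAndLog(X509Certificate cert) {
        String dn = cert.getSubjectX500Principal().getName();
        try {
            cert.checkValidity();
            return true;
        } catch (CertificateExpiredException ex) {
            LOG.severe("Signer certificate expired on " + cert.getNotAfter() + ": " + dn);
        } catch (CertificateNotYetValidException ex) {
            LOG.severe("Signer certificate not valid before " + cert.getNotBefore() + ": " + dn);
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Set<Certificate> signers = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                try (InputStream in = jar.getInputStream(entry)) {
                    in.readAllBytes();   // certificates are only exposed after a full read
                }
                Certificate[] certs = entry.getCertificates();
                if (certs != null) {
                    signers.addAll(Arrays.asList(certs));
                }
            }
        }
        boolean ok = !signers.isEmpty();
        if (!ok) {
            LOG.severe("No signer certificates found in " + args[0]);
        }
        for (Certificate c : signers) {
            if (c instanceof X509Certificate && !checkAndLog((X509Certificate) c)) {
                ok = false;
            }
        }
        System.exit(ok ? 0 : 1);   // non-zero exit lets a build or deploy step fail early
    }
}
```

A tampered entry makes the full read throw a `SecurityException`, so a stack trace from this tool indicates a broken signature rather than an expired certificate.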


          Activity

          Guillaume Nodet added a comment -

          This issue should now be fixed with FELIX-3604 being resolved.

          Guillaume Nodet added a comment -

          Fixed in 4.4 and 7.0 branches


            People

            • Assignee:
              Guillaume Nodet
              Reporter:
              Joe Luo
            • Votes:
              0
              Watchers:
              3

              Dates

              • Created:
                Updated:
                Resolved: