the bundle. On the other hand, the following won't match a bundle if it was signed by the core certificate:
ACCEPT {
[org.osgi.service.condpermadmin.BundleSignerCondition
"CN=core,O=baz,C=de" "!"]
...
}
The DN matching expressions in these two examples illustrate how simple DN matching can be. It can also be sophisticated, because it supports various flavors of wildcard matching. We'll describe that next.
DISTINGUISHED NAME MATCHING DETAILS
You saw that a DN is composed of multiple attributes, like country, organization, and common name. When performing DN matching, you're matching against these attributes using a comma-delimited list, such as what you saw earlier with CN=core,O=baz,C=de to match the core certificate. Additionally, because certificates can be signed by other certificates, you can match against the other certificates in the chain: you delimit different certificates with a semicolon.
To match certificates in a chain, use DN matching expressions against the DN associated with each certificate you're trying to match. For example, consider the following DN matching expression:
CN=extensions,O=bar,C=fr;CN=core,O=baz,C=de
This matches a bundle that was signed by the bar organization from France using its extensions certificate, which was signed by your core certificate. You need to understand two important points about chain matching:
- Matching occurs naturally against the most specific certificate. Certificates further up the chain that aren't mentioned are ignored.
- Order is important, because reversing it indicates the opposite signing relationship.
When you match certificate chains, you're specifying an interest from the most specific certificate of the chain onward.
Both attribute matching and certificate chain matching support wildcards, but the rules for comparison are more complicated than string-based wildcard matching. The different cases are described in table 14.7.
Table 14.7 Certificate DN wildcard matching

Case: Specific attribute wildcards
Description: If a wildcard is used as part of the right-hand argument of an attribute, such as

CN=*,O=baz,C=de

this matches either of the two certificates (core and third-party). You can also use a wildcard for more than one attribute:

CN=*,O=baz,C=*

This matches any certificate from the baz organization from any country.
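To make the chain-matching rules and the attribute wildcards concrete, here is an added example that is not from the book or from any OSGi framework: a simplified re-implementation, in Python, of the semantics described above (in a real framework this job is done by FrameworkUtil.matchDistinguishedNameChain). It covers only what the text explains so far: a semicolon-delimited chain pattern applied from the most specific certificate onward, unmentioned certificates further up the chain ignored, order significant, and `*` standing in for a whole attribute value. It does not handle escaped commas in DN values or the other wildcard forms of table 14.7. The sample certificate chains (CORE_CHAIN, THIRD_PARTY_CHAIN, EXTENSIONS_CHAIN) are constructed to stand in for the certificates named in the text; the `negate` flag models the "!" argument seen in the ACCEPT block.

```python
# Added illustration: simplified DN chain matching as described in the text.
# Not the OSGi framework's own code (see FrameworkUtil.matchDistinguishedNameChain
# for the real thing). Covers ';'-separated chains, leaf certificate first, and '*'
# as a wildcard for an entire attribute value. Escaped commas are not handled.


def parse_dn(dn):
    """Split 'CN=core,O=baz,C=de' into an ordered list of (type, value) pairs.

    Attribute types are compared case-insensitively; values are kept as written
    apart from surrounding whitespace. Malformed input raises instead of matching.
    """
    rdns = []
    for part in dn.split(","):
        attr_type, sep, value = part.strip().partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError("malformed RDN %r in DN %r" % (part, dn))
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def match_dn(pattern, dn):
    """Match one DN pattern against one certificate DN.

    Attribute order and count must agree; a pattern value of '*' matches any
    value of that attribute, so CN=*,O=baz,C=de matches both core and third-party.
    """
    pattern_rdns = parse_dn(pattern)
    dn_rdns = parse_dn(dn)
    if len(pattern_rdns) != len(dn_rdns):
        return False
    for (p_type, p_value), (d_type, d_value) in zip(pattern_rdns, dn_rdns):
        if p_type != d_type:
            return False
        if p_value != "*" and p_value != d_value:
            return False
    return True


def match_dn_chain(pattern, dn_chain):
    """Match a ';'-separated chain pattern against a certificate chain.

    dn_chain lists the signer's DNs with the most specific (leaf) certificate
    first. The pattern is applied from that certificate onward, so order is
    significant, and certificates further up the chain that the pattern does
    not mention are ignored.
    """
    dn_patterns = [p.strip() for p in pattern.split(";") if p.strip()]
    if not dn_patterns or len(dn_patterns) > len(dn_chain):
        return False  # empty pattern, or more certificates named than the chain has
    return all(match_dn(p, dn) for p, dn in zip(dn_patterns, dn_chain))


def bundle_signer_condition(pattern, dn_chain, negate=False):
    """Evaluate the condition as a policy block would: with negate=True (the "!"
    argument of BundleSignerCondition) it holds only when the chain does NOT match."""
    return match_dn_chain(pattern, dn_chain) != negate


# Constructed sample chains, leaf certificate first. They stand in for the
# certificates named in the text and are not taken from any real keystore.
CORE_CHAIN = ["CN=core,O=baz,C=de"]
THIRD_PARTY_CHAIN = ["CN=third-party,O=baz,C=de"]
EXTENSIONS_CHAIN = ["CN=extensions,O=bar,C=fr", "CN=core,O=baz,C=de"]

if __name__ == "__main__":
    chain_pattern = "CN=extensions,O=bar,C=fr;CN=core,O=baz,C=de"
    print(match_dn_chain(chain_pattern, EXTENSIONS_CHAIN))  # True
    print(match_dn_chain("CN=core,O=baz,C=de;CN=extensions,O=bar,C=fr",
                         EXTENSIONS_CHAIN))  # False: reversed signing relationship
    print(match_dn_chain("CN=extensions,O=bar,C=fr", EXTENSIONS_CHAIN))  # True: core ignored
    print(match_dn_chain("CN=*,O=baz,C=de", THIRD_PARTY_CHAIN))  # True
    print(bundle_signer_condition("CN=core,O=baz,C=de", CORE_CHAIN, negate=True))  # False
```

The reversed-order case is the one worth studying: the same two DNs joined in the opposite order fail, because the pattern asserts that core was signed by extensions, which is not how the constructed chain is built.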