the bundle. On the other hand, the following won't match a bundle if it was signed by the core certificate:

ACCEPT {
  [org.osgi.service.condpermadmin.BundleSignerCondition
    "CN=core,O=baz,C=de" "!"]
  ...
}
The DN matching expression in these two examples illustrates how simple DN matching can be. It can also be sophisticated, because it supports various flavors of wildcard matching. We'll describe that next.
DISTINGUISHED NAME MATCHING DETAILS

You saw that a DN is composed of multiple attributes, like country, organization, and common name. When performing DN matching, you're matching against these attributes using a comma-delimited list, such as what you saw earlier with CN=core,O=baz,C=de to match the core certificate. Additionally, because certificates can be signed by other certificates, you can match against the other certificates in the chain: you delimit different certificates with a semicolon.
To match certificates in a chain, use DN matching expressions against the DN associated with each certificate you're trying to match. For example, consider the following DN matching expression:

CN=extensions,O=bar,C=fr;CN=core,O=baz,C=de
This matches a bundle that was signed by the bar organization from France using its extensions certificate, which was signed by your core certificate. You need to understand two important points about chain matching:

■ Matching occurs naturally against the most specific certificate. Certificates further up the chain that aren't mentioned are ignored.
■ Order is important, because reversing it indicates the opposite signing relationship.

When you match certificate chains, you're specifying an interest from the most specific certificate of the chain onward.
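To make the two chain-matching rules concrete, here is a small Python model of the matching described in this section. It is an added illustration, not code from the book or from the OSGi framework: it parses a pattern as semicolon-separated DNs of comma-separated attributes, compares the pattern from the most specific (signer) certificate onward, ignores issuers the pattern does not name, treats a "*" attribute value as a wildcard (the case table 14.7 describes below), and models the "!" argument of BundleSignerCondition as negation. The sample chains are constructed, the third-party certificate's CN is an assumption, and the framework's own algorithm (FrameworkUtil.matchDistinguishedNameChain) handles more cases than this model does.

```python
# Added example (not from the book or the OSGi project): a simplified model of
# BundleSignerCondition DN-chain matching as described in the text. It covers only
# the rules stated there: ';'-separated chain, ','-separated attributes, '*' as an
# attribute-value wildcard, and "!" negation. The real framework algorithm
# (org.osgi.framework.FrameworkUtil.matchDistinguishedNameChain) is richer.
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=core,O=baz,C=de' into [('CN', 'core'), ('O', 'baz'), ('C', 'de')]."""
    attrs = []
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed DN attribute: {part!r}")
        attrs.append((key.strip().upper(), value.strip()))
    return attrs


def match_dn(pattern: str, dn: str) -> bool:
    """True if every attribute of dn matches the pattern attribute in the same position.
    A '*' on the right-hand side of a pattern attribute matches any value."""
    pattern_attrs = parse_dn(pattern)
    dn_attrs = parse_dn(dn)
    if len(pattern_attrs) != len(dn_attrs):
        return False
    for (pkey, pval), (dkey, dval) in zip(pattern_attrs, dn_attrs):
        if pkey != dkey:
            return False
        if pval != "*" and pval != dval:
            return False
    return True


def match_dn_chain(pattern: str, chain: List[str]) -> bool:
    """chain[0] is the most specific certificate (the bundle signer); each later entry
    is the certificate that signed the one before it. The pattern's ';'-separated DNs
    are compared in that same order, so matching starts at the signer and certificates
    further up the chain that the pattern does not mention are ignored. Reversing the
    pattern therefore describes the opposite signing relationship and fails to match."""
    pattern_dns = pattern.split(";")
    if len(pattern_dns) > len(chain):
        return False
    return all(match_dn(p, c) for p, c in zip(pattern_dns, chain))


def bundle_signer_condition(pattern: str, chain: List[str], negate: bool = False) -> bool:
    """Models BundleSignerCondition: satisfied when the signer chain matches the
    pattern, or, with the "!" argument (negate=True), when it does not."""
    matched = match_dn_chain(pattern, chain)
    return not matched if negate else matched


# Constructed sample chains for the certificates named in the text
# (CN=thirdparty is an assumption; the text only says "third-party").
CORE_CHAIN = ["CN=core,O=baz,C=de"]
THIRD_PARTY_CHAIN = ["CN=thirdparty,O=baz,C=de"]
EXTENSIONS_CHAIN = ["CN=extensions,O=bar,C=fr", "CN=core,O=baz,C=de"]

if __name__ == "__main__":
    # The chain expression from the text, in signer-first order.
    print(match_dn_chain("CN=extensions,O=bar,C=fr;CN=core,O=baz,C=de", EXTENSIONS_CHAIN))  # True
    # Same two DNs reversed: opposite signing relationship, so no match.
    print(match_dn_chain("CN=core,O=baz,C=de;CN=extensions,O=bar,C=fr", EXTENSIONS_CHAIN))  # False
    # The "!" example: the condition is NOT satisfied for a core-signed bundle.
    print(bundle_signer_condition("CN=core,O=baz,C=de", CORE_CHAIN, negate=True))  # False
    # Attribute wildcards from table 14.7.
    print(match_dn("CN=*,O=baz,C=*", "CN=core,O=baz,C=de"))  # True
```

Note that a pattern naming only the core certificate does not match a bundle signed by the extensions certificate, even though core is in that bundle's chain: comparison starts at the signer, which is exactly the first bullet above.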
Both attribute matching and certificate chain matching support wildcards, but the rules for comparison are more complicated than string-based wildcard matching. The different cases are described in table 14.7.

Table 14.7  Certificate DN wildcard matching

Case                          Description
Specific attribute wildcards  If a wildcard is used as part of the right-hand argument of an
                              attribute, such as CN=*,O=baz,C=de this matches either of the two
                              certificates (core and third-party). You can also use a wildcard
                              for more than one attribute: CN=*,O=baz,C=* This matches any
                              certificate from the baz organization from any country.