Table 14.7  Certificate DN wildcard matching (continued)

Case: Arbitrary attribute wildcards
Description: If a wildcard is used standalone, such as

    *,O=baz,C=de

this matches any attributes coming before O and C, regardless of their name or value. For the running example, it's another way to match both of your certificates. This kind of wildcard can also be combined with the previous one:

    *,O=baz,C=*

This also matches all certificates from the baz organization, from any country.

Case: Certificate chain wildcards
Description: The attribute wildcard can be used in a certificate chain and behaves as described earlier, but when used standalone in a chain it matches at most one certificate. For example:

    *;CN=core,O=baz,C=de

This matches either a bundle signed by another certificate that was signed by your core certificate or a bundle signed directly by your core certificate. The hyphen wildcard matches zero or more certificates:

    -;CN=core,O=baz,C=de

This matches any bundle signed by your core certificate anywhere in the certificate chain.
The rules for certificate matching are also relevant to AdminPermission , discussed in
section 14.3.3. If you recall, AdminPermission accepts an LDAP filter over a limited
number of attributes to describe target bundles. The value for the signer attribute of
the LDAP filter is a DN matching expression.
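The framework exposes the same matching rules through org.osgi.framework.FrameworkUtil.matchDistinguishedNameChain(String pattern, List<String> dnChain) (part of the core API since R4.2), which is convenient for checking a pattern before you put it into a BundleSignerCondition or the signer attribute of an AdminPermission filter. The following is an added example, not code from the book; it assumes the OSGi core jar is on the classpath, and the DNs and chains in it are constructed for illustration. Chains are listed signer first and root (here, your core certificate) last, which is the order the framework uses when it derives a chain from a signed bundle.

```java
import java.util.Arrays;
import java.util.List;
import org.osgi.framework.FrameworkUtil;

/**
 * Exercises the DN patterns from table 14.7 against constructed certificate
 * chains using the framework's own matcher.
 */
public class DnMatchingDemo {

    // Constructed DNs (illustration only, not real certificates): the two
    // certificates from the running example plus two that differ in O or C.
    static final String CORE = "CN=core,O=baz,C=de";
    static final String DEV  = "CN=dev,OU=eng,O=baz,C=de";
    static final String US   = "CN=core,O=baz,C=us";
    static final String QUX  = "CN=core,O=qux,C=de";

    /** Chain is signer first, root last; a lone certificate is a one-element chain. */
    static boolean matches(String pattern, List<String> chain) {
        return FrameworkUtil.matchDistinguishedNameChain(pattern, chain);
    }

    static void show(String pattern, List<String> chain) {
        System.out.printf("%-24s vs %-52s -> %b%n", pattern, chain, matches(pattern, chain));
    }

    public static void main(String[] args) {
        // Arbitrary attribute wildcard: any RDNs (here CN, or CN plus OU) before O=baz,C=de.
        show("*,O=baz,C=de", Arrays.asList(CORE));
        show("*,O=baz,C=de", Arrays.asList(DEV));
        show("*,O=baz,C=de", Arrays.asList(US));    // country differs from the pattern
        show("*,O=baz,C=de", Arrays.asList(QUX));   // organization differs from the pattern

        // Attribute wildcard combined with a value wildcard: baz in any country.
        show("*,O=baz,C=*", Arrays.asList(US));
        show("*,O=baz,C=*", Arrays.asList(QUX));

        // Chain wildcards. A bundle signed directly by core is a one-element chain.
        show("-;" + CORE, Arrays.asList(CORE));
        // dev's certificate was signed by core: two-element chain, signer first.
        show("-;" + CORE, Arrays.asList(DEV, CORE));
        show("*;" + CORE, Arrays.asList(DEV, CORE));
        // core is nowhere in this chain.
        show("-;" + CORE, Arrays.asList(DEV, QUX));
    }
}
```

Run it with the OSGi core jar on the classpath and compare each line against the table: the first two prefix-wildcard cases and the two C=* cases match, the country and organization mismatches do not, and the hyphen pattern matches with core at the end of a chain of any length but not when core is absent.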
ESTABLISHING TRUST
In addition to DN matching, a BundleSignerCondition will only match if all the certificates in the chain are trusted or are signed by a trusted certificate. Certificates are trusted when they're known to the OSGi framework. How do they become known? Prior to the OSGi R4.2 specification this was implementation-specific, but now the standard way is to specify keystores containing trusted certificates using the org.osgi.framework.trust.repositories framework configuration property. For example:

org.osgi.framework.trust.repositories=\
/var/trust/keystore.jks:~/.cert/certs.jks

The value is a list of file paths separated by the system-specific File.pathSeparator (a colon on Unix-like systems, a semicolon on Windows). Note that the framework doesn't expand ~, so in practice spell out the home directory as an absolute path. Each file path must point to a JKS keystore, which can't have a password. The framework uses the keystores as trust repositories to authenticate the certificates of trusted signers. The stores must be used only as read-only trust repositories to access public keys.
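Before handing such keystores to the framework, it's worth checking them the way the framework will use them: loadable as JKS with no password, and holding nothing but trusted certificate entries. The following is an added example, not code from the book; it takes keystore paths on the command line (assumed to exist), builds the property value with File.pathSeparator, and refuses any store that carries a private key, since a trust repository is supposed to expose public keys only. Constants.FRAMEWORK_TRUST_REPOSITORIES is the real constant for the property name from org.osgi.framework.Constants.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import org.osgi.framework.Constants;

/**
 * Validates keystores intended for org.osgi.framework.trust.repositories and
 * assembles the property value from their paths.
 */
public class TrustRepositoryCheck {

    /** Loads a JKS store with a null password, exactly as the framework does. */
    static KeyStore loadWithoutPassword(File path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, null);   // null password: no integrity check, no secret required
        }
        return ks;
    }

    /** True if every alias is a trusted-certificate entry; any key entry is reported. */
    static boolean holdsOnlyTrustedCertificates(KeyStore ks, String label) throws Exception {
        boolean ok = true;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                System.out.printf("%s: alias '%s' is a key entry; a trust repository must hold public certificates only%n",
                        label, alias);
                ok = false;
            } else if (ks.isCertificateEntry(alias)) {
                Certificate c = ks.getCertificate(alias);
                String subject = (c instanceof X509Certificate)
                        ? ((X509Certificate) c).getSubjectX500Principal().getName()
                        : c.getType();
                System.out.printf("%s: trusted signer %s%n", label, subject);
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            System.err.println("usage: TrustRepositoryCheck keystore.jks [more.jks ...]");
            System.exit(2);
        }
        StringBuilder value = new StringBuilder();
        for (String arg : args) {
            File f = new File(arg);
            if (!holdsOnlyTrustedCertificates(loadWithoutPassword(f), f.getPath())) {
                System.exit(1);
            }
            if (value.length() > 0) {
                value.append(File.pathSeparator);   // ':' on Unix-like systems, ';' on Windows
            }
            value.append(f.getAbsolutePath());     // absolute: the framework won't expand ~
        }
        // This is the map you would pass to FrameworkFactory.newFramework(config).
        Map<String, String> config = new HashMap<>();
        config.put(Constants.FRAMEWORK_TRUST_REPOSITORIES, value.toString());
        System.out.println(Constants.FRAMEWORK_TRUST_REPOSITORIES + "=" + value);
    }
}
```

A JKS store's password only protects the store's integrity, so loading with null succeeds for any store; the check that actually matters for a trust repository is the absence of key entries, which is why the tool fails on the first one it finds rather than only warning.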
You should now understand how to use certificates to sign your bundles and grant
permissions based on the bundle signer. With that out of the way, let's look at how you
can use local permissions to know which permissions a bundle needs.