[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [equinox-dev] TrustEngine and other security services

If you need an example that is publicly available, the Apache Directory Studio plugin is signed with an Apache certificate that shows up as untrusted when I attempt to install it:

http://directory.apache.org/studio/update/1.x/

On Eclipse 4.2, the pop-up window asking to trust easily gets hidden and can't be called back again, which means that the installation of that (and anything else in the same provisioning operation) fails. 

Alex

On 3 Jan 2013, at 14:55, John Arthorne wrote:

I really don't remember the details here. I suspect once we got all Eclipse projects signing with a real cert verified by an authority trusted by the JVM, this wasn't a big issue for us. In the end, asking an end user to make a trust decision on a self-signed or unverified cert is silly anyway. There is no way an end user could make an informed trust decision based on that information, and if we did persist the decision, it would essentially be "I know it's not trusted but please stop asking me". It looks like KeyStoreTrustEngine registered by the framework is capable of persisting changes though, if the system is configured properly. If Scott or anyone else is interested in the trust persistence aspect I suggest opening a bug and we go from there.

John



From:        Thomas Watson <tjwatson@xxxxxxxxxx>
To:        Equinox development mailing list <equinox-dev@xxxxxxxxxxx>,
Date:        01/02/2013 10:20 AM
Subject:        Re: [equinox-dev] TrustEngine and other security services
Sent by:        equinox-dev-bounces@xxxxxxxxxxx




Thanks John,

I see that the code you mention does use a TrustEngine to attempt to persist newly trusted certificates.  But I wonder if there are any implementations of the TrustEngine service that are not read-only.  The framework registers a built-in TrustEngine that is backed by the CA certs that are configured with the VM but this TrustEngine is read-only.

Tom



<Mail Attachment.gif>John Arthorne ---01/02/2013 08:43:48 AM---p2 uses the TrustEngine to persist newly trusted certificates after  prompting the user. See org.ecl

From:
John Arthorne <John_Arthorne@xxxxxxxxxx>
To:
Equinox development mailing list <equinox-dev@xxxxxxxxxxx>,
Date:
01/02/2013 08:43 AM
Subject:
Re: [equinox-dev] TrustEngine and other security services
Sent by:
equinox-dev-bounces@xxxxxxxxxxx




p2 uses the TrustEngine to persist newly trusted certificates after prompting the user. See
org.eclipse.equinox.internal.p2.engine.phases.CertificateChecker.

http://git.eclipse.org/c/equinox/rt.equinox.p2.git/tree/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java

John




From:        
Thomas Watson <tjwatson@xxxxxxxxxx>
To:        
Equinox development mailing list <equinox-dev@xxxxxxxxxxx>,
Date:        
01/02/2013 09:28 AM
Subject:        
Re: [equinox-dev] TrustEngine and other security services
Sent by:        
equinox-dev-bounces@xxxxxxxxxxx




The TrustEngine is largely used as an implementation detail behind the org.eclipse.osgi.signedcontent package.  OSGi services published with using the org.eclipse.osgi.service.security.TrustEngine interface are used to determine the authenticity of a certificate chain used to sign content (jars, bundles etc.).  I did not remember p2 using the TrustEngine directly, but perhaps it does for authenticating other types of certificates.

Sorry, other than the javadoc published for the packages there is not a lot of documentation here.

Tom




<Mail Attachment.gif>Pascal Rapicault ---12/29/2012 03:51:46 AM---The p2 engine makes use of the TrustEngine, however I don't remember the details of how it works. Yo

From:
Pascal Rapicault <pascal@xxxxxxxxxxxxx>
To:
Equinox development mailing list <equinox-dev@xxxxxxxxxxx>,
Date:
12/29/2012 03:51 AM
Subject:
Re: [equinox-dev] TrustEngine and other security services
Sent by:
equinox-dev-bounces@xxxxxxxxxxx




The p2 engine makes use of the TrustEngine, however I don't remember the details of how it works.
You may also want to poke around at other parts of p2 as I just happen to remember about this ref in the engine, but there may be others.

HTH

Pascal

On 2012-12-29, at 5:47 AM, Scott Lewis wrote:

> Hello,
>
> Is there documentation on Equinox security services like org.eclipse.osgi.service.security.TrustEngine service...and implementation?  I looked in the Equinox Security area [1], but didn't find a lot of service/API docs.   Is/are there examples of using the TrustEngine service(s)?
>
> Thanks,
>
> Scott
>
>
>
> _______________________________________________
> equinox-dev mailing list
> equinox-dev@xxxxxxxxxxx
>
https://dev.eclipse.org/mailman/listinfo/equinox-dev

_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx

https://dev.eclipse.org/mailman/listinfo/equinox-dev

_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx

https://dev.eclipse.org/mailman/listinfo/equinox-dev
_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx

https://dev.eclipse.org/mailman/listinfo/equinox-dev
_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/equinox-dev

_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/equinox-dev