Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.
Bug 311968 - [engine] Only one trust engine is checked to determine trusted signer.
Summary: [engine] Only one trust engine is checked to determine trusted signer.
Status: RESOLVED FIXED
Alias: None
Product: Equinox
Classification: Eclipse Project
Component: p2 (show other bugs)
Version: 3.6   Edit
Hardware: PC Mac OS X - Carbon (unsup.)
: P3 normal (vote)
Target Milestone: 3.6 RC1   Edit
Assignee: John Arthorne CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-05-06 16:14 EDT by Thomas Watson CLA
Modified: 2010-05-07 15:17 EDT (History)
2 users (show)

See Also:
john.arthorne: review+

Attachments
patch (8.88 KB, patch)
2010-05-06 16:22 EDT, Thomas Watson CLA 		no flags Details | Diff
patch (6.95 KB, patch)
2010-05-06 16:27 EDT, Thomas Watson CLA 		no flags Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Watson CLA 2010-05-06 16:14:59 EDT 
I was testing out a workaround for bug309059 that involved setting the osgi configuration property org.osgi.framework.trust.repositories to point to a local keystore that contained the root certificate used by the foundation to sign jars.

Basically I set the property to an older 1.5 sun VM cacerts that contains the necessary trusted root certificate for the Eclipse jars.  This causes the framework to register another TrustEngine service that can be used to establish trust for signers.  This issue is the p2 engine only gets a single TrustEngine service when checking for trust.  By default, it will always get the first TrustEngine registered (unless someone uses a higher service ranking).  The first one registered is for the cacerts of the running VM.  If on the latest 1.5 or 1.6 Sun/Oracle VMs then this cacerts does not contain the necessary cert.

Looking at the CertificateChecker code it seems that it should depend on the SignerInfo.isTrusted() method to determine trust.  This allows the framework to determine the trust, and the framework does check all registered trust engines.  The CertificateChecker is also attempting to save the decision of the user to trust a particular certificate.  This code also has some issues, it needs to first check if the TrustEngine is read-only.

I will attach a patch that fixes this.
Comment 1 Thomas Watson CLA 2010-05-06 16:22:44 EDT 
Created attachment 167388 [details]
patch

And here is the patch.
Comment 2 Thomas Watson CLA 2010-05-06 16:23:59 EDT 
I had discussed this with John yesterday.  John, could you review this patch.  I think it is rather important to get a workaround for bug309059.
Comment 3 Thomas Watson CLA 2010-05-06 16:27:05 EDT 
Created attachment 167391 [details]
patch

Sorry, the last patch was not a workspace patch.  Here is a full patch.
Comment 4 John Arthorne CLA 2010-05-06 17:54:35 EDT 
I'll take this for review.
Comment 5 John Arthorne CLA 2010-05-07 15:17:36 EDT 
This patch looks good. I tested with this repository that contains untrusted software with self-signed certs:

http://eclipse.org/equinox/p2/testing/selfsignedsite

We don't currently have any writable trust engines so it's hard to verify that part. However the only difference in this patch is that we persist trust to *all* writable trust engines rather than the first one we find.