This document discusses the features of the Certificate Manager service of the System Bundle for checking the validity and trust of certificates against a certificate database.
The Certificate Manager service is a utility that other modules can use to check the validity of particular signer certificates against a store of trusted certificates. For example, the Certificate Manager is used to check whether a deployment package, in the sense of the OSGi Mobile Specification, is signed by a trusted signer.
The interface of the Certificate Manager service is com.prosyst.mbs.framework.certmanager.CertificateManager and it is registered by the System Bundle. The Certificate Manager service is available only if the mbs.certificates system property is true (false by default).
The service offers methods for: getting the distinguished names (DNs) of the owners whose certificates are saved in the database; filtering a collection of certificate chains (e.g. the certificate chains used to sign a bundle JAR file) down to the trusted ones; checking whether a certificate is trusted and whether it is present in the trusted storage; and matching the subject DN of a bundle's certificate against a DN pattern.
The Certificate Manager service can retrieve the trusted certificates of a specific bundle, which is passed to it as an input stream. All other certificate operations are backed by a certificate storage, built on top of a specific certificate store type.
You can use one of the following certificate storages for trusted certificates:
- Keystore storage (the default): loads trusted certificates from the keystores referenced by the Java policy files. The policy files are those named by the policy.url.X properties in the security properties file (default is lib/security/java.security in the JVM home directory, indicated by the java.home system property). In each specified policy file, the keystore storage checks whether the policy has a keystore entry and, if one exists, loads the certificates from the specified keystore location. For information about key and certificate management in Java, refer to the "Java 2 Security Architecture" document.
- X509 storage: loads trusted certificates from a directory of certificate files. To use it, set the mbs.keystore.class system property to com.prosyst.mbs.impl.framework.module.certmanager.certstorage.FolderCertificateStorageImpl.
To add a certificate or a certificate chain to the Certificate Manager, import it into the storage in use, keystore storage or X509 storage, as follows:
- Keystore storage: import the certificate or certificate chain into the appropriate keystore using the tools supplied with the JVM installation (e.g. keytool in the JDK). Then start the framework, or, if the framework was running during the import, restart it so that the Certificate Manager picks up the change.
- X509 storage: place your certificates in a dedicated directory and specify its path with the mbs.certificate.root system property. If mbs.certificate.root is not set, the X509 storage looks in a folder called certs within the user's home directory (indicated by the user.home system property). Then start the framework, or, if the framework was running during the import, restart it so that the Certificate Manager picks up the change. Note that whoever can write to this directory (or to the keystore, in the keystore case) can make any signer trusted, so protect it with file permissions at least as strict as those of the framework installation itself.
When a signed bundle is deployed, besides checking that the signer is trusted, the framework verifies the JAR entries against the digests contained in the signature. By default, once the digests of a signed bundle JAR file have been verified, they are not re-checked when the framework is restarted; this saves startup time, but a modification of the stored bundle after its first verification would go unnoticed. To re-verify digests on framework restarts, set the mbs.certificates.boot.enableDigests system property to true (default is false).
Another option for configuring digest checks is to verify an entry's digest only when that entry is requested by some bundle in the framework. Otherwise, digest verification is performed when the bundle is loaded: at installation, or at framework startup if the bundle is already installed. To enable on-demand digest checking, set the mbs.certificates.delayedCheckJarEntriesDigests system property to true (false by default).
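To make the storage configuration, the trust checks and the digest-check modes above concrete, here is an added example. It is not code from mBS and does not use the CertificateManager interface; it models the same behaviour with plain JDK APIs: it loads trusted certificates from the mbs.certificate.root directory (or user.home/certs, as the X509 storage does), keeps only those signer chains of a bundle JAR that contain a trusted certificate, matches the signer's subject DN against a DN, and performs the JAR digest verification either eagerly for every entry (the default described above) or on demand for a single requested entry. The class and method names, the trust rule (a chain is trusted when any certificate in it is in the storage) and the DN pattern syntax (an exact DN or "*") are assumptions of this example, not the rules of the mBS implementation.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.security.auth.x500.X500Principal;

// Added example, not mBS code: models the X509 folder storage plus the trust,
// DN and digest checks described in this document with plain JDK APIs.
public class SignedBundleCheck {

    private final Set<X509Certificate> trusted = new HashSet<>();

    // Loads every certificate file (DER or PEM, single cert or bundle) found in root.
    public SignedBundleCheck(File root) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        File[] files = root.listFiles();
        if (files == null) throw new IOException("not a directory: " + root);
        for (File f : files) {
            try (InputStream in = Files.newInputStream(f.toPath())) {
                for (Certificate c : cf.generateCertificates(in)) {
                    trusted.add((X509Certificate) c);
                }
            }
        }
    }

    // Same default as the X509 storage: mbs.certificate.root, else $user.home/certs.
    public static File defaultRoot() {
        String prop = System.getProperty("mbs.certificate.root");
        return prop != null ? new File(prop) : new File(System.getProperty("user.home"), "certs");
    }

    // Subject DNs of the certificate owners held in the storage.
    public Set<X500Principal> trustedSubjectDNs() {
        Set<X500Principal> dns = new HashSet<>();
        for (X509Certificate c : trusted) dns.add(c.getSubjectX500Principal());
        return dns;
    }

    // Assumed trust rule: a chain is trusted if any certificate in it is in the storage.
    public boolean isTrustedChain(List<? extends Certificate> chain) {
        for (Certificate c : chain) if (trusted.contains(c)) return true;
        return false;
    }

    // Assumed pattern syntax: "*" matches any DN, otherwise exact (canonical) DN equality.
    public static boolean subjectMatches(List<? extends Certificate> chain, String pattern) {
        if ("*".equals(pattern)) return true;
        X509Certificate signer = (X509Certificate) chain.get(0); // a CertPath lists the signer first
        return signer.getSubjectX500Principal().equals(new X500Principal(pattern));
    }

    // Returns the trusted signer chains of a signed bundle JAR. With eagerDigests every
    // entry is read, so JarFile verifies all digests up front (the framework default);
    // otherwise only the entry named by probe is read, i.e. on-demand checking.
    // A tampered entry makes JarFile throw SecurityException while it is being read.
    public List<List<Certificate>> trustedSignerChains(File jar, boolean eagerDigests, String probe)
            throws IOException {
        List<List<Certificate>> result = new ArrayList<>();
        try (JarFile jf = new JarFile(jar, true)) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                if (!eagerDigests && !e.getName().equals(probe)) continue;
                readFully(jf, e); // digest verification happens here
                CodeSigner[] signers = e.getCodeSigners(); // null until read, or if the entry is unsigned
                if (signers == null) continue;
                for (CodeSigner s : signers) {
                    List<? extends Certificate> chain = s.getSignerCertPath().getCertificates();
                    if (isTrustedChain(chain) && !result.contains(chain)) result.add(new ArrayList<>(chain));
                }
            }
        }
        return result;
    }

    private static void readFully(JarFile jf, JarEntry e) throws IOException {
        byte[] buf = new byte[8192];
        try (InputStream in = jf.getInputStream(e)) {
            while (in.read(buf) != -1) { /* consume so the verifier sees the whole entry */ }
        }
    }

    // Usage: java SignedBundleCheck bundle.jar [entryToProbe]
    public static void main(String[] args) throws Exception {
        SignedBundleCheck check = new SignedBundleCheck(defaultRoot());
        boolean eager = !Boolean.getBoolean("mbs.certificates.delayedCheckJarEntriesDigests");
        String probe = args.length > 1 ? args[1] : null;
        for (List<Certificate> chain : check.trustedSignerChains(new File(args[0]), eager, probe)) {
            System.out.println("trusted signer: " + ((X509Certificate) chain.get(0)).getSubjectX500Principal());
        }
    }
}
```

Run it against a JAR signed with jarsigner whose signer certificate has been exported into the certs directory, then flip one byte in a class file inside the JAR: with the eager mode the SecurityException surfaces at load time, with the on-demand mode only when the tampered entry itself is probed, which is exactly the trade-off the two digest-check properties above select between. Replacing the constructor's directory scan with KeyStore.load and iterating the keystore's trusted entries gives the keystore-storage equivalent.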
It is possible to implement your own mechanism for storing certificates as a custom Certificate Manager: implement the com.prosyst.mbs.framework.certmanager.CertificateManager interface and specify the implementation class as the value of the mbs.certificates.impl system property before launching the framework.