Re: [equinox-dev] Signed bundles

Hello Matt,

First of all, thanks for your reply!

On Feb 4, 2008, at 23:30 , Matt Flaherty wrote:

> You can enable the signature verification system by setting the system property "osgi.signature.support.verify" to true. Equinox uses the system property, "osgi.framework.keystore" to look in a keystore of type JKS to find additional trusted certificates beyond those in the JRE's cacerts file. You don't need the alias or a password for the alias.

So, reiterating, if I want to run Equinox with OSGi security enabled and have it use my own keystore, I have to start it like this (formatted a bit for clarity, but typed as one big line):

java
  -Djava.security.manager=org.eclipse.osgi.framework.internal.core.FrameworkSecurityManager
  -Djava.security.policy=policy
  -Dosgi.framework.keystore=keystore
  -Dosgi.signature.support.verify=true 
  -jar org.eclipse.osgi_3.4.0.v20071207.jar
  -console
  -consoleLog

Basically, I'm asking how Equinox is being run to be compliant with OSGi security.

I'm still experiencing problems with PermissionAdmin, but I'll explain that in a separate post because I think I might have run into a bug now.

> The code that actually does the legwork of verifying the signatures over jarfiles was a provisional API formerly known as the JarVerifier - we've recently refactored it and established a supported API for signed content. Take a look in security/src in org.eclipse.osgi for the API. Some of these properties will be getting new osgi.signedcontent.* enablers with the new API, and we've also added support for disabling entire bundles based on the signer and a pluggable authentication and authorization mechanism.

Thanks for the background information. At the moment, my interest is purely in OSGi security; I'm assuming that the API you describe is an extension to that?

> Not well documented yet, but I'll take care of that shortly: https://bugs.eclipse.org/bugs/show_bug.cgi?id=217765

I've subscribed to that one, thanks.

-matt

---
Matt Flaherty
Security Project Lead, Lotus Notes & Eclipse Equinox
External:
http://www.eclipse.org/equinox/incubator/security/
Internal:
https://cs.opensource.ibm.com/projects/eclipsesec/

equinox-dev-bounces@xxxxxxxxxxx wrote on 01/30/2008 08:54:46 AM:

> After succeeding in getting Equinox to run with security on, I'm now  
> experimenting with signed bundles. First I made a new keystore, using  
> the standard java "keytool", like this:
>
> keytool -genkey -alias myalias -keystore keystore
>
> I created a bundle using Eclipse's PDE, and used the "Export" function  
> to create a signed bundle, pointing to my freshly created keystore,  
> specifying the alias and password.
>
> Now my question is, how do I configure equinox to use my keystore? I  
> want to use it in combination with PermissionAdmin and an  
> AdminPermission that filters on the signer (using a condition like  
> "(signer=\*, o=mycompany)"). All I can find is documentation on how to  
> use the jarverifier
> (http://dev.eclipse.org/viewcvs/indextech.cgi/equinox-home/security/verifier.html)
> ) which states I can use a "osgi.framework.keystore" property to point  
> to my store. What I don't know is:
>   a) do I need this jarverifier at all? I am assuming that just  
> starting equinox with security should be enough;
>   b) is that property also applicable if you're not using the  
> jarverifier?
>   c) how do I specify alias and password for the store?
>
> Any pointers to information about this would be nice too! :)
>
> Greetings, Marcel
_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/equinox-dev
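A pre-flight check for the setup discussed in this thread, as an added example that is not part of the original messages and is not Equinox code: it uses only the JDK's own jar verification to confirm that every entry of a signed bundle is signed and that a signer certificate is present in the JKS keystore you intend to pass via osgi.framework.keystore. The class name SignerCheck and the two command-line arguments are assumptions; it checks presence in the keystore only, not certificate validity dates or Equinox's own trust decision.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example, not Equinox code. Usage: java SignerCheck <bundle.jar> <keystore>
public class SignerCheck {
    // The manifest and the signature files are never signed themselves.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(java.util.Locale.ROOT);
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".DSA") || n.endsWith(".RSA") || n.endsWith(".EC")));
    }

    public static void main(String[] args) throws Exception {
        KeyStore trusted = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[1])) {
            trusted.load(in, null); // null password: certificates readable, store integrity not checked
        }
        int ok = 0, untrusted = 0, unsigned = 0;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[0], true)) { // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    // The digest is checked while reading; a modified entry
                    // makes read() throw SecurityException.
                    while (in.read(buf) != -1) { }
                }
                Certificate[] certs = e.getCertificates(); // only populated after a full read
                if (certs == null) { unsigned++; continue; }
                boolean known = false;
                for (Certificate c : certs) {
                    // Matches trusted-certificate entries and the certificate of a key entry.
                    if (trusted.getCertificateAlias(c) != null) known = true;
                }
                if (known) ok++; else untrusted++;
            }
        }
        System.out.printf("trusted=%d untrusted=%d unsigned=%d%n", ok, untrusted, unsigned);
        System.exit(unsigned == 0 && untrusted == 0 && ok > 0 ? 0 : 1);
    }
}
```

A non-zero exit status means at least one entry is unsigned or signed only by certificates that are absent from the keystore.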