[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [equinox-dev] keystores and signature recognition

Thanks Tom! I got it working fine now.

I did the following simple tests for corrupted signed content:
Signed a jar with my keystore then I added a new .class to its jar file.
My test was to install it with both installBundle()(via the shell) and in another test via p2 repository where I published the corrupt jar without errors.
Both ways installed the bundle just fine and I can consume its added class from other bundles.
Also that bundle starts/activates just fine.

I noticed that adding -Dosgi.signedcontent.support="runtime" as a startup parameter helps and when I try to consume my new class in the corrupt jar I get " java.lang.SecurityException: Corrupted file: the digest does not exist for the file test/UnsignedFile.class"
If I try to change an already signed class I got a ClassNotFoundException (I tried with the Activator).
I assumed these are all expected.

Finally, the questions :-) 
1. Just for information, can I prevent installing corrupted jars via installBundle() or p2 and how?
2. Can you clarify the expected behavior(and use cases) of the "osgi.signedcontent.support" property and its values (certificate, runtime, trust, authority, all)? Also how do TrustEngines, TrustAnchors and KeyStoreTrustEngines fit in the picture? I read the "eclipse runtime options" page but it just suggest how to use the properties, not what they do or the use case they cover.

Thank you,
Borislav


-----Original Message-----
From: equinox-dev-bounces@xxxxxxxxxxx [mailto:equinox-dev-bounces@xxxxxxxxxxx] On Behalf Of Thomas Watson
Sent: Friday, December 09, 2011 9:53 PM
To: Equinox development mailing list
Subject: Re: [equinox-dev] keystores and signature recognition

I don't think you should have to provide the option
osgi.signedcontent.support="runtime" to enable the BundleSignerCondition to
work.  My guess is there is something wrong with the condition you set and
matching it to the signer you used to sign your bundles.  If you are able
to you should try stepping through
org.osgi.service.condpermadmin.BundleSignerCondition.getCondition(Bundle,
ConditionInfo) to see if your condition is matching the bundles you have
signed.

For your scenario I think you want two rows in the condition table:

Allow {
	[org.osgi.service.condpermadmin.BundleSignerCondition "o=TEST" ]
	( java.security.AllPermission â*â â*â )
} "SignedByTest"

Allow {
	[org.osgi.service.condpermadmin.BundleSignerCondition "o=TEST"  !]
	.... // set of permissions for all other bundles
} "AllOthers"

Make sure you are using
org.osgi.service.condpermadmin.ConditionalPermissionUpdate so you can add
the two rows as an atomic operation so that both rows take effect at the
same time.

Tom




|------------>
| From:      |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |"Kapukaranov, Borislav" <borislav.kapukaranov@xxxxxxx>                                                                                            |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| To:        |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |Equinox development mailing list <equinox-dev@xxxxxxxxxxx>,                                                                                       |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Date:      |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |12/09/2011 10:00 AM                                                                                                                               |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Subject:   |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |[equinox-dev] keystores and signature recognition                                                                                                 |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|





Hi,

Iâve been trying Equinoxâs Conditional Permission Admin and canât get it to
run with signed bundles.
Iâve seen past threads in this ML but it seems a lot has changed, as most
of the properties now have different names or accepted values. Looking at
the Eclipse Runtime Options page was helpful but not enough.

I start the framework with Equinox launcher and pass these security
properties:
-Declipse.security="osgi"
-Dosgi.signedcontent.support="runtime"
-Dosgi.framework.keystore=file:/C:/DEV/SEC/myKeystore â note the keystore
is password protected.
I have a bunch of bundles in my p2 managed /plugins folder that are signed.
I also have a simple bundle that registers a conditional ALL permission to
every bundle that is signed with my keystore. Here is the string I used:
Allow {
[org.osgi.service.condpermadmin.BundleSignerCondition "o=TEST" ]
( java.security.AllPermission â*â â*â )
}

The problem is that after my permissions bundle commits the changes
everyone loses any permission. Thatâs probably because my bundle populates
the conditional policy table so now it doesnât default to <<all
permission>> but obviously my signature isnât recognized so all bundles
lose their current permissions.

Can you help me? I must be missing something or doing it wrongâ

Thank you,
Borislav
 _______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/equinox-dev

_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/equinox-dev