[ https://issues.apache.org/jira/browse/FELIX-3610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13423242#comment-13423242 ]
Guillaume Nodet commented on FELIX-3610:
----------------------------------------

It seems to work from my first tests, though a spurious exception is printed when the security provider checks its own bundle.
I think the reason is that the Module associated is the one from the host (i.e. system bundle) which has no content. Not really sure though.
I suppose that one needs to be bypassed somehow.

java.io.IOException: Missing entry
    at org.apache.felix.framework.security.util.BundleInputStream.readNext(BundleInputStream.java:160)
    at org.apache.felix.framework.security.util.BundleInputStream.<init>(BundleInputStream.java:89)
    at org.apache.felix.framework.security.verifier.BundleDNParser._getDNChains(BundleDNParser.java:240)
    at org.apache.felix.framework.security.verifier.BundleDNParser.getDNChains(BundleDNParser.java:209)
    at org.apache.felix.framework.SecurityProviderImpl.getSignerMatcher(SecurityProviderImpl.java:74)
    at org.apache.felix.framework.Felix.setBundleProtectionDomain(Felix.java:851)
    at org.apache.felix.framework.Felix.init(Felix.java:801)
    at org.apache.karaf.main.Main.launch(Main.java:277)
    at org.apache.karaf.main.Main.main(Main.java:480)

The exception itself is harmless but it really looks bad ;-)
I'll do more thorough checks later.

> Support runtime verification for signed bundles
> -----------------------------------------------
>
>                 Key: FELIX-3610
>                 URL: https://issues.apache.org/jira/browse/FELIX-3610
>             Project: Felix
>          Issue Type: Improvement
>          Components: Framework, Framework Security
>            Reporter: Guillaume Nodet
>            Assignee: Karl Pauls
>
> Signed bundles are only checked when installed, but the goal of signed
> bundles is to make sure no one has changed the jar. This is not ensured
> unless bundle entries are verified when loaded.

--
This message is automatically generated by JIRA.
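The load-time check the issue description asks for, sketched as an added example using the JDK's own java.util.jar verification. It is not Felix's code or the change being tested in the comment; the class name, method name and command-line arguments are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical helper: returns an entry's bytes only if the entry is
// signed and still matches the digest recorded at signing time.
public class VerifiedEntryLoader {

    public static byte[] loadVerified(String jarPath, String entryName) throws IOException {
        // verify=true: entry digests are checked against the signature
        // files in META-INF while the entry stream is being read.
        try (JarFile jar = new JarFile(new File(jarPath), true)) {
            JarEntry entry = jar.getJarEntry(entryName);
            if (entry == null) {
                throw new IOException("Missing entry: " + entryName);
            }
            byte[] data;
            try (InputStream in = jar.getInputStream(entry)) {
                // A modified entry raises SecurityException during this read.
                data = in.readAllBytes();
            }
            // Signers are only available once the entry has been read to the
            // end; null means the entry is not covered by any signature
            // (for example a file added to the jar after signing).
            CodeSigner[] signers = entry.getCodeSigners();
            if (signers == null || signers.length == 0) {
                throw new SecurityException("Unsigned entry: " + entryName);
            }
            // Whether these signers are trusted (certificate chain, DN
            // matching) is a separate policy decision left to the caller.
            return data;
        }
    }

    public static void main(String[] args) throws IOException {
        // args[0]: path to a signed jar, args[1]: entry name inside it
        byte[] data = loadVerified(args[0], args[1]);
        System.out.println("verified " + data.length + " bytes of " + args[1]);
    }
}
```

An install-time check alone reads the jar once; running the check on every entry load, as here, is what detects a jar changed on disk afterwards.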