This is an Equinox-specific question that should be asked on the Equinox forum or mailing lists.

Equinox does not do runtime verification of signed jar content by default. There is a configuration option (osgi.signedcontent.support=runtime) that can be used to do runtime verification of signed bundle entries (see http://help.eclipse.org/indigo/topic/org.eclipse.platform.doc.isv/reference/misc/runtime-options.html). But even this is done lazily as resources are loaded from a bundle. For example, this would lead to a security exception while attempting to load a class which was corrupted according to the jar signature. We do not do aggressive passes over the complete bundle jar content to verify the complete jar is uncorrupted when evaluating BundleSignerConditions. I am pretty sure when assigning permissions based on signers with the standard Java security.policy file, it does not do such aggressive verification of the complete jar either. In general we assume the install agent is verifying the content has not been corrupted before installing the bundle into the framework.

Tom

From: "Tobias Wagner" <[email protected]>
To: <[email protected]>
Date: 02/01/2012 03:46 AM
Subject: [osgi-dev] Policy based signature checking on bundles

Hi,

We ran into problems using signed bundles with Equinox using the org.osgi.service.condpermadmin.BundleSignerCondition. We found that bundles with corrupted resources were started without a SecurityException or something similar. When is the BundleSignerCondition evaluated to false?

Our observation was that
* unsigned bundles
* signed bundles with other signer-DN than the one given in the policy
* signed bundles with tampered SF file
* signed bundles with tampered MF file
are not started by Equinox, due to lack of permission. This is fine so far, but bundles containing tampered class files were installed and started. For the same bundle the jarsigner tool coming with the JDK identified the tampered class file within the bundle and threw a SecurityException reporting a SHA1-digest error for that certain class file.

Our configuration: The Equinox framework is started by a launcher class. After starting the framework, the first bundle started is a bundle to update the security policy. It gets the org.osgi.service.condpermadmin.ConditionalPermissionAdmin from the bundle context and uses its ConditionalPermissionUpdate to commit the update.

The policy in force is this one:

ALLOW {
  [ org.osgi.service.condpermadmin.BundleLocationCondition "system:de.company.project.policy/" ]
  (java.security.AllPermission "*" "*")
} "Management Agent Policy"

ALLOW {
  [ org.osgi.service.condpermadmin.BundleSignerCondition "CN=project,O=company,C=de" ]
  (java.security.AllPermission "*" "*")
} "Bundles Signed by company get AllPermission"

The Java VM is started with the following properties:

-Djava.security.manager
-Djava.security.policy=all.policy
-Dorg.osgi.framework.trust.repositories=certificates.ks
-Dorg.osgi.framework.security="osgi"

where certificates.ks is a Java keystore file containing the certificate for signature checking and all.policy is a Java policy file providing full permissions:

grant {
  permission java.security.AllPermission;
};

The JRE is jdk1.6.0_30.

Is there a chance to change the configuration to get more restrictive signature checking?

Thank you
Tobias

_______________________________________________
OSGi Developer Mail List
[email protected]
https://mail.osgi.org/mailman/listinfo/osgi-dev
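Tom's reply puts the eager check on the install agent: the framework verifies entry digests lazily at load time, so a bundle with a tampered class is installed and started until that class is first loaded. The following is an added example of what such an install-agent check can look like; it is not code from this thread, from Equinox, or from the OSGi project. It opens the bundle with a verifying java.util.jar.JarFile and drains every entry to EOF, which is when the JDK compares the entry digest against the signed manifest, so a tampered class file surfaces as the same SecurityException "digest error" that jarsigner reported. It also flags entries that no signature covers (for example a file added after signing) and entries whose signer's leaf certificate does not carry the expected subject DN. Assumptions: the class name BundleJarVerifier and the Report type are hypothetical; the expected signer is compared as a single X500Principal (OSGi's BundleSignerCondition matches DN chains with its own pattern syntax, which is not reproduced here); and no trust-chain validation against the certificates.ks keystore is performed. The code uses only Java 6 language features so it would also run on the jdk1.6.0_30 mentioned in the thread.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.security.auth.x500.X500Principal;

/**
 * Eager, whole-jar signature check for a bundle, intended to run in the
 * install agent before the bundle is handed to the framework.
 * Hypothetical helper: not part of Equinox or the OSGi specifications.
 */
public final class BundleJarVerifier {

    /** Findings from one full pass over a bundle jar. */
    public static final class Report {
        public final List<String> unsignedEntries = new ArrayList<String>();
        public final List<String> tamperedEntries = new ArrayList<String>();
        public final List<String> wrongSignerEntries = new ArrayList<String>();

        public boolean ok() {
            return unsignedEntries.isEmpty() && tamperedEntries.isEmpty()
                && wrongSignerEntries.isEmpty();
        }
    }

    /**
     * Reads every entry to EOF. A verifying JarFile checks each entry's digest
     * against the signed manifest while the stream is consumed, so a tampered
     * class shows up here as a SecurityException instead of at class-load time
     * inside the framework. JarEntry.getCodeSigners() is only meaningful after
     * the entry has been fully read, which is why the loop drains it first.
     */
    public static Report verify(File jar, X500Principal expectedSigner) throws IOException {
        Report report = new Report();
        byte[] buf = new byte[8192];
        JarFile jf = new JarFile(jar, true); // true: verify signatures
        try {
            if (jf.getManifest() == null) {
                report.unsignedEntries.add(JarFile.MANIFEST_NAME + " (missing)");
                return report;
            }
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Directories and the signature metadata itself carry no per-entry digest.
                if (e.isDirectory() || isSignatureMetadata(e.getName())) {
                    continue;
                }
                InputStream in = jf.getInputStream(e);
                try {
                    while (in.read(buf) != -1) {
                        // drain: the digest is verified as the bytes flow through
                    }
                } catch (SecurityException se) {
                    report.tamperedEntries.add(e.getName() + ": " + se.getMessage());
                    continue;
                } finally {
                    in.close();
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    // Not covered by any valid signature, e.g. added after signing.
                    report.unsignedEntries.add(e.getName());
                } else if (!signedBy(signers, expectedSigner)) {
                    report.wrongSignerEntries.add(e.getName());
                }
            }
        } finally {
            jf.close();
        }
        return report;
    }

    /** MANIFEST.MF and the *.SF / signature-block files directly under META-INF/. */
    private static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', "META-INF/".length()) != -1) {
            return false;
        }
        return n.equals(JarFile.MANIFEST_NAME.toUpperCase(Locale.ROOT)) || n.endsWith(".SF")
            || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    /** True if at least one signer's leaf certificate has the expected subject DN. */
    private static boolean signedBy(CodeSigner[] signers, X500Principal expected) {
        for (CodeSigner s : signers) {
            X509Certificate leaf =
                (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
            if (expected.equals(leaf.getSubjectX500Principal())) {
                return true;
            }
        }
        return false;
    }

    /** Usage: java BundleJarVerifier bundle.jar "CN=project,O=company,C=de" */
    public static void main(String[] args) throws IOException {
        Report r = verify(new File(args[0]), new X500Principal(args[1]));
        for (String s : r.tamperedEntries) System.out.println("TAMPERED " + s);
        for (String s : r.unsignedEntries) System.out.println("UNSIGNED " + s);
        for (String s : r.wrongSignerEntries) System.out.println("SIGNER   " + s);
        System.out.println(r.ok() ? "OK: safe to install" : "REJECT: do not install");
        System.exit(r.ok() ? 0 : 1);
    }
}
```

Two behaviours of the JDK verifier are worth knowing when reading the report. If the signature block or the .SF file itself is invalid, JarFile does not throw; it silently treats the jar as unsigned, so every entry lands in unsignedEntries and the bundle is rejected on that ground. A tampered class, by contrast, is the one case the framework's lazy check misses until load time, and it lands in tamperedEntries with the digest-error message. An agent that wants the same trust decision as the running framework should additionally validate the signer chain against the keystore passed in org.osgi.framework.trust.repositories rather than relying on the DN match alone.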
