Can you send me your project in a private mail (or make it available to me by other means in case it is too big to mail it)?
regards,

Karl

On Wed, Mar 25, 2009 at 1:06 PM, romary_k <[email protected]> wrote:
>
> Hi all,
> my name is Romary, I am a software engineer from Grenoble, France.
> Working currently on embedded systems and SOA, I'm interested in the
> security assets of the OSGi Service Platform.
>
> I'm working with my favorite Felix OSGi Gateway, with the Apache Felix
> Security Provider
>
> I use keytool and jarsigner to create key pairs and to sign my bundles
>
> I have configured Felix with security enabled:
> felix.keystore= <url to a keystore file on my file system>
> felix.storepass = pass of the keystore
> and I launch felix with -Djava.security.manager and -Djava.policy=all.policy
>
> My plan is to demonstrate the use of signed JARs to allow trusted bundles
> only to be installed and register their services at runtime.
>
> Let me describe the scenario:
>
> Bundle A is acting as security agent:
> 1) A grants all privileges to itself
> 2) A grants all privileges to common bundles of the framework such as Logger,
> console, iPojo ...
>
> 3) A uses CPA with no condition to grant FilePermission in read only on the C
> drive
> (I assume that specifying no condition sets the FilePermission for all
> bundles, is that right ??)
>
> 4) A uses CPA and BundleSignerCondition to grant the right of writing files to
> the C drive only for bundles that are signed by a dname like "cn=romary, ou=
> ..."
>
> Bundle B is acting as an applicative bundle
> 1) try to write file on the C drive
> 2) try to read file on the C drive
>
> Bundle sig-B is bundle B with a proper signature applied and matching the
> pattern "cn=romary, ou= ..."
>
> When I start either B only or sig-B only, as you can imagine, they are able
> to write and read files on the C drive
>
> When I start A, the security permissions are set and I am confronted with the
> following issues:
> - with bundle B: after installation, when I try to start it I get the following
> exception:
> ERROR 20090325 12:40:35 bid#0 - EventDispatcher: Error during dispatch. (java.lang.IllegalStateException: JarContent is not open)
>
> The problem is that B should have been authorized to start and to read some
> files on the C drive
>
> - with sig-B: when I try to install sig-B, I get the following exception:
>
> java.lang.ArrayIndexOutOfBoundsException: 100881754
>     at org.apache.felix.framework.security.verifier.SubjectDNParser.next(SubjectDNParser.java:319)
>     at org.apache.felix.framework.security.verifier.SubjectDNParser.parseSubjectDN(SubjectDNParser.java:126)
>     at org.apache.felix.framework.security.verifier.BundleDNParser._getDNChains(BundleDNParser.java:217)
>     at org.apache.felix.framework.security.verifier.BundleDNParser.checkDNChains(BundleDNParser.java:120)
>     at org.apache.felix.framework.SecurityProviderImpl.checkBundle(SecurityProviderImpl.java:70)
>     at org.apache.felix.framework.Felix.addSecurity(Felix.java:3399)
>     at org.apache.felix.framework.Felix.installBundle(Felix.java:2318)
>     at org.apache.felix.framework.Felix.installBundle(Felix.java:2226)
>     at org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:124)
>
> The problem is that sig-B should have been authorized to start and read /
> write files from and to the C drive
>
> I ran my Felix inside the debugger and it seems that all of the
> initialisation of the certificate manager works fine (I was able to retrieve my
> certificate from the keystore I specified to Felix ...) so my configuration
> seems to be correct, but I think there is an error during the analysis of the
> bundle signature.
>
> It would be very nice if anybody who has already played with signed
> bundles with CPA on Felix could give me hints on the way to make it all work
> together.
>
> I don't give snippets of my bundles now, but just ask if you want to get
> deeper into the problem
>
> Thanks for your feedback
>
> Romary ;)
>
> --
> View this message in context:
> http://www.nabble.com/Please-help-about-security-and-signed-bundles-tp22700292p22700292.html
> Sent from the Apache Felix - Users mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

--
Karl Pauls
[email protected]
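
The four grants described for bundle A in the quoted message, sketched as an added example (not code from the thread or from Apache Felix). It assumes the R4.1-era `ConditionalPermissionAdmin.addConditionalPermissionInfo` API, that "common bundles" are identified by location, and two hypothetical framework properties, `agent.signer.dn` and `agent.trusted.locations`, because the message elides the full DN and names no bundle locations.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.BundleLocationCondition;
import org.osgi.service.condpermadmin.BundleSignerCondition;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.permissionadmin.PermissionInfo;

// Hypothetical activator for "bundle A" (the security agent).
public class SecurityAgentActivator implements BundleActivator {
    private static final String C_DRIVE = "C:\\-"; // trailing "-" = recursive

    public void start(BundleContext ctx) throws Exception {
        ServiceReference ref =
            ctx.getServiceReference(ConditionalPermissionAdmin.class.getName());
        if (ref == null) throw new IllegalStateException("no ConditionalPermissionAdmin");
        ConditionalPermissionAdmin cpa = (ConditionalPermissionAdmin) ctx.getService(ref);

        // Assumed properties: fail closed if either one is missing.
        String signerDn = ctx.getProperty("agent.signer.dn");
        String trusted = ctx.getProperty("agent.trusted.locations"); // comma-separated
        if (signerDn == null || trusted == null)
            throw new IllegalStateException("agent.signer.dn / agent.trusted.locations unset");

        PermissionInfo[] all = { new PermissionInfo(AllPermission.class.getName(), "*", "*") };

        // 1) Grant the agent itself first: once any entry exists, bundles that
        //    match no entry lose their permissions, including the right to add more.
        cpa.addConditionalPermissionInfo(byLocation(ctx.getBundle().getLocation()), all);
        // 2) Framework helper bundles (logger, console, ...), matched by location.
        for (String loc : trusted.split(","))
            cpa.addConditionalPermissionInfo(byLocation(loc.trim()), all);
        // 3) Empty condition list: the read grant applies to every bundle.
        cpa.addConditionalPermissionInfo(new ConditionInfo[0],
            new PermissionInfo[] { new PermissionInfo(FilePermission.class.getName(), C_DRIVE, "read") });
        // 4) Write access only for bundles whose signer chain matches the DN pattern.
        cpa.addConditionalPermissionInfo(
            new ConditionInfo[] { new ConditionInfo(BundleSignerCondition.class.getName(), new String[] { signerDn }) },
            new PermissionInfo[] { new PermissionInfo(FilePermission.class.getName(), C_DRIVE, "write") });
    }

    private static ConditionInfo[] byLocation(String location) {
        return new ConditionInfo[] {
            new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { location }) };
    }

    public void stop(BundleContext ctx) { }
}
```

Later versions of the specification deprecate `addConditionalPermissionInfo` in favour of `newConditionalPermissionUpdate()`, which commits an ordered table of entries in one step.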

