Resources/Classes are only verified when they are loaded since it is quite
expensive to go through all signed JARs to verify all the resources/classes up
front. So the basic idea is that a bundle can start if it is tampered with but
it is never possible to execute tampered code.
Kind regards,
Peter Kriens
On 1 feb. 2012, at 10:40, Tobias Wagner wrote:
> Hi,
>
> We ran into problems using signed bundles with Equinox using the
> org.osgi.service.condpermadmin.BundleSignerCondition. We found that bundles
> with corrupted resources were started without SecurityException or something
> similar.
>
> When is the BundleSignerCondition evaluated to false?
> Our observation was that
> * unsigned bundles
> * signed bundles with other signer-DN than the one given in the
> policy
> * signed bundles with tampered SF file
> * signed bundles with tampered MF file
> are not started by Equinox, due to lack of permission. This is fine so far,
> but bundles containing tampered class files were installed and started.
>
> For the same bundle the jarsigner tool coming with the JDK identified the
> tampered class file within the bundle and threw a SecurityException
> reporting a SHA1-digest error for that certain class file.
>
> Our configuration:
> The Equinox framework is started by a launcher class. After starting the
> framework, the first bundle started is a bundle to update the security
> policy. It gets the
> org.osgi.service.condpermadmin.ConditionalPermissionAdmin from the bundle
> context and uses its ConditionalPermissionUpdate to commit the update. The
> policy in force is this one:
>
> ALLOW {
> [ org.osgi.service.condpermadmin.BundleLocationCondition
> "system:de.company.project.policy/" ]
> (java.security.AllPermission "*" "*")
> } "Management Agent Policy"
>
> ALLOW {
> [ org.osgi.service.condpermadmin.BundleSignerCondition
> "CN=project,O=company,C=de" ]
> (java.security.AllPermission "*" "*")
> } "Bundles Signed by company get AllPermission"
>
> The Java VM is started with following properties
> -Djava.security.manager
> -Djava.security.policy=all.policy
> -Dorg.osgi.framework.trust.repositories=certificates.ks
> -Dorg.osgi.framework.security="osgi"
>
> Where certificates.ks is a java keystore file containing the certificate for
> signature checking and all.policy is a java policy file providing full
> permissions:
>
> grant { permission java.security.AllPermission; };
>
> The JRE is jdk1.6.0_30.
>
> Is there a chance to change the configuration to get more restrictive
> signature checking?
> Thank you
> Tobias
>
>
> _______________________________________________
> OSGi Developer Mail List
> [email protected]
> https://mail.osgi.org/mailman/listinfo/osgi-dev
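As an added example (not code from this thread, and not the Equinox or JDK implementation), the following Python model shows the behaviour Peter describes: the per-entry digest in META-INF/MANIFEST.MF is only checked when that entry is actually read, so a bundle whose tampered class is never loaded starts cleanly, while an eager pass over every entry (what jarsigner -verify does) reports the mismatch. The bundle contents, entry names and the "Worker.class" tampering are constructed for the example; the .SF/.RSA signature over the manifest is out of scope and only the SHA1-Digest layer (the layer jarsigner complained about in the thread) is modeled.

```python
"""Model of lazy vs. eager per-entry JAR digest verification (added example)."""
import base64
import hashlib
import io
import zipfile

# Constructed sample bundle contents; names are hypothetical, not from the thread.
ENTRIES = {
    "de/company/project/Activator.class": b"\xca\xfe\xba\xbe original Activator bytecode",
    "de/company/project/Worker.class": b"\xca\xfe\xba\xbe original Worker bytecode",
    "OSGI-INF/config.properties": b"key=value\n",
}


class DigestMismatch(Exception):
    """Stands in for the java.lang.SecurityException the JVM raises on a bad digest."""


def sha1_b64(data):
    """SHA1-Digest value as jarsigner writes it: base64 of the raw SHA-1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def manifest_for(entries):
    """Build a META-INF/MANIFEST.MF with one SHA1-Digest section per entry.
    Real manifests wrap lines at 72 bytes; the constructed names are short enough
    that no wrapping is needed here."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()


def build_jar(entries, manifest):
    """Write the manifest and entries into an in-memory zip (the bundle JAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(manifest_bytes):
    """Return {entry name: expected SHA1-Digest} from the per-entry sections."""
    digests, current = {}, None
    for line in manifest_bytes.decode().splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and current:
            digests[current] = line[len("SHA1-Digest: "):]
        elif not line:
            current = None
    return digests


def load_entry(jar_bytes, name):
    """Lazy check, as the framework does on class load: verify only this entry.
    An entry with no manifest digest is treated as a failure here (strict choice)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        expected = parse_manifest(zf.read("META-INF/MANIFEST.MF")).get(name)
        data = zf.read(name)
    if expected is None or expected != sha1_b64(data):
        raise DigestMismatch(f"SHA1 digest error for {name}")
    return data


def verify_all(jar_bytes):
    """Eager check, as jarsigner -verify does: names of every entry whose digest
    is missing or does not match. An empty list means the JAR is intact."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        expected = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        for info in zf.infolist():
            if info.filename.startswith("META-INF/") or info.is_dir():
                continue
            if expected.get(info.filename) != sha1_b64(zf.read(info.filename)):
                bad.append(info.filename)
    return bad


def tampered_jar():
    """A bundle whose Worker.class was modified after signing; manifest untouched."""
    manifest = manifest_for(ENTRIES)
    modified = dict(ENTRIES)
    modified["de/company/project/Worker.class"] = b"\xca\xfe\xba\xbe backdoored Worker bytecode"
    return build_jar(modified, manifest)


def demo():
    """Start-up loads only the Activator, so the tampering goes unnoticed until
    Worker is loaded; an eager verification finds it immediately."""
    jar = tampered_jar()
    activator_loads = load_entry(jar, "de/company/project/Activator.class") == \
        ENTRIES["de/company/project/Activator.class"]
    try:
        load_entry(jar, "de/company/project/Worker.class")
        worker_loads = True
    except DigestMismatch:
        worker_loads = False
    return {"activator_loads": activator_loads,
            "worker_loads": worker_loads,
            "eager_findings": verify_all(jar)}


if __name__ == "__main__":
    print(demo())
```

A launcher that wants jarsigner-style strictness before a bundle is started would run the equivalent of verify_all over the bundle (in Java, reading every entry of a verifying JarFile to completion and catching SecurityException) rather than relying on the load-time check alone.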