Re: [equinox-dev] Signed bundles
Hello Thomas, On Feb 7, 2008, at 15:18 , Thomas Watson wrote: Seem that we keep giving you the wrong options!!! :) Please try this on the latest I-Build of 3.4. The v20071207 version of org.eclipse.osgi was before we released some of the new signed bundle support. Thanks, that works fine now! Greetings, Marcel ___ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev
Re: [equinox-dev] Signed bundles
Marcel, Seem that we keep giving you the wrong options!!! java -Djava.security.manager="" -Djava.security.policy=policy -Dosgi.framework.keystore=file:keystore -Dosgi.signedcontent.support=true -jar org.eclipse.osgi_3.4.0..jar -console -consoleLog Please try this on the latest I-Build of 3.4. The v20071207 version of org.eclipse.osgi was before we released some of the new signed bundle support. Tom From: Marcel Offermans <[EMAIL PROTECTED]> To: Equinox development mailing list Date: 02/07/2008 07:05 AM Subject: Re: [equinox-dev] Signed bundles Hello Thomas, I'm trying your suggestions: java -Dosgi.signedcontent.support=true -Djava.security.policy="" -jar org.eclipse.osgi_3.4.0.v20071207.jar -console >From what I understand that should give me a framework with security and signed bundle support, but when I try that and type "services" from the equinox console, I don't get a (Conditional)PermissionAdmin service. Greetings, Marcel On Feb 6, 2008, at 15:43 , Thomas Watson wrote: The option to enable signed bundles in 3.3 is osgi.support.signature.verify (notice "support" and "signature" are reversed). In 3.4 we are introducing a more general option called osgi.signedcontent.support which does not have simple true|false options, but we will continue to recognize the old 3.3. option. Matt is documenting the security options in https://bugs.eclipse.org/bugs/show_bug.cgi?id=217765 The internal security manager class is needed to fully support postponed conditions in ConditionalPermissionAdmin. If postponed conditions are not needed then simply enabling the security manager with -Djava.security.policy="" will enable the built-in security manager which will satisfy most needs. There is an option called eclipse.security. This option is used by the launcher jar to setup a policy to grant the framework and the launcher AllPermissions and specify the security manager to use. Unfortunately this still requires a reference to an internal class if you want to load a security manager to support postponed conditions. I've opened a bug to investigate making this easier. Perhaps eclipse.security manager can have a value that indicates the framework should load its internal security manager. See https://bugs.eclipse.org/bugs/show_bug.cgi?id=218001. Tom Jeff McAffer ---02/06/2008 07:47:10 AM---Marcel Offermans wrote: From: Jeff McAffer <[EMAIL PROTECTED]> To:Equinox development mailing list Date: 02/06/2008 07:47 AM Subject: Re: [equinox-dev] Signed bundles Marcel Offermans wrote: > So, reiterating, if I want to run Equinox with OSGi security enabled > and have it use my own keystore, I have to start it like this > (formatted a bit for clarity, but typed as one big line): > > java > -Djava.security.manager=org.eclipse.osgi.framework.internal.core.FrameworkSecurityManager > -Djava.security.policy=policy > -Dosgi.framework.keystore=keystore > -Dosgi.signature.support.verify=true > -jar org.eclipse.osgi_3.4.0.v20071207.jar > -console > -consoleLog > > Basically, I'm asking how Equinox is being run to be compliant with > OSGi security. Is the above line accurate? Seems complicated and requires people to reference internal classes etc. Could be wrong but I remember it being simipler Jeff ___ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mail
Re: [equinox-dev] Signed bundles
Hello Thomas, I'm trying your suggestions: java -Dosgi.signedcontent.support=true -Djava.security.policy="" -jar org.eclipse.osgi_3.4.0.v20071207.jar -console From what I understand that should give me a framework with security and signed bundle support, but when I try that and type "services" from the equinox console, I don't get a (Conditional)PermissionAdmin service. Greetings, Marcel On Feb 6, 2008, at 15:43 , Thomas Watson wrote: The option to enable signed bundles in 3.3 is osgi.support.signature.verify (notice "support" and "signature" are reversed). In 3.4 we are introducing a more general option called osgi.signedcontent.support which does not have simple true|false options, but we will continue to recognize the old 3.3. option. Matt is documenting the security options in https://bugs.eclipse.org/bugs/show_bug.cgi?id=217765 The internal security manager class is needed to fully support postponed conditions in ConditionalPermissionAdmin. If postponed conditions are not needed then simply enabling the security manager with -Djava.security.policy="" will enable the built-in security manager which will satisfy most needs. There is an option called eclipse.security. This option is used by the launcher jar to setup a policy to grant the framework and the launcher AllPermissions and specify the security manager to use. Unfortunately this still requires a reference to an internal class if you want to load a security manager to support postponed conditions. I've opened a bug to investigate making this easier. Perhaps eclipse.security manager can have a value that indicates the framework should load its internal security manager. See https://bugs.eclipse.org/bugs/show_bug.cgi?id=218001 . Tom Jeff McAffer ---02/06/2008 07:47:10 AM---Marcel Offermans wrote: From: Jeff McAffer <[EMAIL PROTECTED]> To: Equinox development mailing list Date: 02/06/2008 07:47 AM Subject: Re: [equinox-dev] Signed bundles Marcel Offermans wrote: > So, reiterating, if I want to run Equinox with OSGi security enabled > and have it use my own keystore, I have to start it like this > (formatted a bit for clarity, but typed as one big line): > > java > - Djava .security .manager =org.eclipse.osgi.framework.internal.core.FrameworkSecurityManager > -Djava.security.policy=policy > -Dosgi.framework.keystore=keystore > -Dosgi.signature.support.verify=true > -jar org.eclipse.osgi_3.4.0.v20071207.jar > -console > -consoleLog > > Basically, I'm asking how Equinox is being run to be compliant with > OSGi security. Is the above line accurate? Seems complicated and requires people to reference internal classes etc. Could be wrong but I remember it being simipler Jeff ___ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev ___ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev ___ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev
Re: [equinox-dev] Signed bundles
The option to enable signed bundles in 3.3 is osgi.support.signature.verify (notice "support" and "signature" are reversed). In 3.4 we are introducing a more general option called osgi.signedcontent.support which does not have simple true|false options, but we will continue to recognize the old 3.3. option. Matt is documenting the security options in https://bugs.eclipse.org/bugs/show_bug.cgi?id=217765 The internal security manager class is needed to fully support postponed conditions in ConditionalPermissionAdmin. If postponed conditions are not needed then simply enabling the security manager with -Djava.security.policy="" will enable the built-in security manager which will satisfy most needs. There is an option called eclipse.security. This option is used by the launcher jar to setup a policy to grant the framework and the launcher AllPermissions and specify the security manager to use. Unfortunately this still requires a reference to an internal class if you want to load a security manager to support postponed conditions. I've opened a bug to investigate making this easier. Perhaps eclipse.security manager can have a value that indicates the framework should load its internal security manager. See https://bugs.eclipse.org/bugs/show_bug.cgi?id=218001. Tom From: Jeff McAffer <[EMAIL PROTECTED]> To: Equinox development mailing list Date: 02/06/2008 07:47 AM Subject:Re: [equinox-dev] Signed bundles Marcel Offermans wrote: > So, reiterating, if I want to run Equinox with OSGi security enabled > and have it use my own keystore, I have to start it like this > (formatted a bit for clarity, but typed as one big line): > > java > -Djava.security.manager=org.eclipse.osgi.framework.internal.core.FrameworkSecurityManager > -Djava.security.policy=policy > -Dosgi.framework.keystore=keystore > -Dosgi.signature.support.verify=true > -jar org.eclipse.osgi_3.4.0.v20071207.jar > -console > -consoleLog > > Basically, I'm asking how Equinox is being run to be compliant with > OSGi security. Is the above line accurate? Seems complicated and requires people to reference internal classes etc. Could be wrong but I remember it being simipler Jeff ___ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev <><>___ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev
Re: [equinox-dev] Signed bundles
Marcel Offermans wrote: So, reiterating, if I want to run Equinox with OSGi security enabled and have it use my own keystore, I have to start it like this (formatted a bit for clarity, but typed as one big line): java -Djava.security.manager=org.eclipse.osgi.framework.internal.core.FrameworkSecurityManager -Djava.security.policy=policy -Dosgi.framework.keystore=keystore -Dosgi.signature.support.verify=true -jar org.eclipse.osgi_3.4.0.v20071207.jar -console -consoleLog Basically, I'm asking how Equinox is being run to be compliant with OSGi security. Is the above line accurate? Seems complicated and requires people to reference internal classes etc. Could be wrong but I remember it being simipler Jeff ___ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev
Re: [equinox-dev] Signed bundles
Hello Matt, First of all, thanks for your reply! On Feb 4, 2008, at 23:30 , Matt Flaherty wrote: You can enable the signature verification system by setting the system property "osgi.signature.support.verify" to true. Equinox uses the system property, "osgi.framework.keystore" to look in a keystore of type JKS to find additional trusted certificates beyond those in the JRE's cacerts file. You don't need the alias or a password for the alias. So, reiterating, if I want to run Equinox with OSGi security enabled and have it use my own keystore, I have to start it like this (formatted a bit for clarity, but typed as one big line): java - Djava .security .manager =org.eclipse.osgi.framework.internal.core.FrameworkSecurityManager -Djava.security.policy=policy -Dosgi.framework.keystore=keystore -Dosgi.signature.support.verify=true -jar org.eclipse.osgi_3.4.0.v20071207.jar -console -consoleLog Basically, I'm asking how Equinox is being run to be compliant with OSGi security. I'm still experiencing problems with PermissionAdmin, but I'll explain that in a separate post because I think I might have run into a bug now. The code that actually does the legwork of verifying the signatures over jarfiles was a provisional API formerly known as the JarVerifier - we've recently refactored it and established a supported API for signed content. Take a look in security/src in org.eclipse.osgi for the API. Some of these properties will be getting new osgi.signedcontent.* enablers with the new API, and we've also added support for disabling entire bundles based on the signer and a pluggable authentiation and authorization mechanism. Thanks for the background information. At the moment, my interest is purely in OSGi security, I'm assuming that the API you describe is an extension to that? Not well documented yet, but I'll take care of that shortly: https://bugs.eclipse.org/bugs/show_bug.cgi?id=217765 I've subscribed to that one, thanks. -matt --- Matt Flaherty Security Project Lead, Lotus Notes & Eclipse Equinox External: http://www.eclipse.org/equinox/incubator/security/ Internal: https://cs.opensource.ibm.com/projects/eclipsesec/ [EMAIL PROTECTED] wrote on 01/30/2008 08:54:46 AM: > After succeeding in getting Equinox to run with security on, I'm now > experimenting with signed bundles. First I made a new keystore, using > the standard java "keytool", like this: > > keytool -genkey -alias myalias -keystore keystore > > I created a bundle using Eclipse's PDE, and used the "Export" function > to create a signed bundle, pointing to my freshly created keystore, > specifying the alias and password. > > Now my question is, how do I configure equinox to use my keystore? I > want to use it in combination with PermissionAdmin and an > AdminPermission that filters on the signer (using a condition like > "(signer=\*, o=mycompany)"). All I can find is documentation on how to > use the jarverifier (http://dev.eclipse.org/viewcvs/indextech.cgi/ > equinox-home/security/verifier.html > ) which states I can use a "osgi.framework.keystore" property to point > to my store. What I don't know is: > a) do I need this jarverifier at all? I am assuming that just > starting equinox with security should be enough; > b) is that property also applicable if you're not using the > jarverifier? > c) how do I specify alias and password for the store? > > Any pointers to information about this would be nice too! :) > > Greetings, Marcel > > ___ > equinox-dev mailing list > equinox-dev@eclipse.org > https://dev.eclipse.org/mailman/listinfo/equinox-dev ___ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev ___ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev
Re: [equinox-dev] Signed bundles
You can enable the signature verification system by setting the system property "osgi.signature.support.verify" to true. Equinox uses the system property, "osgi.framework.keystore" to look in a keystore of type JKS to find additional trusted certificates beyond those in the JRE's cacerts file. You don't need the alias or a password for the alias. The code that actually does the legwork of verifying the signatures over jarfiles was a provisional API formerly known as the JarVerifier - we've recently refactored it and established a supported API for signed content. Take a look in security/src in org.eclipse.osgi for the API. Some of these properties will be getting new osgi.signedcontent.* enablers with the new API, and we've also added support for disabling entire bundles based on the signer and a pluggable authentiation and authorization mechanism. Not well documented yet, but I'll take care of that shortly: https://bugs.eclipse.org/bugs/show_bug.cgi?id=217765 HTH, -matt --- Matt Flaherty Security Project Lead, Lotus Notes & Eclipse Equinox External: http://www.eclipse.org/equinox/incubator/security/ Internal: https://cs.opensource.ibm.com/projects/eclipsesec/ [EMAIL PROTECTED] wrote on 01/30/2008 08:54:46 AM: > After succeeding in getting Equinox to run with security on, I'm now > experimenting with signed bundles. First I made a new keystore, using > the standard java "keytool", like this: > > keytool -genkey -alias myalias -keystore keystore > > I created a bundle using Eclipse's PDE, and used the "Export" function > to create a signed bundle, pointing to my freshly created keystore, > specifying the alias and password. > > Now my question is, how do I configure equinox to use my keystore? I > want to use it in combination with PermissionAdmin and an > AdminPermission that filters on the signer (using a condition like > "(signer=\*, o=mycompany)"). All I can find is documentation on how to > use the jarverifier (http://dev.eclipse.org/viewcvs/indextech.cgi/ > equinox-home/security/verifier.html > ) which states I can use a "osgi.framework.keystore" property to point > to my store. What I don't know is: > a) do I need this jarverifier at all? I am assuming that just > starting equinox with security should be enough; > b) is that property also applicable if you're not using the > jarverifier? > c) how do I specify alias and password for the store? > > Any pointers to information about this would be nice too! :) > > Greetings, Marcel > > ___ > equinox-dev mailing list > equinox-dev@eclipse.org > https://dev.eclipse.org/mailman/listinfo/equinox-dev ___ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev
[equinox-dev] Signed bundles
After succeeding in getting Equinox to run with security on, I'm now experimenting with signed bundles. First I made a new keystore, using the standard java "keytool", like this: keytool -genkey -alias myalias -keystore keystore I created a bundle using Eclipse's PDE, and used the "Export" function to create a signed bundle, pointing to my freshly created keystore, specifying the alias and password. Now my question is, how do I configure equinox to use my keystore? I want to use it in combination with PermissionAdmin and an AdminPermission that filters on the signer (using a condition like "(signer=\*, o=mycompany)"). All I can find is documentation on how to use the jarverifier (http://dev.eclipse.org/viewcvs/indextech.cgi/equinox-home/security/verifier.html ) which states I can use a "osgi.framework.keystore" property to point to my store. What I don't know is: a) do I need this jarverifier at all? I am assuming that just starting equinox with security should be enough; b) is that property also applicable if you're not using the jarverifier? c) how do I specify alias and password for the store? Any pointers to information about this would be nice too! :) Greetings, Marcel ___ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev