Re: how to enable felix verify the contents of a signed bundle

2016-10-21 Thread Karl Pauls 
If I understand you correctly you want to:

a) prevent any bundle to open any socket

b) prevent bundles not signed by your certificate from being installed

In regard to a, can't you just put a DENY java.net.SocketPermission at the
beginning of your policy?

In regard to b, I guess the best I can think of in a hurry is to first
grant  AdminPermission["signer=CN=XZX,O=XYX,C=XX",LIFECYCLE] and then DENY
AdminPermission["*",LIFECYCLE]

Keep in mind that the permission order is important hence, if you e.g. for
b first allow AdminPermission LIFECYCLE for bundles signed by your CA and
then DENY AdminPermission it basically will only allow to install bundles
signed by your CA.

Does this help?

regards,

Karl

On Thu, Sep 15, 2016 at 11:38 AM, sid19039  wrote:
>
> Hello @Karl and @Robert, again thank you so much for your help.
> And I am sorry for this late reply for I got occupied in other priority
> activities.
> Yeah , I tried Robert's point and it worked well.
> We created our security bundle which reads the following policy file to
> bring it into picture via ConditionalPermissionAdmin.
> policy file:
> ALLOW {
>[ org.osgi.service.condpermadmin.BundleSignerCondition "CN=XZX, O=XYX,
> C=XX" ]
>( java.security.AllPermission "*" "*")
> } "Bundles Signed by XZX certificate get AllPermission"
> ALLOW {
>   [org.osgi.service.condpermadmin.BundleLocationCondition
> "file:/D:/dir_A/dir_B/felix-framework 5.4.0/bundle/*"]
>   (java.security.AllPermission "*" "*")
> } "Existing  bundles of felix"
> DENY {
>(java.security.AllPermission "*" "*")
> } "And give denied permissions to all bundles"
>
> In above set of permissions, first ALLOW set of permissions gives all
> permission to all bundles which are signed by our certificate. Second set
of
> permissions assign all permissions to all those bundles which are already
> present in felix framework default bundle directory. And Third set denies
> all permissions to all those bundles which are not signed by our
certificate
> or which are unsigned and which are not present in default bundle
directory
> of felix framework.
>
> Now, signed bundles are successfully installed, become active and run fine
> with all permission granted.
> But we want to restrict all running bundles to not able to access any
> ethernet port on device inside which our felix framework is running. How
can
> we deny this particular permission to a bundle?
>
> Moreover, a bundle which is not signed or signed with any other
certificate,
> also gets installed in the framework without giving any security
exception,
> though an *unresolved exception as shown below*, appears on the console
when
> we try to start this unsigned bundle:
>
> *org.osgi.framework.BundleException: Unable to resolve TCPModBus [14](R
> 14.0): missing requirement [TCPModBus [14](R 14.0)] osgi.wiring.package;
> (&(osg
> i.wiring.package=org.osgi.framework)(version>=1.3.0)) Unresolved
> requirements: [[TCPModBus [14](R 14.0)] osgi.wiring.package;
> (&(osgi.wiring.package=o
> rg.osgi.framework)(version>=1.3.0))]*
>
> Is there any way to prevent these unsigned bundles or bundles signed with
> other certificates from even being installed into the framework?
>
>
> Regards
> Siddharth
>
>
>
>
>
>
>
> --
> View this message in context:
http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018412.html
> Sent from the Apache Felix - Users mailing list archive at Nabble.com.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
> For additional commands, e-mail: users-h...@felix.apache.org
>



--
Karl Pauls
karlpa...@gmail.com

Re: how to enable felix verify the contents of a signed bundle

2016-10-21 Thread Robert Onslow 
Sid
I'm afraid I don't know the answer to this question. Sorry
Robert

On Fri, Oct 21, 2016 at 12:44 PM, sid19039  wrote:
> Hello,
>
> Please provide some inputs/suggestions on the above scenario...
>
> Regards
> Siddharth
>
>
>
> --
> View this message in context: 
> http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018958.html
> Sent from the Apache Felix - Users mailing list archive at Nabble.com.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
> For additional commands, e-mail: users-h...@felix.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
For additional commands, e-mail: users-h...@felix.apache.org

Re: how to enable felix verify the contents of a signed bundle

2016-10-21 Thread sid19039 
Hello,

Please provide some inputs/suggestions on the above scenario...

Regards
Siddharth



--
View this message in context: 
http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018958.html
Sent from the Apache Felix - Users mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
For additional commands, e-mail: users-h...@felix.apache.org

Re: how to enable felix verify the contents of a signed bundle

2016-09-15 Thread sid19039 
Hello @Karl and @Robert, again thank you so much for your help.
And I am sorry for this late reply for I got occupied in other priority
activities.
Yeah , I tried Robert's point and it worked well.
We created our security bundle which reads the following policy file to
bring it into picture via ConditionalPermissionAdmin.
policy file:
ALLOW {
   [ org.osgi.service.condpermadmin.BundleSignerCondition "CN=XZX, O=XYX,
C=XX" ]
   ( java.security.AllPermission "*" "*")
} "Bundles Signed by XZX certificate get AllPermission"
ALLOW {
  [org.osgi.service.condpermadmin.BundleLocationCondition
"file:/D:/dir_A/dir_B/felix-framework 5.4.0/bundle/*"]
  (java.security.AllPermission "*" "*")
} "Existing  bundles of felix"
DENY {
   (java.security.AllPermission "*" "*")
} "And give denied permissions to all bundles"

In above set of permissions, first ALLOW set of permissions gives all
permission to all bundles which are signed by our certificate. Second set of
permissions assign all permissions to all those bundles which are already
present in felix framework default bundle directory. And Third set denies
all permissions to all those bundles which are not signed by our certificate
or which are unsigned and which are not present in default bundle directory
of felix framework.

Now, signed bundles are successfully installed, become active and run fine
with all permission granted.
But we want to restrict all running bundles to not able to access any
ethernet port on device inside which our felix framework is running. How can
we deny this particular permission to a bundle?

Moreover, a bundle which is not signed or signed with any other certificate,
also gets installed in the framework without giving any security exception,
though an *unresolved exception as shown below*, appears on the console when
we try to start this unsigned bundle:

*org.osgi.framework.BundleException: Unable to resolve TCPModBus [14](R
14.0): missing requirement [TCPModBus [14](R 14.0)] osgi.wiring.package;
(&(osg
i.wiring.package=org.osgi.framework)(version>=1.3.0)) Unresolved
requirements: [[TCPModBus [14](R 14.0)] osgi.wiring.package;
(&(osgi.wiring.package=o
rg.osgi.framework)(version>=1.3.0))]*

Is there any way to prevent these unsigned bundles or bundles signed with
other certificates from even being installed into the framework?


Regards
Siddharth







--
View this message in context: 
http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018412.html
Sent from the Apache Felix - Users mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
For additional commands, e-mail: users-h...@felix.apache.org

Re: how to enable felix verify the contents of a signed bundle

2016-08-22 Thread Karl Pauls 
Hi Siddharth,

as Robert is correctly pointing out: the next step is to actually define
your security policy. His example gives all permission to all bundles that
are correctly signed by a given certificate. Granted, that might be a
little broad but it would be a start. If you tell us more about what you
are actually try to get working we probably could help you with a more
specific policy (e.g., there is a way to only give install permission for
bundles that are signed iirc).

regards,

Karl

On Mon, Aug 22, 2016 at 6:53 PM, Robert Onslow 
wrote:

> Sid
> Did you try my recipe?
> Robert
>
> On Mon, Aug 22, 2016 at 8:12 AM, sid19039  wrote:
> > Hello
> > @Robert and @Karl, Thank you so much for your answers.
> >
> > Via
> > -Dfelix.keystore=file:certificates.ks -Dfelix.keystore.pass=foobar
> > -Dfelix.keystore.type=jks
> > I am able to verify the bundle against its signature now. First, i was
> > mentioning the path to keystore file as
> > -Dfelix.keystore=file:my.keystore, didn't know absolute path is
> required to
> > be given, but then i mentioned the absolute path to my.keystore file as
> > -Dfelix.keystore=file:/D:A/B/my.keystore then i was able to verify the
> > signed bundle successfully.
> > But the problem is : an unsigned bundle is still being allowed to be
> > installed into the framework.
> > Also if i remove any of .SF and .DSA file or both files from jar file
> then
> > again no error occured while installing the jar file and it installed
> > successfully.
> > Is there any another configuration left to be set which prevents unsigned
> > bundle from being installed and show error on console?
> > please share view points.
> >
> > Thanks
> > siddharth
> >
> >
> >
> >
> > --
> > View this message in context: http://apache-felix.18485.x6.n
> abble.com/how-to-enable-felix-verify-the-contents-of-a-
> signed-bundle-tp5018089p5018178.html
> > Sent from the Apache Felix - Users mailing list archive at Nabble.com.
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
> > For additional commands, e-mail: users-h...@felix.apache.org
> >
>
> -
> To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
> For additional commands, e-mail: users-h...@felix.apache.org
>
>


-- 
Karl Pauls
karlpa...@gmail.com

Re: how to enable felix verify the contents of a signed bundle

2016-08-22 Thread Robert Onslow 
Sid
Did you try my recipe?
Robert

On Mon, Aug 22, 2016 at 8:12 AM, sid19039  wrote:
> Hello
> @Robert and @Karl, Thank you so much for your answers.
>
> Via
> -Dfelix.keystore=file:certificates.ks -Dfelix.keystore.pass=foobar
> -Dfelix.keystore.type=jks
> I am able to verify the bundle against its signature now. First, i was
> mentioning the path to keystore file as
> -Dfelix.keystore=file:my.keystore, didn't know absolute path is required to
> be given, but then i mentioned the absolute path to my.keystore file as
> -Dfelix.keystore=file:/D:A/B/my.keystore then i was able to verify the
> signed bundle successfully.
> But the problem is : an unsigned bundle is still being allowed to be
> installed into the framework.
> Also if i remove any of .SF and .DSA file or both files from jar file then
> again no error occured while installing the jar file and it installed
> successfully.
> Is there any another configuration left to be set which prevents unsigned
> bundle from being installed and show error on console?
> please share view points.
>
> Thanks
> siddharth
>
>
>
>
> --
> View this message in context: 
> http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018178.html
> Sent from the Apache Felix - Users mailing list archive at Nabble.com.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
> For additional commands, e-mail: users-h...@felix.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
For additional commands, e-mail: users-h...@felix.apache.org

Re: how to enable felix verify the contents of a signed bundle

2016-08-22 Thread sid19039 
Hello 
@Robert and @Karl, Thank you so much for your answers.

Via 
-Dfelix.keystore=file:certificates.ks -Dfelix.keystore.pass=foobar 
-Dfelix.keystore.type=jks
I am able to verify the bundle against its signature now. First, i was
mentioning the path to keystore file as
-Dfelix.keystore=file:my.keystore, didn't know absolute path is required to
be given, but then i mentioned the absolute path to my.keystore file as
-Dfelix.keystore=file:/D:A/B/my.keystore then i was able to verify the
signed bundle successfully.
But the problem is : an unsigned bundle is still being allowed to be
installed into the framework.
Also if i remove any of .SF and .DSA file or both files from jar file then
again no error occured while installing the jar file and it installed
successfully.
Is there any another configuration left to be set which prevents unsigned
bundle from being installed and show error on console?
please share view points.

Thanks
siddharth




--
View this message in context: 
http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018178.html
Sent from the Apache Felix - Users mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
For additional commands, e-mail: users-h...@felix.apache.org

Re: how to enable felix verify the contents of a signed bundle

2016-08-16 Thread Karl Pauls 
Hi Siddharth,

I'm not sure what is going on exactly but I'm guessing you signed the
bundle with a certificate that felix doesn't know about (i.e., its not
trusted). Could you try to import your root certificate into a keystore as
a trusted certificate and point felix to that keystore like this:

-Dfelix.keystore=file:certificates.ks -Dfelix.keystore.pass=foobar
-Dfelix.keystore.type=jks

and see if that makes a difference? If it doesn't help, could you maybe
share a failing set-up with me?

regards,

Karl

On Tue, Aug 16, 2016 at 1:31 PM, sid19039  wrote:
>
> Hello ,
>
> Could someone please tell how can i use this felix framework security
> bundle(mentioned in above posts) for signature verification?
> Do i need to declare any package provided by this security bundle into
> import-package manifest header of my bundle to enable it?
> From now onward, i am not able to find any direction where to proceed.
> Please someone tell how i can proceed further.
>
> Thanks
> Siddharth
>
>
>
> --
> View this message in context:
http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018116.html
> Sent from the Apache Felix - Users mailing list archive at Nabble.com.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
> For additional commands, e-mail: users-h...@felix.apache.org
>



--
Karl Pauls
karlpa...@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls

Re: how to enable felix verify the contents of a signed bundle

2016-08-16 Thread sid19039 
Hello ,

Could someone please tell how can i use this felix framework security
bundle(mentioned in above posts) for signature verification?
Do i need to declare any package provided by this security bundle into
import-package manifest header of my bundle to enable it?
>From now onward, i am not able to find any direction where to proceed.
Please someone tell how i can proceed further.

Thanks
Siddharth



--
View this message in context: 
http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018116.html
Sent from the Apache Felix - Users mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
For additional commands, e-mail: users-h...@felix.apache.org

Re: how to enable felix verify the contents of a signed bundle

2016-08-16 Thread Robert Onslow 
Sid

You need to tell the framework something about what to expect from the
signed bundles.

To do this, pick up the ConditionalPermssionAdmin service and register
a new ConditionalPermissionInfo.

Something like this in an Activator


ServiceReference ref =
context.getServiceReference(ConditionalPermissionAdmin.class);
ConditionalPermissionAdmin admin = context.getService(ref);
ConditionalPermissionUpdate update = admin.newConditionalPermissionUpdate();
List infos = update.getConditionalPermissionInfos();
// infos.clear();
infos.add(admin.newConditionalPermissionInfo(
"Signed Bundles",
new ConditionInfo[]
{
   new
ConditionInfo(BundleSignerCondition.class.getName(), new String[]
   {

  "CN=CommonName, O=OrgName, STREET=Top Street, ,
L=Newtown, ST=Kansas, OID.2.5.4.17=ZipCode, C=GB ; -"
   })
},
new PermissionInfo[]
{
   new PermissionInfo(AllPermission.class.getName(), "*", "*"),
},
ConditionalPermissionInfo.ALLOW));



update.commit();


Robert

On Sat, Aug 13, 2016 at 6:32 PM, sid19039  wrote:
> Hi Karl,
>
> for the test case, i myself corrupt the jar file. Following are the steps
> which I performed:
> - I simply extracted the content of valid signed .jar file then opened a
> .class file(extracted from the jar) in notepad++ and
>   corrupted the file, simply by removing some data and adding some garbage
> data and saved the file.
> - And then created a new jar again with name my_tempered.jar.
>
> To verify that the file is corrupt, i tested it with jarsigner tool as
> following:
> *jarsigner -verify my_tempered.jar*
> It then threw "jarsigner: java.lang.SecurityException: invalid SHA1
> signature file digest" for the corrupted .class file.
> I was expecting such a similar error when trying to install this .jar bundle
> file on felix but no error/exception was thrown.
>
> I don't know exactly how to enable that framework security bundle to verify
> a signed bundle  or do i need to install some thing else also in addition to
> that bundle  ? please give your some view points.
>
> Thanks
> sid
>
>
>
>
> --
> View this message in context: 
> http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018093.html
> Sent from the Apache Felix - Users mailing list archive at Nabble.com.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
> For additional commands, e-mail: users-h...@felix.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
For additional commands, e-mail: users-h...@felix.apache.org

Re: how to enable felix verify the contents of a signed bundle

2016-08-13 Thread sid19039 
Hi Karl,

for the test case, i myself corrupt the jar file. Following are the steps
which I performed:
- I simply extracted the content of valid signed .jar file then opened a
.class file(extracted from the jar) in notepad++ and 
  corrupted the file, simply by removing some data and adding some garbage
data and saved the file.
- And then created a new jar again with name my_tempered.jar.

To verify that the file is corrupt, i tested it with jarsigner tool as
following:
*jarsigner -verify my_tempered.jar*
It then threw "jarsigner: java.lang.SecurityException: invalid SHA1
signature file digest" for the corrupted .class file.
I was expecting such a similar error when trying to install this .jar bundle
file on felix but no error/exception was thrown.

I don't know exactly how to enable that framework security bundle to verify
a signed bundle  or do i need to install some thing else also in addition to
that bundle  ? please give your some view points.

Thanks
sid




--
View this message in context: 
http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018093.html
Sent from the Apache Felix - Users mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
For additional commands, e-mail: users-h...@felix.apache.org

Re: how to enable felix verify the contents of a signed bundle

2016-08-12 Thread Karl Pauls 
Hi sid,

see inline:


> after installing , i tried to start it as shown above but its state was
> still shown as Resolved,
> *5|Resolved   |1|Apache Felix Security Provider (2.4.0)|2.4.0*
>

this is ok - the security provider is an extension bundle.


> then i tried to install a sample corrupt jar file which was signed earliar
> using jarsigner tool provided by jdk 6 present on my windows machine. *I
> was
> expecting that this bundle won't install and some security exception would
> appear on the shell.
> But it was installed and a bundleid was allocated successfully as shown
> below:*
> g!
> g! install my_tempered3.jar
> Bundle ID: 6
> g!
>
> please tell , did i get wrong somewhere or missed some step ?
>

How do you know it is corrupt?

regards,

Karl


> Or what are the steps to enable signature verification in felix framework?
>
> i am a newbie here, please someone do share your view points.
>
> Thanks
> sid
>
>
>
>
>
>
>
>
>
>
> --
> View this message in context: http://apache-felix.18485.x6.
> nabble.com/how-to-enable-felix-verify-the-contents-of-
> a-signed-bundle-tp5018089.html
> Sent from the Apache Felix - Users mailing list archive at Nabble.com.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
> For additional commands, e-mail: users-h...@felix.apache.org
>
>


-- 
Karl Pauls
karlpa...@gmail.com