Re: how to enable felix verify the contents of a signed bundle
If I understand you correctly you want to:

a) prevent any bundle to open any socket
b) prevent bundles not signed by your certificate from being installed

In regard to a, can't you just put a DENY java.net.SocketPermission at the beginning of your policy?

In regard to b, I guess the best I can think of in a hurry is to first grant AdminPermission["signer=CN=XZX,O=XYX,C=XX",LIFECYCLE] and then DENY AdminPermission["*",LIFECYCLE]

Keep in mind that the permission order is important hence, if you e.g. for b first allow AdminPermission LIFECYCLE for bundles signed by your CA and then DENY AdminPermission it basically will only allow to install bundles signed by your CA.

Does this help?

regards,

Karl

On Thu, Sep 15, 2016 at 11:38 AM, sid19039 wrote:
>
> Hello @Karl and @Robert, again thank you so much for your help.
> And I am sorry for this late reply for I got occupied in other priority
> activities.
> Yeah, I tried Robert's point and it worked well.
> We created our security bundle which reads the following policy file to
> bring it into picture via ConditionalPermissionAdmin.
> policy file:
>
>     ALLOW {
>         [ org.osgi.service.condpermadmin.BundleSignerCondition "CN=XZX, O=XYX, C=XX" ]
>         ( java.security.AllPermission "*" "*")
>     } "Bundles Signed by XZX certificate get AllPermission"
>
>     ALLOW {
>         [org.osgi.service.condpermadmin.BundleLocationCondition "file:/D:/dir_A/dir_B/felix-framework 5.4.0/bundle/*"]
>         (java.security.AllPermission "*" "*")
>     } "Existing bundles of felix"
>
>     DENY {
>         (java.security.AllPermission "*" "*")
>     } "And give denied permissions to all bundles"
>
> In above set of permissions, first ALLOW set of permissions gives all
> permission to all bundles which are signed by our certificate. Second set of
> permissions assign all permissions to all those bundles which are already
> present in felix framework default bundle directory. And Third set denies
> all permissions to all those bundles which are not signed by our certificate
> or which are unsigned and which are not present in default bundle directory
> of felix framework.
>
> Now, signed bundles are successfully installed, become active and run fine
> with all permission granted.
> But we want to restrict all running bundles to not able to access any
> ethernet port on device inside which our felix framework is running. How can
> we deny this particular permission to a bundle?
>
> Moreover, a bundle which is not signed or signed with any other certificate,
> also gets installed in the framework without giving any security exception,
> though an *unresolved exception as shown below*, appears on the console when
> we try to start this unsigned bundle:
>
> *org.osgi.framework.BundleException: Unable to resolve TCPModBus [14](R 14.0): missing requirement [TCPModBus [14](R 14.0)] osgi.wiring.package; (&(osgi.wiring.package=org.osgi.framework)(version>=1.3.0)) Unresolved requirements: [[TCPModBus [14](R 14.0)] osgi.wiring.package; (&(osgi.wiring.package=org.osgi.framework)(version>=1.3.0))]*
>
> Is there any way to prevent these unsigned bundles or bundles signed with
> other certificates from even being installed into the framework?
>
> Regards
> Siddharth

--
Karl Pauls
karlpa...@gmail.com
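The ordering described in this reply, written out as one complete table. This is an added example, not code from the thread or from the Felix project: it uses the standard ConditionalPermissionAdmin API with the DN and bundle path quoted from Siddharth's policy file, and the class name `PolicyActivator` and the row names are assumptions.

```java
import java.util.List;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;

// Added example (hypothetical class name): installs an ordered policy table.
public class PolicyActivator implements BundleActivator {

    // Rows are evaluated top to bottom and the first row that applies decides,
    // so the narrow rows must sit above the broad AllPermission rows.
    // AdminPermission names are filters; "signer" matches the signer of the
    // bundle being acted on.
    private static final String[] ROWS = {
        "DENY { (java.net.SocketPermission \"*\" \"connect,accept,listen,resolve\") } \"No sockets for any bundle\"",
        "ALLOW { (org.osgi.framework.AdminPermission \"(signer=CN=XZX,O=XYX,C=XX)\" \"lifecycle\") } \"Lifecycle on bundles signed by our CA\"",
        "DENY { (org.osgi.framework.AdminPermission \"*\" \"lifecycle\") } \"No lifecycle on any other bundle\"",
        "ALLOW { [org.osgi.service.condpermadmin.BundleSignerCondition \"CN=XZX, O=XYX, C=XX\"] (java.security.AllPermission \"*\" \"*\") } \"Bundles signed by XZX\"",
        "ALLOW { [org.osgi.service.condpermadmin.BundleLocationCondition \"file:/D:/dir_A/dir_B/felix-framework 5.4.0/bundle/*\"] (java.security.AllPermission \"*\" \"*\") } \"Existing bundles of felix\"",
        "DENY { (java.security.AllPermission \"*\" \"*\") } \"Everything else\""
    };

    @Override
    public void start(BundleContext context) {
        ServiceReference<ConditionalPermissionAdmin> ref =
            context.getServiceReference(ConditionalPermissionAdmin.class);
        if (ref == null) {
            throw new IllegalStateException("ConditionalPermissionAdmin service not available");
        }
        ConditionalPermissionAdmin admin = context.getService(ref);
        ConditionalPermissionUpdate update = admin.newConditionalPermissionUpdate();
        List<ConditionalPermissionInfo> infos = update.getConditionalPermissionInfos();
        infos.clear();                                   // replace the whole table
        for (String row : ROWS) {
            infos.add(admin.newConditionalPermissionInfo(row));  // parses the encoded row
        }
        if (!update.commit()) {                          // false: table changed since the update was created
            throw new IllegalStateException("policy table was modified concurrently");
        }
    }

    @Override
    public void stop(BundleContext context) {
    }
}
```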
Re: how to enable felix verify the contents of a signed bundle
Sid

I'm afraid I don't know the answer to this question. Sorry

Robert

On Fri, Oct 21, 2016 at 12:44 PM, sid19039 wrote:
> Hello,
>
> Please provide some inputs/suggestions on the above scenario...
>
> Regards
> Siddharth
Re: how to enable felix verify the contents of a signed bundle
Hello,

Please provide some inputs/suggestions on the above scenario...

Regards
Siddharth
Re: how to enable felix verify the contents of a signed bundle
Hello @Karl and @Robert, again thank you so much for your help.
And I am sorry for this late reply for I got occupied in other priority activities.
Yeah, I tried Robert's point and it worked well.
We created our security bundle which reads the following policy file to bring it into picture via ConditionalPermissionAdmin.
policy file:

    ALLOW {
        [ org.osgi.service.condpermadmin.BundleSignerCondition "CN=XZX, O=XYX, C=XX" ]
        ( java.security.AllPermission "*" "*")
    } "Bundles Signed by XZX certificate get AllPermission"

    ALLOW {
        [org.osgi.service.condpermadmin.BundleLocationCondition "file:/D:/dir_A/dir_B/felix-framework 5.4.0/bundle/*"]
        (java.security.AllPermission "*" "*")
    } "Existing bundles of felix"

    DENY {
        (java.security.AllPermission "*" "*")
    } "And give denied permissions to all bundles"

In above set of permissions, first ALLOW set of permissions gives all permission to all bundles which are signed by our certificate. Second set of permissions assign all permissions to all those bundles which are already present in felix framework default bundle directory. And Third set denies all permissions to all those bundles which are not signed by our certificate or which are unsigned and which are not present in default bundle directory of felix framework.

Now, signed bundles are successfully installed, become active and run fine with all permission granted.
But we want to restrict all running bundles to not able to access any ethernet port on device inside which our felix framework is running. How can we deny this particular permission to a bundle?

Moreover, a bundle which is not signed or signed with any other certificate, also gets installed in the framework without giving any security exception, though an *unresolved exception as shown below*, appears on the console when we try to start this unsigned bundle:

*org.osgi.framework.BundleException: Unable to resolve TCPModBus [14](R 14.0): missing requirement [TCPModBus [14](R 14.0)] osgi.wiring.package; (&(osgi.wiring.package=org.osgi.framework)(version>=1.3.0)) Unresolved requirements: [[TCPModBus [14](R 14.0)] osgi.wiring.package; (&(osgi.wiring.package=org.osgi.framework)(version>=1.3.0))]*

Is there any way to prevent these unsigned bundles or bundles signed with other certificates from even being installed into the framework?

Regards
Siddharth
Re: how to enable felix verify the contents of a signed bundle
Hi Siddharth,

as Robert is correctly pointing out: the next step is to actually define your security policy. His example gives all permission to all bundles that are correctly signed by a given certificate. Granted, that might be a little broad but it would be a start. If you tell us more about what you are actually trying to get working we probably could help you with a more specific policy (e.g., there is a way to only give install permission for bundles that are signed iirc).

regards,

Karl

On Mon, Aug 22, 2016 at 6:53 PM, Robert Onslow wrote:
> Sid
> Did you try my recipe?
> Robert
>
> On Mon, Aug 22, 2016 at 8:12 AM, sid19039 wrote:
> > Hello
> > @Robert and @Karl, Thank you so much for your answers.
> >
> > Via
> > -Dfelix.keystore=file:certificates.ks -Dfelix.keystore.pass=foobar
> > -Dfelix.keystore.type=jks
> > I am able to verify the bundle against its signature now. First, I was
> > mentioning the path to keystore file as
> > -Dfelix.keystore=file:my.keystore, didn't know absolute path is required to
> > be given, but then I mentioned the absolute path to my.keystore file as
> > -Dfelix.keystore=file:/D:A/B/my.keystore then I was able to verify the
> > signed bundle successfully.
> > But the problem is: an unsigned bundle is still being allowed to be
> > installed into the framework.
> > Also if I remove any of .SF and .DSA file or both files from jar file then
> > again no error occurred while installing the jar file and it installed
> > successfully.
> > Is there any another configuration left to be set which prevents unsigned
> > bundle from being installed and show error on console?
> > please share view points.
> >
> > Thanks
> > siddharth

--
Karl Pauls
karlpa...@gmail.com
Re: how to enable felix verify the contents of a signed bundle
Sid

Did you try my recipe?

Robert

On Mon, Aug 22, 2016 at 8:12 AM, sid19039 wrote:
> Hello
> @Robert and @Karl, Thank you so much for your answers.
>
> Via
> -Dfelix.keystore=file:certificates.ks -Dfelix.keystore.pass=foobar
> -Dfelix.keystore.type=jks
> I am able to verify the bundle against its signature now. First, I was
> mentioning the path to keystore file as
> -Dfelix.keystore=file:my.keystore, didn't know absolute path is required to
> be given, but then I mentioned the absolute path to my.keystore file as
> -Dfelix.keystore=file:/D:A/B/my.keystore then I was able to verify the
> signed bundle successfully.
> But the problem is: an unsigned bundle is still being allowed to be
> installed into the framework.
> Also if I remove any of .SF and .DSA file or both files from jar file then
> again no error occurred while installing the jar file and it installed
> successfully.
> Is there any another configuration left to be set which prevents unsigned
> bundle from being installed and show error on console?
> please share view points.
>
> Thanks
> siddharth
Re: how to enable felix verify the contents of a signed bundle
Hello
@Robert and @Karl, Thank you so much for your answers.

Via
-Dfelix.keystore=file:certificates.ks -Dfelix.keystore.pass=foobar -Dfelix.keystore.type=jks
I am able to verify the bundle against its signature now. First, I was mentioning the path to keystore file as -Dfelix.keystore=file:my.keystore, didn't know absolute path is required to be given, but then I mentioned the absolute path to my.keystore file as -Dfelix.keystore=file:/D:A/B/my.keystore then I was able to verify the signed bundle successfully.
But the problem is: an unsigned bundle is still being allowed to be installed into the framework.
Also if I remove any of .SF and .DSA file or both files from jar file then again no error occurred while installing the jar file and it installed successfully.
Is there any another configuration left to be set which prevents unsigned bundle from being installed and show error on console?
please share view points.

Thanks
siddharth
Re: how to enable felix verify the contents of a signed bundle
Hi Siddharth,

I'm not sure what is going on exactly but I'm guessing you signed the bundle with a certificate that felix doesn't know about (i.e., it's not trusted).

Could you try to import your root certificate into a keystore as a trusted certificate and point felix to that keystore like this:

    -Dfelix.keystore=file:certificates.ks -Dfelix.keystore.pass=foobar -Dfelix.keystore.type=jks

and see if that makes a difference? If it doesn't help, could you maybe share a failing set-up with me?

regards,

Karl

On Tue, Aug 16, 2016 at 1:31 PM, sid19039 wrote:
>
> Hello,
>
> Could someone please tell how can I use this felix framework security
> bundle (mentioned in above posts) for signature verification?
> Do I need to declare any package provided by this security bundle into
> import-package manifest header of my bundle to enable it?
> From now onward, I am not able to find any direction where to proceed.
> Please someone tell how I can proceed further.
>
> Thanks
> Siddharth

--
Karl Pauls
karlpa...@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls
Re: how to enable felix verify the contents of a signed bundle
Hello,

Could someone please tell how can I use this felix framework security bundle (mentioned in above posts) for signature verification?
Do I need to declare any package provided by this security bundle into import-package manifest header of my bundle to enable it?
From now onward, I am not able to find any direction where to proceed.
Please someone tell how I can proceed further.

Thanks
Siddharth
Re: how to enable felix verify the contents of a signed bundle
Sid

You need to tell the framework something about what to expect from the signed bundles.

To do this, pick up the ConditionalPermissionAdmin service and register a new ConditionalPermissionInfo.

Something like this in an Activator

    import java.security.AllPermission;
    import java.util.List;
    import org.osgi.framework.ServiceReference;
    import org.osgi.service.condpermadmin.BundleSignerCondition;
    import org.osgi.service.condpermadmin.ConditionInfo;
    import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
    import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
    import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
    import org.osgi.service.permissionadmin.PermissionInfo;

    // Inside the activator's start(BundleContext context) method:
    ServiceReference<ConditionalPermissionAdmin> ref =
        context.getServiceReference(ConditionalPermissionAdmin.class);
    ConditionalPermissionAdmin admin = context.getService(ref);
    ConditionalPermissionUpdate update = admin.newConditionalPermissionUpdate();
    List<ConditionalPermissionInfo> infos = update.getConditionalPermissionInfos();

    // infos.clear();

    // One ALLOW row: bundles whose signer chain matches the DN pattern get AllPermission.
    infos.add(admin.newConditionalPermissionInfo(
        "Signed Bundles",
        new ConditionInfo[] {
            new ConditionInfo(BundleSignerCondition.class.getName(),
                new String[] { "CN=CommonName, O=OrgName, STREET=Top Street, , L=Newtown, ST=Kansas, OID.2.5.4.17=ZipCode, C=GB ; -" })
        },
        new PermissionInfo[] {
            new PermissionInfo(AllPermission.class.getName(), "*", "*"),
        },
        ConditionalPermissionInfo.ALLOW));
    update.commit();

Robert

On Sat, Aug 13, 2016 at 6:32 PM, sid19039 wrote:
> Hi Karl,
>
> for the test case, I myself corrupt the jar file. Following are the steps
> which I performed:
> - I simply extracted the content of valid signed .jar file then opened a
> .class file (extracted from the jar) in notepad++ and
> corrupted the file, simply by removing some data and adding some garbage
> data and saved the file.
> - And then created a new jar again with name my_tempered.jar.
>
> To verify that the file is corrupt, I tested it with jarsigner tool as
> following:
> *jarsigner -verify my_tempered.jar*
> It then threw "jarsigner: java.lang.SecurityException: invalid SHA1
> signature file digest" for the corrupted .class file.
> I was expecting such a similar error when trying to install this .jar bundle
> file on felix but no error/exception was thrown.
>
> I don't know exactly how to enable that framework security bundle to verify
> a signed bundle or do I need to install something else also in addition to
> that bundle? please give your some view points.
>
> Thanks
> sid
Re: how to enable felix verify the contents of a signed bundle
Hi Karl,

for the test case, I myself corrupt the jar file. Following are the steps which I performed:
- I simply extracted the content of valid signed .jar file then opened a .class file (extracted from the jar) in notepad++ and corrupted the file, simply by removing some data and adding some garbage data and saved the file.
- And then created a new jar again with name my_tempered.jar.

To verify that the file is corrupt, I tested it with jarsigner tool as following:
*jarsigner -verify my_tempered.jar*
It then threw "jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest" for the corrupted .class file.
I was expecting such a similar error when trying to install this .jar bundle file on felix but no error/exception was thrown.

I don't know exactly how to enable that framework security bundle to verify a signed bundle or do I need to install something else also in addition to that bundle? please give your some view points.

Thanks
sid
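The tamper test in this message, and the removed .SF/.DSA case raised elsewhere in the thread, can be checked outside the framework before a bundle is handed to `install`. The following is an added example, not code from the thread or from Felix: a stand-alone check built on the JDK's `JarFile` verification, where the class name and command-line arguments are assumptions and the trusted certificate is assumed to appear in the signer chain embedded in the JAR.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class name): pre-install signature check for a bundle JAR.
public class BundleSignatureCheck {
    // The manifest and signature files are the signing metadata, not signed content.
    static final String SIG_FILES = "(?i)META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|DSA|RSA|EC))";

    // Every certificate stored in the keystore is treated as trusted.
    static Set<Certificate> loadTrusted(String path, String type, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        Set<Certificate> trusted = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c != null) trusted.add(c);
        }
        return trusted;
    }

    // Throws SecurityException if an entry is modified, unsigned, or signed by an unknown chain.
    static void verify(File jar, Set<Certificate> trusted) throws Exception {
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar, true)) {            // true = verify signatures
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || e.getName().matches(SIG_FILES)) continue;
                // Digests are checked only when the entry has been read to the end;
                // a modified entry raises SecurityException at that point.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = e.getCodeSigners();     // null when the entry is not signed
                if (signers == null)
                    throw new SecurityException("unsigned entry: " + e.getName());
                if (!chainsToTrusted(signers, trusted))
                    throw new SecurityException("untrusted signer for: " + e.getName());
            }
        }
    }

    static boolean chainsToTrusted(CodeSigner[] signers, Set<Certificate> trusted) {
        for (CodeSigner s : signers)
            for (Certificate c : s.getSignerCertPath().getCertificates())
                if (trusted.contains(c)) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        // usage: BundleSignatureCheck <bundle.jar> <keystore> <storetype> <storepass>
        verify(new File(args[0]), loadTrusted(args[1], args[2], args[3].toCharArray()));
        System.out.println("OK: every entry is signed by a trusted certificate");
    }
}
```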
Re: how to enable felix verify the contents of a signed bundle
Hi sid,

see inline:

> after installing, I tried to start it as shown above but its state was
> still shown as Resolved,
> *5|Resolved |1|Apache Felix Security Provider (2.4.0)|2.4.0*

this is ok - the security provider is an extension bundle.

> then I tried to install a sample corrupt jar file which was signed earlier
> using jarsigner tool provided by jdk 6 present on my windows machine. *I was
> expecting that this bundle won't install and some security exception would
> appear on the shell.
> But it was installed and a bundleid was allocated successfully as shown
> below:*
> g!
> g! install my_tempered3.jar
> Bundle ID: 6
> g!
>
> please tell, did I get wrong somewhere or missed some step?

How do you know it is corrupt?

regards,

Karl

> Or what are the steps to enable signature verification in felix framework?
>
> I am a newbie here, please someone do share your view points.
>
> Thanks
> sid

--
Karl Pauls
karlpa...@gmail.com