[kf-devel] Problem with Security-Layer in KF
jan at makewave.com
Wed Nov 9 15:35:48 CET 2011
Sorry, I forgot to CC the mailing list.
> One thing that I see is that the property "org.knopflerfish.framework.all_signed" is set to false. This means
> that KF will install bundles even if they aren't correctly signed and verified; the faulty signer is silently
> ignored, and the method Bundle.getSignerCertificates(SIGNERS_TRUSTED) will not return that signer.
> You can see what is happening by setting "org.knopflerfish.framework.debug.certficates" to true.
> Knopflerfish uses the crypto engine installed into the java runtime when verifying signers. We have tested
> with both SUN and BouncyCastle as crypto providers.
> Hope this explains,
> On 27 Oct 2011, at 10.26, michael.grammling at osglib.org wrote:
>> Hi all,
>> I'm just fiddling around with bundle signatures and the Conditional Permission Admin of KF and I made some security checks.
>> Bundle signatures:
>> The keystore seems to be loaded correctly. The check of the digests of the files within the MANIFEST.MF seems also to work correctly.
>> Now the strange part: If there is a signature file (*.SF), it is checked correctly. But if I fully remove it from the bundle, I can still install
>> the bundle. The *.DSA file seems not to be used for the check because I can fully remove it or exchange it for any other *.DSA file.
>> My configuration:
>> Do I have to change any settings or is the security layer not fully supported by KF 3.2.0 yet?
>> Thanks and best regards,
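
A pre-install check for the situation discussed in this thread, where a bundle whose *.SF or *.DSA file has been removed still installs. This is an added example, not Knopflerfish code and not from either poster; the class and method names are hypothetical. It uses the JDK's java.util.jar verification and only confirms that every payload entry carries a cryptographically valid signer, not that the signer is trusted by the framework's keystore.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;

// Added example (hypothetical names): reject a bundle JAR unless every payload entry is signed.
public class BundleSignatureCheck {
    // The manifest and the signature files in META-INF are not themselves signed.
    static boolean isSignatureFile(String name) {
        return name.toUpperCase(Locale.ROOT)
                   .matches("META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|DSA|RSA|EC)|SIG-[^/]*)");
    }

    // Returns the names of entries without a valid signer; an empty list means fully signed.
    static List<String> unsignedEntries(Path jar) throws IOException {
        List<String> unsigned = new ArrayList<>();
        try (JarFile jf = new JarFile(jar.toFile(), true)) {   // true = verify signatures
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                // Signers are only known once the entry has been read to the end;
                // a digest mismatch raises SecurityException during the read.
                try (InputStream in = jf.getInputStream(e)) {
                    in.readAllBytes();
                }
                if (e.getCodeSigners() == null) unsigned.add(e.getName());
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        Path jar;
        if (args.length > 0) {
            jar = Paths.get(args[0]);
        } else {
            // Constructed sample: an unsigned bundle with a single payload entry.
            jar = Files.createTempFile("unsigned-bundle", ".jar");
            Manifest mf = new Manifest();
            mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
            mf.getMainAttributes().putValue("Bundle-SymbolicName", "example.unsigned");
            try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar), mf)) {
                out.putNextEntry(new JarEntry("example/Activator.class"));
                out.write(new byte[] {(byte) 0xCA, (byte) 0xFE});
                out.closeEntry();
            }
        }
        List<String> bad = unsignedEntries(jar);
        System.out.println(bad.isEmpty() ? "all entries signed" : "REJECT, unsigned entries: " + bad);
    }
}
```

Run without arguments, it builds the constructed unsigned JAR and reports its entry as unsigned; pass a bundle path to check a real file (requires Java 9 or later for readAllBytes).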