[kf-devel] Problem with Security-Layer in KF
Jan Stein
jan at makewave.com
Wed Nov 9 15:35:48 CET 2011
Sorry, I forgot to CC the mailing list.
BR, Jan
>
> Hi,
>
> One thing that I see is that the property "org.knopflerfish.framework.all_signed" is set to false. This means
> that KF will install bundles even if they aren't correctly signed and verified; the faulty signer is silently
> ignored, and the method Bundle.getSignerCertificates(SIGNERS_TRUSTED) will not return that signer.
> You can see what is happening by setting "org.knopflerfish.framework.debug.certficates" to true.
> Knopflerfish uses the crypto engine installed in the Java runtime when verifying signers. We have tested
> with both SUN and BouncyCastle as crypto providers.
>
> Hope this explains,
> Jan
>
> On 27 Oct 2011, at 10.26, michael.grammling at osglib.org wrote:
>
>>
>> Hi all,
>>
>> I'm just fiddling around with bundle signatures and the Conditional Permission Admin of KF and I made some security checks.
>>
>> Bundle signatures:
>> The keystore seems to be loaded correctly. The check of the digests of the files within the MANIFEST.MF seems also to work correctly.
>> Now the strange part: if there is a signature file (*.SF), it is checked correctly. But if I fully remove it from the bundle, I can still install
>> the bundle. The *.DSA file seems not to be used for the check, because I can fully remove it or replace it with any other *.DSA file.
>>
>> My configuration:
>> -Forg.osgi.framework.security=osgi
>> -Forg.knopflerfish.framework.all_signed=false
>> -Forg.knopflerfish.framework.validator=JKSValidator
>> -Forg.knopflerfish.framework.service.conditionalpermissionadmin=true
>> -Forg.knopflerfish.framework.service.permissionadmin=true
>> -Forg.knopflerfish.framework.validator.jks.ca_certs=E:/mykeystore
>> -Forg.knopflerfish.framework.validator.jks.ca_certs_password=mypassword
>>
>> Do I have to change any settings or is the security layer not fully supported by KF 3.2.0 yet?
>>
>> Thanks and best regards,
>> Michael
>>
>>
>
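The behaviour Jan describes (with all_signed=false an unverifiable bundle is still installed, but its signer disappears from the SIGNERS_TRUSTED view) can be audited from inside the framework. The following is an added example, not Knopflerfish code or anything from this thread; it assumes an OSGi R4.2+ framework that implements Bundle.getSignerCertificates, and the activator and method names are hypothetical:

```java
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;

import org.osgi.framework.Bundle;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.BundleEvent;
import org.osgi.framework.SynchronousBundleListener;

/**
 * Hypothetical audit activator: reports every bundle whose signature did not
 * verify against the configured keystore. Useful while all_signed=false, where
 * the framework installs such bundles silently; the durable fix is to set
 * org.knopflerfish.framework.all_signed=true so they are rejected at install.
 */
public class SignerAuditActivator implements BundleActivator, SynchronousBundleListener {

    public void start(BundleContext ctx) {
        ctx.addBundleListener(this);
        for (Bundle b : ctx.getBundles()) {
            report(b);                       // audit bundles installed before us
        }
    }

    public void stop(BundleContext ctx) {
        ctx.removeBundleListener(this);
    }

    public void bundleChanged(BundleEvent ev) {
        if (ev.getType() == BundleEvent.INSTALLED || ev.getType() == BundleEvent.UPDATED) {
            report(ev.getBundle());          // audit new or updated bundles synchronously
        }
    }

    /** Classifies a bundle by comparing the SIGNERS_ALL and SIGNERS_TRUSTED views. */
    static String classify(Bundle b) {
        if (b.getBundleId() == 0) return "SYSTEM";   // the system bundle is never signed
        Map<X509Certificate, List<X509Certificate>> all = b.getSignerCertificates(Bundle.SIGNERS_ALL);
        Map<X509Certificate, List<X509Certificate>> trusted = b.getSignerCertificates(Bundle.SIGNERS_TRUSTED);
        if (all.isEmpty()) return "UNSIGNED";
        if (trusted.isEmpty()) return "SIGNED_BUT_UNTRUSTED";   // signer dropped by the validator
        return "TRUSTED";
    }

    static void report(Bundle b) {
        System.out.println("[signer-audit] " + b.getSymbolicName() + " -> " + classify(b));
    }
}
```

A bundle reported as SIGNED_BUT_UNTRUSTED is exactly the case from the thread: it carries signature metadata, but nothing in it chains to the keystore named by org.knopflerfish.framework.validator.jks.ca_certs.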