[kf-devel] Problem with Security-Layer in KF

Jan Stein jan at makewave.com
Wed Nov 9 18:20:26 CET 2011


Hi,

The OSGI specification doesn't say much about what should happen. One thing, in the Core Specification section 2.3.3 it says:

For a complete bundle to be validly signed it is necessary that all signatures are valid. That is, if one of the signatures is invalid, the whole bundle must be treated as unsigned.

With this in mind I think that the only way forward (if any) is that you must implement your own bundle that checks that all bundles are correctly signed.

I agree that it could be useful to have a framework property that says that you are only allowed to install correctly signed bundles that are trusted, so that you can be sure that you only run code signed by you. This could be something for the next OSGi version. Hmm, maybe we should change KF to do this when you set the property "org.knopflerfish.framework.all_signed" to true.

   BR, Jan
 
P.S. I'll try to look at the mailing list program again to see if I can find why it complains about your posts.

On 9 nov 2011, at 16.23, michael.grammling at osglib.org wrote:

> Hi Jan,
> 
> I already checked this with the same result.
> But I can evaluate this with the "org.knopflerfish.framework.debug.certficates" flag again.
> 
> Nevertheless, the Felix framework has the same behaviour as KF.
> There was also a discussion about this issue in JIRA of Felix and a private discussion
> between me and Karl Pauls. https://issues.apache.org/jira/browse/FELIX-3147
> Most people there think that this is the right behaviour.
> 
> But there is a difference between KF and Felix. E.g. KF checks the hash values while
> installing. If the hash values are wrong the bundle cannot be installed. Actually this
> is the behaviour I would also expect and which I think is also the right one by looking
> at the OSGi specification:
> Check section 2.3.2 (Java JAR File Restrictions).
> Here you find information about what a valid bundle might be.
> If it does not meet these requirements it should be seen as damaged (IMO).
> The question is: Why should I be able to install a bundle with a wrong certificate in it?
> The certificate would only be checked by the Conditional Permission Admin then.
> IMO this is a security problem.
> 
> What do you think?
> 
> Best regards,
> Michael
> 
> 
>> ----- Original Message -----
>> From: Jan Stein
>> Sent: 09.11.11 15:35
>> To: knopflerfish-devel at knopflerfish.org
>> Subject: Re: [kf-devel] Problem with Security-Layer in KF
>> 
>> 
>> Sorry, I forgot to CC the mailing list.
>> 
>> BR, Jan 
>> 
>> > 
>> > Hi, 
>> > 
>> > One thing that I see is that the property "org.knopflerfish.framework.all_signed" is set to false. This means 
>> > that KF will install bundles even if they aren't correctly signed and verified, the faulty signer is silently 
>> > ignored and the method Bundle.getSignerCertificates(SIGNERS_TRUSTED) will not return that signer. 
>> > You can see what is happening by setting "org.knopflerfish.framework.debug.certficates" to true. 
>> > Knopflerfish uses the crypto engine installed into the java runtime when verifying signers. We have tested 
>> > with both SUN and BouncyCastle as crypto providers. 
>> > 
>> > Hope this explains, 
>> > Jan 
>> > 
>> > On 27 okt 2011, at 10.26, michael.grammling at osglib.org wrote: 
>> > 
>> >> 
>> >> Hi all, 
>> >> 
>> >> I'm just fiddling around with bundle signatures and the Conditional Permission Admin of KF and I made some security checks. 
>> >> 
>> >> Bundle signatures: 
>> >> The keystore seems to be loaded correctly. The check of the digests of the files within the MANIFEST.MF seems also to work correctly. 
>> >> Now the strange part: If there is a signature file (*.SF), it is checked correctly. But if I fully remove it from the bundle I can still install 
>> >> the bundle. The *.DSA file seems not to be used for the check because I can fully remove it or exchange it by any other *.DSA file. 
>> >> 
>> >> My configuration: 
>> >> -Forg.osgi.framework.security=osgi 
>> >> -Forg.knopflerfish.framework.all_signed=false 
>> >> -Forg.knopflerfish.framework.validator=JKSValidator 
>> >> -Forg.knopflerfish.framework.service.conditionalpermissionadmin=true 
>> >> -Forg.knopflerfish.framework.service.permissionadmin=true 
>> >> -Forg.knopflerfish.framework.validator.jks.ca_certs=E:/mykeystore 
>> >> -Forg.knopflerfish.framework.validator.jks.ca_certs_password=mypassword 
>> >> 
>> >> Do I have to change any settings or is the security layer not fully supported by KF 3.2.0 yet? 
>> >> 
>> >> Thanks and best regards, 
>> >> Michael 
>> >> 
>> >> 
>> >> _______________________________________________ 
>> >> Knopflerfish-devel mailing list 
>> >> Knopflerfish-devel at knopflerfish.org 
>> >> http://www.knopflerfish.org/mailman/listinfo/knopflerfish-devel 
>> > 
>> 
>> 
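The thread turns on two points: the Core Specification sentence Jan quotes (if any signature is invalid the whole bundle must be treated as unsigned) and Michael's observation that a bundle still installs after its *.SF or *.DSA file is removed or swapped. The following is an added example, not Knopflerfish or Felix code, of the kind of "own bundle that checks that all bundles are correctly signed" Jan suggests. It uses only the standard `java.util.jar` verifier: the class name `BundleSignatureCheck`, the `Result` type and the rule that every content entry must carry the same signer set are this example's own choices, and it deliberately stops short of trust evaluation against a keystore (the JKSValidator step in the thread), which would be a separate check on the returned signer certificates.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.regex.Pattern;

/**
 * Added example (not Knopflerfish code). Decides whether a bundle JAR is
 * "validly signed" in the sense quoted from OSGi Core 2.3.3: every
 * signature must verify and every content entry must be covered by the
 * same signers. Any defect (a .SF without its signature block, a missing
 * signer on an entry, a digest mismatch) makes the bundle count as unsigned.
 */
public final class BundleSignatureCheck {

    // JAR metadata that is itself not signed: manifest, signature files and
    // their signature blocks (other META-INF resources are expected to be signed).
    private static final Pattern SIG_RELATED = Pattern.compile(
        "^META-INF/([^/]+\\.(SF|DSA|RSA|EC)|MANIFEST\\.MF)$", Pattern.CASE_INSENSITIVE);

    public static final class Result {
        public final boolean validlySigned;
        public final Set<String> signerSubjects;
        public final String reason;
        Result(boolean ok, Set<String> signers, String reason) {
            this.validlySigned = ok; this.signerSubjects = signers; this.reason = reason;
        }
        static Result unsigned(String why) { return new Result(false, Collections.emptySet(), why); }
    }

    public static Result check(File jar) throws IOException {
        // verify=true: JarFile checks each entry digest against MANIFEST.MF
        // and the manifest against the .SF while the entry is being read.
        try (JarFile jf = new JarFile(jar, true)) {
            List<JarEntry> entries = Collections.list(jf.entries());

            // 1. Structural check: each .SF needs its block file and vice versa,
            //    so a removed or swapped .DSA file is detected explicitly instead
            //    of the JDK silently dropping that signer.
            Set<String> sfBases = new HashSet<>();
            Set<String> blockBases = new HashSet<>();
            for (JarEntry e : entries) {
                String n = e.getName().toUpperCase(Locale.ROOT);
                if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) continue; // top level of META-INF only
                if (n.endsWith(".SF")) sfBases.add(n.substring(0, n.length() - 3));
                else if (n.endsWith(".DSA") || n.endsWith(".RSA")) blockBases.add(n.substring(0, n.length() - 4));
                else if (n.endsWith(".EC")) blockBases.add(n.substring(0, n.length() - 3));
            }
            if (sfBases.isEmpty()) return Result.unsigned("no signature file present");
            if (!sfBases.equals(blockBases))
                return Result.unsigned("signature file / block file mismatch: " + sfBases + " vs " + blockBases);

            // 2. Read every entry fully so the digest check runs; a tampered
            //    entry throws SecurityException. After reading, getCodeSigners()
            //    is reliable; a null result means no valid signature covers it.
            Set<String> expectedSigners = null;
            byte[] buf = new byte[8192];
            for (JarEntry e : entries) {
                if (e.isDirectory()) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* consume to trigger verification */ }
                } catch (SecurityException ex) {
                    return Result.unsigned("digest mismatch in " + e.getName() + ": " + ex.getMessage());
                }
                if (SIG_RELATED.matcher(e.getName()).matches()) continue;
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) return Result.unsigned("unsigned entry " + e.getName());
                Set<String> subjects = new TreeSet<>();
                for (CodeSigner s : signers) {
                    X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    subjects.add(leaf.getSubjectX500Principal().getName());
                }
                if (expectedSigners == null) expectedSigners = subjects;
                else if (!expectedSigners.equals(subjects))
                    return Result.unsigned("entry " + e.getName() + " is signed by a different signer set");
            }
            if (expectedSigners == null) return Result.unsigned("no signed content entries");
            return new Result(true, expectedSigners, "all entries signed and verified");
        }
    }

    public static void main(String[] args) throws IOException {
        Result r = check(new File(args[0]));
        System.out.println((r.validlySigned ? "VALIDLY SIGNED by " + r.signerSubjects : "TREAT AS UNSIGNED")
            + " (" + r.reason + ")");
    }
}
```

Run it as `java BundleSignatureCheck some-bundle.jar`. The structural step is what makes the thread's experiment visible: with the *.DSA file deleted the JDK verifier simply treats the .SF as absent and reports no signers, which is exactly the silent-ignore behaviour Jan describes for `all_signed=false`; the explicit .SF/.DSA pairing check turns that into a rejection. Which signers are actually trusted (the keystore lookup) is a separate decision taken on `signerSubjects` or the underlying certificate paths.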
