Eclipse Community Forums
Missing code signer information for third party JAR [message #1737647] Mon, 11 July 2016 14:41
Martin Aulich
Hello everybody,

I have a question regarding signed third party JARs in OSGi bundles. It is about a custom ODA datasource for BIRT, but since I suspect my problem to be about the classloading, I used this forum - if I'm mistaken please shoot and I'll move the post.

My Goal:
Developing a BIRT ODA data source (as an OSGi bundle) which connects to a third party software. This software comes with a Java API, which is distributed in a signed JAR file. Furthermore this software enforces security checks to make sure that sensitive methods of the API are just called from their own (signed) classes. Hence they check the caller's signature (see: docs.oracle.com/javase/7/docs/api/java/lang/Class.html#getSigners()).

What I did so far:
I created an OSGi bundle via Maven, which contained my custom classes as well as the third party JAR. To make sure the classloading works, I have added the JAR to my bundle's class path using the following line in my manifest (the whole manifest can be found attached):
Bundle-ClassPath: target/lib/fs-access-5.2.311.jar,.

The manifest of the third party JAR looks like this (I have stripped out the sensitive parts):
Manifest-Version: 1.0
Implementation-Title: ...
Implementation-Version: ...
Specification-Vendor: ...
Application-Name: ...
...-Revision: ...
Created-By: 1.7.0_80-b15 (Oracle Corporation)
...-BuildTime: 28.01.2016 12:13:18
...-Branch:
...-ReleaseTag: R3
Implementation-Vendor: ...
Ant-Version: Apache Ant 1.9.4
Trusted-Library: true
...-Version: 5.2.311
Permissions: all-permissions
Specification-Title: ...
Specification-Version: ...
Main-Class: de/.../.../client/SomeClass
Codebase: *

Name: de/.../or/query/Constraint.class
SHA1-Digest: nN9F/bXjncHe0sZsRJehnnvo5/4=

I'm using a fresh BIRT bundled eclipse to test my bundle, no additional configuration made. At least none that I'm aware of.

My Problem:
The bundle can be compiled, packaged and deployed to the BIRT eclipse instance without any problems. The classes of the third party JAR can be resolved and if I'm printing the classloader it says EquinoxClassLoader...

But as soon as I call sensitive API code (which invokes a security check) I'm getting an Exception like this:

Exception in thread "main" java.lang.SecurityException: Access denied to full.qualified.ClassName! Class full.qualified.ClassName has missing or invalid signature!

Also when I'm manually retrieving the signer information via docs.oracle.com/javase/7/docs/api/java/lang/Class.html#getSigners(), it won't work and I'm getting null.

I've worked with this API JAR for a very long time in standalone applications and web applications without any issue, but I'm quite new to OSGi.

Can you please help me and suggest potential workarounds/means for a more detailed error analysis?

Thanks a lot in advance,
Martin
  • Attachment: MANIFEST.MF
Re: Missing code signer information for third party JAR [message #1737677 is a reply to message #1737647] Mon, 11 July 2016 21:30
Thomas Watson
Try setting the config.ini option:

osgi.signedcontent.support=certificate

By default Equinox will not parse signatures at runtime.

See: http://help.eclipse.org/neon/topic/org.eclipse.platform.doc.isv/reference/misc/runtime-options.html?resultof=%22%6f%73%67%69%2e%73%69%67%6e%65%64%63%6f%6e%74%65%6e%74%2e%73%75%70%70%6f%72%74%22%20#osgisignedcontentsupport
Re: Missing code signer information for third party JAR [message #1737705 is a reply to message #1737677] Tue, 12 July 2016 07:42
Martin Aulich
Thanks for the quick reply!

Sadly setting this parameter didn't change anything.

Is there any known limitation with regards to nested signed JARs?

[Updated on: Tue, 12 July 2016 07:47]
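
One way to do the more detailed error analysis asked for in this thread, as an added example that is not part of the original posts and not Equinox code: it compares the signer information the defining class loader attached to a class (what a Class.getSigners() check sees) with what java.util.jar reports for the same entry in the JAR on disk. The class name SignerDiagnostics and the methods loaderView and jarView are hypothetical names; the JAR path and class name are supplied by the caller.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.CodeSigner;
import java.security.CodeSource;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Hypothetical helper: loader-side signer info versus the JAR's own signature data. */
public class SignerDiagnostics {

    /** What the class loader attached; Class.getSigners()-based checks see exactly this. */
    static String loaderView(Class<?> c) {
        Object[] signers = c.getSigners();
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        URL location = (cs == null) ? null : cs.getLocation();
        CodeSigner[] codeSigners = (cs == null) ? null : cs.getCodeSigners();
        return "loader=" + c.getClassLoader()
             + " location=" + location
             + " getSigners=" + (signers == null ? "null" : signers.length)
             + " codeSigners=" + (codeSigners == null ? "null" : codeSigners.length);
    }

    /** Number of signers the JAR on disk carries for the same class, verified by java.util.jar. */
    static int jarView(String jarPath, Class<?> c) throws Exception {
        String entryName = c.getName().replace('.', '/') + ".class";
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify signatures
            JarEntry entry = jar.getJarEntry(entryName);
            if (entry == null) {
                throw new IllegalArgumentException(entryName + " not in " + jarPath);
            }
            // Signers are only available once the entry has been read to the end;
            // an entry whose digest does not match raises SecurityException here.
            try (InputStream in = jar.getInputStream(entry)) {
                byte[] buf = new byte[8192];
                while (in.read(buf) != -1) { /* drain */ }
            }
            CodeSigner[] signers = entry.getCodeSigners();
            return signers == null ? 0 : signers.length;
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the signed JAR, args[1]: fully qualified class name
        Class<?> c = Class.forName(args[1]);
        System.out.println(loaderView(c));
        System.out.println("jar signers for entry: " + jarView(args[0], c));
    }
}
```

Run standalone, main shows the plain class path case; to see what happens inside the framework, call loaderView from code in the bundle. If jarView reports signers while loaderView reports null, the JAR's signature is intact and the signer information is being dropped when the class is defined.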
