Re: [equinox-dev] keystores and signature recognition

I don't think you should have to provide the option
osgi.signedcontent.support="runtime" to enable the BundleSignerCondition to
work.  My guess is there is something wrong with the condition you set and
matching it to the signer you used to sign your bundles.  If you are able
to, you should try stepping through
org.osgi.service.condpermadmin.BundleSignerCondition.getCondition(Bundle,
ConditionInfo) to see if your condition is matching the bundles you have
signed.

For your scenario I think you want two rows in the condition table:

Allow {
	[org.osgi.service.condpermadmin.BundleSignerCondition "o=TEST" ]
	( java.security.AllPermission "*" "*" )
} "SignedByTest"

Allow {
	[org.osgi.service.condpermadmin.BundleSignerCondition "o=TEST" "!" ]
	.... // set of permissions for all other bundles
} "AllOthers"

Make sure you are using
org.osgi.service.condpermadmin.ConditionalPermissionUpdate so you can add
the two rows as an atomic operation so that both rows take effect at the
same time.

Tom




From: "Kapukaranov, Borislav" <borislav.kapukaranov@xxxxxxx>
To: Equinox development mailing list <equinox-dev@xxxxxxxxxxx>
Date: 12/09/2011 10:00 AM
Subject: [equinox-dev] keystores and signature recognition

Hi,

I’ve been trying Equinox’s Conditional Permission Admin and can’t get it to
run with signed bundles.
I’ve seen past threads in this ML but it seems a lot has changed, as most
of the properties now have different names or accepted values. Looking at
the Eclipse Runtime Options page was helpful but not enough.

I start the framework with Equinox launcher and pass these security
properties:
-Declipse.security="osgi"
-Dosgi.signedcontent.support="runtime"
-Dosgi.framework.keystore=file:/C:/DEV/SEC/myKeystore – note the keystore
is password protected.
I have a bunch of bundles in my p2 managed /plugins folder that are signed.
I also have a simple bundle that registers a conditional ALL permission to
every bundle that is signed with my keystore. Here is the string I used:
Allow {
[org.osgi.service.condpermadmin.BundleSignerCondition "o=TEST" ]
( java.security.AllPermission "*" "*" )
}

The problem is that after my permissions bundle commits the changes
everyone loses any permission. That’s probably because my bundle populates
the conditional policy table so now it doesn’t default to <<all
permission>> but obviously my signature isn’t recognized so all bundles
lose their current permissions.

Can you help me? I must be missing something or doing it wrong…

Thank you,
Borislav
 _______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/equinox-dev
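
The reply's advice to add both rows through one ConditionalPermissionUpdate, written as a bundle activator. This is an added example, not code from the thread or from Equinox; the class name PolicyActivator, the retry count and the PackagePermission in the second row are assumptions (the thread leaves that row's permissions unspecified), and it assumes the OSGi Core R4.3 or later API.

```java
import java.util.List;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;

// Hypothetical activator; the name and the retry count are assumptions of this example.
public class PolicyActivator implements BundleActivator {
    private static final String SIGNER = "org.osgi.service.condpermadmin.BundleSignerCondition";

    // Row 1: bundles whose signer chain matches o=TEST get AllPermission.
    static final String SIGNED_BY_TEST = "ALLOW { [" + SIGNER + " \"o=TEST\"] "
        + "(java.security.AllPermission \"*\" \"*\") } \"SignedByTest\"";

    // Row 2: the second argument "!" negates the match, so this row covers every other bundle.
    // The PackagePermission is a constructed placeholder for the unspecified permission set.
    static final String ALL_OTHERS = "ALLOW { [" + SIGNER + " \"o=TEST\" \"!\"] "
        + "(org.osgi.framework.PackagePermission \"*\" \"import\") } \"AllOthers\"";

    @Override
    public void start(BundleContext context) throws Exception {
        ServiceReference<ConditionalPermissionAdmin> ref =
            context.getServiceReference(ConditionalPermissionAdmin.class);
        if (ref == null) {
            throw new IllegalStateException("ConditionalPermissionAdmin service not available");
        }
        ConditionalPermissionAdmin cpa = context.getService(ref);
        try {
            boolean committed = false;
            // commit() returns false if the table changed after the update was created, so retry.
            for (int attempt = 0; attempt < 3 && !committed; attempt++) {
                ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
                List<ConditionalPermissionInfo> rows = update.getConditionalPermissionInfos();
                rows.clear(); // replace existing rows so a restart does not add duplicate names
                rows.add(cpa.newConditionalPermissionInfo(SIGNED_BY_TEST));
                rows.add(cpa.newConditionalPermissionInfo(ALL_OTHERS));
                committed = update.commit(); // both rows take effect in one step
            }
            if (!committed) throw new IllegalStateException("permission table update failed");
        } finally {
            context.ungetService(ref);
        }
    }

    @Override
    public void stop(BundleContext context) { }
}
```

Because the table is replaced in a single commit, there is no window in which only the first row is active and unsigned bundles are left without any permissions.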