How to correctly use BundleSignerCondition and manage keys to make a secure OSGI environment based on bundles signature?

Question

So here is my problem : I'm trying to create a secure OSGI (knopflerfish 5.0.0) environment based on bundles signatures. I have an admin bundle that uses the Conditional Permission Admin service and update the policy table with a policy file. Everything works fine with permissions based on bundles locations : all the bundles that are located in the « sandbox » folder have restricted permissions, the others have all permissions. But I also want to grant all permissions for bundles with a particular signature, despite of their location. So here is my policy file:

ALLOW {[org.osgi.service.condpermadmin.BundleSignerCondition "*,o=Orange" ](java.security.AllPermission)} "all_signed"

DENY {[org.osgi.service.condpermadmin.BundleLocationCondition "file:/home/martinelli/Bureau/workspace/sandbox/*"](java.lang.RuntimePermission "exitVM")}"sandbox"

ALLOW { (java.security.AllPermission) }"all"

So in theory, bundles that are in the sandbox folder can't use System.exit(), except bundles signed by Orange, that have all permissions. I created 2 identical bundles, one not signed and the other signed by jarsigner with this distinguished name (created with keytool) :

X.509, CN=Martinelli Bastien, OU=test, O=Orange, L=Meylan, ST=RA, C=FR (key)

But the two bundles throw a Security Exception when I try to call System.exit().

I tried to change the filter in my BundleSignerCondition without effect. Now I think it's about the configuration of the default keystore in knopflerfish or something like that.

Do you have an idea of what's wrong with it?

Answer 1

Problem solved.

When using Bundle Signature Condition, it is necessary to configure these properties:

• org.knopflerfish.framework.validator=JKSValidator
• org.knopflerfish.framework.validator.jks.ca_certs= "keystore file path"
• org.knopflerfish.framework.validator.jks.ca_certs_password= "password"

I configured these properties in the props.xarg file. But this file is only used at the first start of the knopflerfish framework. In fact, when the framework is started for the first time, a folder named fwdir is created. this folder contains data that are used for restarting the framework.

So if this folder exist there is 3 solutions:

• run the framework with these properties (java -jar framework.jar -Forg.knopflerfish.framework.validator.jks.ca_certs="keystore file path" ...)

• set the properties in the .xargs file of the fwdir folder

• set the properties in the props.xargs file and delete the fwdir folder to force restart from init.xargs (initialization).