Subject: Re: Implementing security features in Celix
From: Alexander Broekhuis
To: celix-dev@incubator.apache.org
Date: Thu, 14 Nov 2013 10:51:12 +0100

Hi,

Just my thoughts for this topic.

2013/11/14

> What is the best way to implement security features (e.g. signed bundles)
> into Celix?
> - include it as a linked library?
> - put it directly into the framework?
> - or create a security bundle, but make sure it loads first?
> What are the advantages and disadvantages of the options? Would for
> example having a bundle give the option to reuse parts of the security
> bundle to do data encryption?

Per option:

* Linked library:
  Benefit: Inherent part of the framework, security is always available.
  Drawback: Additional dependencies (ssl etc).
* Directly into the framework:
  Same as with a library.
* Bundle:
  Benefit: Can be enabled/disabled.
  Drawback: Should be loaded first, Celix doesn't have StartLevel support, and I doubt this is a good use case for it...

Some more info. At first I thought Java OSGi solely relies on Java's own mechanisms. But this isn't the case. The OSGi specification states that it has a more restricted usage, i.e. normally JARs can be signed partially; OSGi doesn't allow this.

So looking into how Felix solved it: they use a bundle, but not a normal bundle. Security is deployed in an extension bundle. Extension bundles are detailed in the spec, which states that the framework has to be restarted when an extension is installed/updated/removed.

What does this mean for Celix? At the moment Celix doesn't support extension bundles because there is no code sharing support. So for now having security in a bundle doesn't make sense. Also, seeing that an extension bundle extends the framework, a linked library might make more sense. But directly linking with a library creates additional dependencies, so a better solution would be to use a library and at startup check if it is available, and load the library and its symbols only then. This gives the user flexibility wrt compilation/linking and in usage.

> Concerning activation and configuration:
> - include a configuration option to (de)activate the requirement of signed
> bundles?
> - choose whether or not signed bundles are required prior to compilation,
> such that it becomes an always on/off feature?

From a security standpoint I see several options:

* No security at all: for example disabling the security option in the build because of missing dependencies.
* Required: Security is available and should be used. This means all bundles being installed MUST be signed and validated.
* Optional: Security is available and can be used. This means that bundles with signing information are validated, others are just installed.

As for where these options should be?

a) Having an option gives more freedom.
b) But having an option might give too much freedom; built-in is more secure.

So I think it can be a build option without the need for configuration:

* Build options: Security Required / Security Optional / Security Disabled
  Required implies always on, everything must be signed.
  Optional implies that signed bundles are verified.
  Disabled implies that signing information is simply ignored.

> I think having the option to toggle the requirement after compilation
> would be nice to have because it allows you to compile the framework once
> and use it on multiple systems.

Considering this, I think a sane default would be the Optional build setting. If really needed an additional configuration option could be used to make it required via configuration.

Wdyt?

-- 
Met vriendelijke groet,

Alexander Broekhuis
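The Required / Optional / Disabled build modes discussed in this thread, together with the idea that a runtime configuration option may only tighten the build-time choice (make Optional become Required) and never loosen it, worked out as an added C example. This is not Celix code and not from the thread: the `bundle_t` struct, the `effective_mode`, `decide_install` and `scenario` functions, the `CELIX_SECURITY_BUILD_MODE` macro, the sample payload and the FNV-1a based `toy_verify` stand-in for real signature verification are all assumptions constructed for illustration. A real security provider would verify a certificate-backed signature over the bundle's manifest digests instead of a hash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Security mode fixed at build time (would be a CMake option in a real build). */
typedef enum { SECURITY_DISABLED = 0, SECURITY_OPTIONAL = 1, SECURITY_REQUIRED = 2 } security_mode_t;

#ifndef CELIX_SECURITY_BUILD_MODE
#define CELIX_SECURITY_BUILD_MODE SECURITY_OPTIONAL   /* assumed default, as proposed in the thread */
#endif

/* Hypothetical minimal view of a bundle: its content plus optional signing information. */
typedef struct {
    const char *symbolic_name;
    const unsigned char *content;   size_t content_len;
    const unsigned char *signature; size_t signature_len;   /* NULL / 0 when unsigned */
} bundle_t;

/* Verifier supplied by the security provider (e.g. a library loaded at startup). */
typedef bool (*verify_fn)(const bundle_t *b);

typedef enum {
    INSTALL_OK,
    INSTALL_REJECTED_UNSIGNED,
    INSTALL_REJECTED_BAD_SIGNATURE,
    INSTALL_REJECTED_NO_VERIFIER
} install_result_t;

/* Runtime configuration may only raise the build-time mode to Required, never lower it.
 * With security compiled out there is no verifier to enable, so the config is ignored. */
security_mode_t effective_mode(security_mode_t build_mode, const char *config_value) {
    if (build_mode == SECURITY_DISABLED || config_value == NULL) return build_mode;
    if (strcmp(config_value, "required") == 0 && build_mode < SECURITY_REQUIRED)
        return SECURITY_REQUIRED;
    return build_mode;
}

/* Install decision for one bundle under the effective mode. */
install_result_t decide_install(security_mode_t mode, const bundle_t *b, verify_fn verify) {
    if (mode == SECURITY_DISABLED) return INSTALL_OK;            /* signing info simply ignored */
    bool has_signature = b->signature != NULL && b->signature_len > 0;
    if (!has_signature)                                           /* Optional installs, Required rejects */
        return mode == SECURITY_REQUIRED ? INSTALL_REJECTED_UNSIGNED : INSTALL_OK;
    if (verify == NULL) return INSTALL_REJECTED_NO_VERIFIER;      /* fail closed: signed but unverifiable */
    return verify(b) ? INSTALL_OK : INSTALL_REJECTED_BAD_SIGNATURE;
}

/* Toy stand-in for signature verification (constructed): the "signature" is the FNV-1a
 * 32-bit digest of the content, big-endian. Not a real signature scheme. */
static uint32_t fnv1a32(const unsigned char *d, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= d[i]; h *= 16777619u; }
    return h;
}

static void toy_sign(const bundle_t *b, unsigned char out[4]) {
    uint32_t h = fnv1a32(b->content, b->content_len);
    out[0] = (unsigned char)(h >> 24); out[1] = (unsigned char)(h >> 16);
    out[2] = (unsigned char)(h >> 8);  out[3] = (unsigned char)h;
}

bool toy_verify(const bundle_t *b) {
    unsigned char expected[4];
    if (b->signature == NULL || b->signature_len != sizeof expected) return false;
    toy_sign(b, expected);
    return memcmp(expected, b->signature, sizeof expected) == 0;
}

/* Builds a constructed sample bundle (signed and/or tampered as requested) and runs the decision. */
install_result_t scenario(security_mode_t mode, bool is_signed, bool tampered, bool have_verifier) {
    unsigned char payload[] = "constructed bundle payload (not a real Celix bundle)";
    unsigned char sig[4];
    bundle_t b = { "example.bundle", payload, sizeof payload - 1, NULL, 0 };
    if (is_signed) {
        toy_sign(&b, sig);                 /* sign the untampered content */
        b.signature = sig; b.signature_len = sizeof sig;
    }
    if (tampered) payload[0] ^= 0x01;      /* flip one bit after signing */
    return decide_install(mode, &b, have_verifier ? toy_verify : NULL);
}

int main(void) {
    security_mode_t mode = effective_mode(CELIX_SECURITY_BUILD_MODE, "required");
    printf("effective mode with config 'required': %d\n", mode);
    printf("unsigned bundle under Optional: %d\n", scenario(SECURITY_OPTIONAL, false, false, true));
    printf("unsigned bundle under Required: %d\n", scenario(SECURITY_REQUIRED, false, false, true));
    printf("tampered signed bundle under Optional: %d\n", scenario(SECURITY_OPTIONAL, true, true, true));
    printf("tampered signed bundle under Disabled: %d\n", scenario(SECURITY_DISABLED, true, true, true));
    return 0;
}
```

Two design points worth noting: the configuration value can only move Optional to Required, so a deployment cannot be weakened below what the build guarantees, and a signed bundle whose signature cannot be checked (no verifier loaded) is rejected rather than installed, because an attached but unverified signature carries no assurance.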