felix-users mailing list archives

From sid19039 <sid19...@gmail.com>
Subject Re: how to enable felix verify the contents of a signed bundle
Date Thu, 15 Sep 2016 09:38:15 GMT
Hello @Karl and @Robert, again thank you so much for your help.
And I am sorry for this late reply, for I got occupied with other priorities.
Yeah, I tried Robert's point and it worked well.
We created our security bundle which reads the following policy file to
bring it into picture via ConditionalPermissionAdmin.
policy file:
ALLOW {
   [ org.osgi.service.condpermadmin.BundleSignerCondition "CN=XZX, O=XYX, C=XX" ]
   ( java.security.AllPermission "*" "*")
} "Bundles Signed by XZX certificate get AllPermission"
ALLOW {
   [ org.osgi.service.condpermadmin.BundleLocationCondition "file:/D:/dir_A/dir_B/felix-framework 5.4.0/bundle/*" ]
   (java.security.AllPermission "*" "*")
} "Existing  bundles of felix"
DENY {
   (java.security.AllPermission "*" "*")
} "And give denied permissions to all bundles"

In the above set of permissions, the first ALLOW set of permissions gives all
permissions to all bundles which are signed by our certificate. The second set of
permissions assigns all permissions to all those bundles which are already
present in the felix framework default bundle directory. And the third set denies
all permissions to all those bundles which are not signed by our certificate
or which are unsigned and which are not present in the default bundle directory
of the felix framework.

Now, signed bundles are successfully installed, become active and run fine
with all permissions granted.
But we want to restrict all running bundles so that they are not able to access any
ethernet port on the device inside which our felix framework is running. How can
we deny this particular permission to a bundle?

Moreover, a bundle which is not signed, or which is signed with any other certificate,
also gets installed in the framework without giving any security exception,
though an *unresolved exception as shown below* appears on the console when
we try to start this unsigned bundle:

*org.osgi.framework.BundleException: Unable to resolve TCPModBus [14](R
14.0): missing requirement [TCPModBus [14](R 14.0)] osgi.wiring.package;
i.wiring.package=org.osgi.framework)(version>=1.3.0)) Unresolved
requirements: [[TCPModBus [14](R 14.0)] osgi.wiring.package;

Is there any way to prevent these unsigned bundles or bundles signed with
other certificates from even being installed into the framework?


View this message in context: http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018412.html
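
An added example, not part of the original message and not Apache Felix code: one way a security bundle could load the three policy rows quoted above through ConditionalPermissionAdmin, with a constructed DENY row for java.net.SocketPermission placed first, since the permission table is evaluated in order. The class name PolicyActivator and the first DENY row are assumptions; SocketPermission covers network sockets only.

```java
// Added example. PolicyActivator and the SocketPermission row are hypothetical.
import java.util.List;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;

public class PolicyActivator implements BundleActivator {
    // Rows are evaluated top to bottom: the first row whose conditions match
    // and whose permissions imply the requested permission decides the access.
    private static final String[] POLICY = {
        // Constructed row, placed first so it is reached before the AllPermission grants.
        "DENY { ( java.net.SocketPermission \"*\" \"connect,accept,listen,resolve\" ) } \"No sockets for any bundle\"",
        "ALLOW { [ org.osgi.service.condpermadmin.BundleSignerCondition \"CN=XZX, O=XYX, C=XX\" ]"
            + " ( java.security.AllPermission \"*\" \"*\" ) } \"Bundles Signed by XZX certificate get AllPermission\"",
        "ALLOW { [ org.osgi.service.condpermadmin.BundleLocationCondition \"file:/D:/dir_A/dir_B/felix-framework 5.4.0/bundle/*\" ]"
            + " ( java.security.AllPermission \"*\" \"*\" ) } \"Existing  bundles of felix\"",
        "DENY { ( java.security.AllPermission \"*\" \"*\" ) } \"And give denied permissions to all bundles\""
    };

    @Override
    public void start(BundleContext context) throws Exception {
        ServiceReference<ConditionalPermissionAdmin> ref =
            context.getServiceReference(ConditionalPermissionAdmin.class);
        if (ref == null) {
            // The service is only registered when framework security is enabled.
            throw new IllegalStateException("ConditionalPermissionAdmin service not available");
        }
        ConditionalPermissionAdmin cpa = context.getService(ref);
        try {
            ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
            List<ConditionalPermissionInfo> rows = update.getConditionalPermissionInfos();
            rows.clear(); // replace the whole table so the row order is exactly POLICY
            for (String encoded : POLICY) {
                rows.add(cpa.newConditionalPermissionInfo(encoded));
            }
            if (!update.commit()) { // false: the table was changed by someone else meanwhile
                throw new IllegalStateException("Permission table changed concurrently; retry");
            }
        } finally {
            context.ungetService(ref);
        }
    }

    @Override
    public void stop(BundleContext context) { }
}
```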