OSGi als App-Plattform - Ein Ausflug durch den Security-Layer

www.neat-it.de

OSGi as an App Platform
An Excursion through the Security Layer
Michael Grammling, M.Sc. Dipl.-Inform (FH)

System Boundaries

© Grammling und Müller GbR – neat-IT

2

Packaging Apps

• Use a simple container format which can store 1..N bundles (e.g. a JAR or ZIP)
• There are open standards available for container formats
• However they are often much more complex than needed
• Think on using an ApplicationManifest file (e.g. XML based) for meta-information
• Think on signing the content of the container


3

Certify Apps

• Usually Apps are certified by a certification department
• If specific permissions, which the App acquires, are critical, reject the App
• Do runtime checks
• An automatic certification suite can help (can be complex)
• If the App is accepted, deploy it in a clean software repository


4

Sell and Deploy Apps
• The customer buys an App in the shop
• The app is deployed (e.g. automatically) on
the App Platform through a provisioning
service (can be part of the App Repository)


5

Protect Access
• Usually there are direct connections to the
App Platform (e.g. by Telnet, SSH, Web-Client
or Rich-Client user interfaces)
• Use a proxy service on the App Platform to
manage access rights


6

Requirements


7

The OSGi-Specification


8

The Security Layer


9

OSGi Security-Mechanisms
► OSGi Bundle-Authentication
► Bundle-Location
► Bundle-Signatures
► Conditional Permission Admin
► Visibility rules on level of Java packages
► User Admin (part of the OSGi Compendium)


10

OSGi Bundle-Signatures – Overall
► Bundle-Location
► Wires a Bundle with the installation location, which is persisted
► Could be a location in the local file system or an internet address
► Can be simply tampered e.g. by „mount points“
► Bundle-Signatures
► Authenticates the originator
► Shows modifications on the data itself
► Requires a PKI (Public Key Infrastructure)
► Bundle-Locations as well as Bundle-Signatures can be used

for definitions of permissions
► Bundle-Signatures are an optional feature in OSGi


11

Java Key Store
► Is a repository for certificates
► Consists of one file (e.g. with the file extension *.jks)
► Can be managed using the tool „keytool“ from the JDK
Schlüssel- und Zertifikatsverwaltungstool
Befehle:

-certreq
-changealias
-delete
-exportcert
-genkeypair
-genseckey
-gencert
-importcert
-importkeystore
-keypasswd
-list
-printcert
-printcertreq
-printcrl
-storepasswd

Generiert eine Zertifikatanforderung
Ändert den Alias eines Eintrags
Löscht einen Eintrag
Exportiert ein Zertifikat
Generiert ein Schlüsselpaar
Generiert einen Secret Key
Generiert ein Zertifikat aus einer Zertifikatanforderung
Importiert ein Zertifikat oder eine Zertifikatkette
Importiert einen oder alle Einträge aus einem anderen Keystore
Ändert das Schlüsselkennwort eines Eintrags
Listet die Einträge in einem Keystore auf
Druckt den Content eines Zertifikats
Druckt den Content einer Zertifikatanforderung
Druckt den Content einer CRL-Datei
Ändert das Speicherkennwort eines Keystores

"keytool -command_name -help" für Verwendung von command_name verwenden


12

Structure of a Certificate

► Check public key by requesting the Public Authority (Trust Center)
► Check signature: decrypt(public_key, signature) = digest


13

OSGi Bundle-Signature Files

► Resources within the META-INF directory are not signed
► A Bundle can be signed from more than one originator


14

Signing Bundles – jarsigner
► Bundles can be signed using the tool „jarsigner“ from the JDK
jarsigner -keystore my-keystore.jks -storepass my-store-password myjar.jar my-alias

Warning:
The signer certificate will expire within six months.
The signer's certificate chain is not validated.


15

Signing Bundles – Maven
► Bundles can be signed using a Maven-Plugin
…
<build>
…
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jarsigner-plugin</artifactId>
<version>1.2</version>
<executions>
<execution>
<id>sign</id>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
<configuration>
<keystore>C:/my-keystore.jks</keystore>
<alias>my-alias</alias>
<storepass>my-store-password</storepass>
<keypass>my-keypassword</keypass>
</configuration>
</plugin>
…
</plugins>
</build>
…


16

Activate the Security-Layer
► System Variables of the JVM
Property-Key

Value

Description

java.security.policy

<File>

Policy file, which the OSGi Service
Platform should use itself.

org.osgi.framework.security

osgi

Activates the Security-Layer of OSGi. A
specific OSGi Security-Manager is used
now. Using this parameter enables also
the (Conditional) Permission Admin.

org.osgi.framework.trust.repositories

<Files>

List of Java-Keystores.


17

The Policy File for OSGi
► The file „all.policy“
► Usually the OSGi-Framework requires full access
► -Djava.security.policy=all.policy
► Take care to restrict the rights of the JVM itself

grant {
permission java.security.AllPermission;
};


18

Conditional Permission Admin
► Offers authorization during runtime
► Review – Bundle-Signatures: Checks only integrity

► Defining permissions during runtime
► Simplification comparing to Java 2 Security

• ALLOW, DENY and reverse rules can be defined
►

OSGi specific extensions comparing to Java 2 Security

• E.g. setting the permission to register a service


19

Local Permissions of a Bundle
► The developer defines specific permissions for the Bundle
► E.g. Access to the file system or using a service
► Local permissions are defined in the ASCII file „permissions.perm“

in the directory of the Bundle „OSGI-INF“
► The OSGi Platform ensures that the Bundle gets only these permissions
the developer has specified in the „permissions.perm“ file
…
# Accept exporting and re-importing package of service interface
(org.osgi.framework.PackagePermission
"de.telekom.connectedhome.services.clock.*" "exportonly,import")

# Accept registering a concrete service
(org.osgi.framework.ServicePermission
"de.telekom.connectedhome.services.clock.TimeService" "register")
…


20

Globale Permissions in the System
► Sandboxes can be defined for the OSGi platform for all or a set of Bundles using:
► Bundle signatures
► Bundle location

► Global permissions must be set by using the Conditional Permission Admin service
► The OSGi specification defines also a textual format and a parser for it:
…
ALLOW {
[org.osgi.service.condpermadmin.BundleLocation "file:foo.jar"]
(org.osgi.framework.PackagPermission "*" "import")
} "allow-all-packages"
ALLOW {
[org.osgi.service.condpermadmin.BundleSignerCondition "CN=cn, OU=ou, O=o, ST=st, C=c"]
(java.security.AllPermission "*" "*")
} "allow-all-signed-bundles"
…

21

Bundle Protection Domains


22

Permissions in OSGi
► PackagePermission
► Restrict the import- and export of Java packages
► BundlePermission
► Restrict access to Bundles (e.g. Require-Bundle)
► AdminPermission
► Restrict management access (e.g. lifecycle)
► ServicePermission
► Restrict registering and using services


23

Luise-Riegger-Str. 21 ● 76137 Karlsruhe

Grammling und Müller GbR

www.neat-it.de

OSGi als App-Plattform - Ein Ausflug durch den Security-Layer

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie OSGi als App-Plattform - Ein Ausflug durch den Security-Layer

Ähnlich wie OSGi als App-Plattform - Ein Ausflug durch den Security-Layer (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

OSGi als App-Plattform - Ein Ausflug durch den Security-Layer