OSGi als App-Plattform - Ein Ausflug durch den Security-Layer

www.neat-it.de

Michael Grammling, M.Sc. Dipl.-Inform (FH)

OSGi as an App PlatformAn Excursion through the Security Layer

© Grammling und Müller GbR – neat-IT 2

System Boundaries


Packaging Apps

• Use a simple container format which can store 1..N bundles (e.g. a JAR or ZIP)• There are open standards available for container formats

• However they are often much more complex than needed• Think on using an ApplicationManifest file (e.g. XML based) for meta-information• Think on signing the content of the container


Certify Apps

• Usually Apps are certified by a certification department• If specific permissions, which the App acquires, are critical, reject the App• Do runtime checks• An automatic certification suite can help (can be complex)• If the App is accepted, deploy it in a clean software repository


Sell and Deploy Apps

• The customer buys an App in the shop• The app is deployed (e.g. automatically) on

the App Platform through a provisioningservice (can be part of the App Repository)


Protect Access

• Usually there are direct connections to theApp Platform (e.g. by Telnet, SSH, Web-Clientor Rich-Client user interfaces)• Use a proxy service on the App Platform to

manage access rights


Requirements


The OSGi-Specification


The Security Layer


OSGi Security-Mechanisms

► OSGi Bundle-Authentication

► Bundle-Location

► Bundle-Signatures

► Conditional Permission Admin

► Visibility rules on level of Java packages

► User Admin (part of the OSGi Compendium)


OSGi Bundle-Signatures – Overall

► Bundle-Location

► Wires a Bundle with the installation location, which is persisted

► Could be a location in the local file system or an internet address

► Can be simply tampered e.g. by „mount points“

► Bundle-Signatures

► Authenticates the originator

► Shows modifications on the data itself

► Requires a PKI (Public Key Infrastructure)

► Bundle-Locations as well as Bundle-Signatures can be usedfor definitions of permissions

► Bundle-Signatures are an optional feature in OSGi


Java Key Store

► Is a repository for certificates

► Consists of one file (e.g. with the file extension *.jks)

► Can be managed using the tool „keytool“ from the JDK

Schlüssel- und Zertifikatsverwaltungstool

Befehle:

-certreq Generiert eine Zertifikatanforderung-changealias Ändert den Alias eines Eintrags-delete Löscht einen Eintrag-exportcert Exportiert ein Zertifikat-genkeypair Generiert ein Schlüsselpaar-genseckey Generiert einen Secret Key-gencert Generiert ein Zertifikat aus einer Zertifikatanforderung-importcert Importiert ein Zertifikat oder eine Zertifikatkette-importkeystore Importiert einen oder alle Einträge aus einem anderen Keystore-keypasswd Ändert das Schlüsselkennwort eines Eintrags-list Listet die Einträge in einem Keystore auf-printcert Druckt den Content eines Zertifikats-printcertreq Druckt den Content einer Zertifikatanforderung-printcrl Druckt den Content einer CRL-Datei-storepasswd Ändert das Speicherkennwort eines Keystores

"keytool -command_name -help" für Verwendung von command_name verwenden


Structure of a Certificate

► Check public key by requesting the Public Authority (Trust Center)

► Check signature: decrypt(public_key, signature) = digest


OSGi Bundle-Signature Files

► Resources within the META-INF directory are not signed

► A Bundle can be signed from more than one originator


Signing Bundles – jarsigner

► Bundles can be signed using the tool „jarsigner“ from the JDK

jarsigner -keystore my-keystore.jks -storepass my-store-password myjar.jar my-alias

Warning:The signer certificate will expire within six months.The signer's certificate chain is not validated.


Signing Bundles – Maven

► Bundles can be signed using a Maven-Plugin

…

<build>

…

<plugins>

<plugin>

<groupId>org.apache.maven.plugins</groupId>

<artifactId>maven-jarsigner-plugin</artifactId>

<version>1.2</version>

<executions>

<execution>

<id>sign</id>

<goals>

<goal>sign</goal>

</goals>

</execution>

</executions>

<configuration>

<keystore>C:/my-keystore.jks</keystore>

<alias>my-alias</alias>

<storepass>my-store-password</storepass>

<keypass>my-keypassword</keypass>

</configuration>

</plugin>

…

</plugins>

</build>

…


Activate the Security-Layer

► System Variables of the JVM

Property-Key Value Description

java.security.policy <File> Policy file, which the OSGi Service Platform should use itself.

org.osgi.framework.security osgi Activates the Security-Layer of OSGi. A specific OSGi Security-Manager is usednow. Using this parameter enables also the (Conditional) Permission Admin.

org.osgi.framework.trust.repositories <Files> List of Java-Keystores.


► The file „all.policy“

► Usually the OSGi-Framework requires full access

► -Djava.security.policy=all.policy

► Take care to restrict the rights of the JVM itself

The Policy File for OSGi

grant {

permission java.security.AllPermission;

};


Conditional Permission Admin

► Offers authorization during runtime

► Review – Bundle-Signatures: Checks only integrity

► Defining permissions during runtime

► Simplification comparing to Java 2 Security

• ALLOW, DENY and reverse rules can be defined

► OSGi specific extensions comparing to Java 2 Security

• E.g. setting the permission to register a service


Local Permissions of a Bundle

► The developer defines specific permissions for the Bundle

► E.g. Access to the file system or using a service

► Local permissions are defined in the ASCII file „permissions.perm“in the directory of the Bundle „OSGI-INF“

► The OSGi Platform ensures that the Bundle gets only these permissionsthe developer has specified in the „permissions.perm“ file

…# Accept exporting and re-importing package of service interface(org.osgi.framework.PackagePermission

"de.telekom.connectedhome.services.clock.*" "exportonly,import")

# Accept registering a concrete service(org.osgi.framework.ServicePermission

"de.telekom.connectedhome.services.clock.TimeService" "register")…


Globale Permissions in the System

► Sandboxes can be defined for the OSGi platform for all or a set of Bundles using:

► Bundle signatures

► Bundle location

► Global permissions must be set by using the Conditional Permission Admin service

► The OSGi specification defines also a textual format and a parser for it:

…ALLOW {[org.osgi.service.condpermadmin.BundleLocation "file:foo.jar"](org.osgi.framework.PackagPermission "*" "import")

} "allow-all-packages"

ALLOW {[org.osgi.service.condpermadmin.BundleSignerCondition "CN=cn, OU=ou, O=o, ST=st, C=c"](java.security.AllPermission "*" "*")

} "allow-all-signed-bundles"…


Bundle Protection Domains


Permissions in OSGi

► PackagePermission

► Restrict the import- and export of Java packages

► BundlePermission

► Restrict access to Bundles (e.g. Require-Bundle)

► AdminPermission

► Restrict management access (e.g. lifecycle)

► ServicePermission

► Restrict registering and using services

Luise-Riegger-Str. 21 ● 76137 Karlsruhe

www.neat-it.deGrammling und Müller GbR

Technology

OSGi als App-Plattform - Ein Ausflug durch den Security-Layer