Posted to dev@felix.apache.org by "Guillaume Nodet (JIRA)" <ji...@apache.org> on 2012/07/21 13:39:34 UTC
[jira] [Created] (FELIX-3603) Resources in META-INF/xxx/ folders in a signed bundle should be checked
Guillaume Nodet created FELIX-3603:
--------------------------------------
Summary: Resources in META-INF/xxx/ folders in a signed bundle should be checked
Key: FELIX-3603
URL: https://issues.apache.org/jira/browse/FELIX-3603
Project: Felix
Issue Type: Bug
Components: Framework Security
Reporter: Guillaume Nodet
See section 2.3.2 of the OSGi Core spec,
Bundles do not support partially signed bundles. The manifest must contain name sections for all resources but should not have entries for resources in the META-INF directory. Signed entries in the META-INF directory must be verified. Sub directories of META-INF must be treated like any other JAR directory.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (FELIX-3603) Resources in META-INF/xxx/ folders in a signed bundle should be checked
Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3603?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13419801#comment-13419801 ]
Guillaume Nodet commented on FELIX-3603:
----------------------------------------
The problem is located in the following method:
https://github.com/apache/felix/blob/trunk/framework.security/src/main/java/org/apache/felix/framework/security/verifier/BundleDNParser.java#L271
The verifier ignores all META-INF/xxx entries but it should check resources located inside a subfolder of META-INF as specified in the spec.
[jira] [Assigned] (FELIX-3603) Resources in META-INF/xxx/ folders in a signed bundle should be checked
Posted by "Karl Pauls (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3603?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Pauls reassigned FELIX-3603:
---------------------------------
Assignee: Karl Pauls
[jira] [Resolved] (FELIX-3603) Resources in META-INF/xxx/ folders in a signed bundle should be checked
Posted by "Karl Pauls (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3603?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Pauls resolved FELIX-3603.
-------------------------------
Resolution: Fixed
Fix Version/s: framework.security-2.2.0
I added a check which should make this work. Can you please check the current trunk? Thanks.
[jira] [Reopened] (FELIX-3603) Resources in META-INF/xxx/ folders in a signed bundle should be checked
Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3603?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Guillaume Nodet reopened FELIX-3603:
------------------------------------
[jira] [Commented] (FELIX-3603) Resources in META-INF/xxx/ folders in a signed bundle should be checked
Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3603?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13423568#comment-13423568 ]
Guillaume Nodet commented on FELIX-3603:
----------------------------------------
It seems there is a problem.
The java.util.jar.JarVerifier class ignores all entries inside the META-INF folder, so even if those are signed, they won't be verified.
I'm investigating a workaround.
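An added example, not part of the original thread and not the Felix fix: one way to check the resources that section 2.3.2 says must be treated like any other JAR directory, without relying on the built-in verifier that the comment above reports as skipping META-INF. It assumes Java 8+, SHA-256 manifest digests, and that MANIFEST.MF itself has already been authenticated through the bundle's signature file; the class and method names are hypothetical.

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

// Added example; class and method names are hypothetical, not Felix code.
public class MetaInfSubdirCheck {
    private static final String META_INF = "META-INF/";

    // META-INF/MANIFEST.MF -> false; META-INF/services/x -> true (an ordinary JAR resource).
    static boolean inMetaInfSubdir(String name) {
        return name.toUpperCase(Locale.ENGLISH).startsWith(META_INF)
                && name.indexOf('/', META_INF.length()) != -1;
    }

    // Returns META-INF subdirectory resources with no manifest digest or a mismatching one.
    static List<String> findUnverified(JarFile jar) throws Exception {
        List<String> failed = new ArrayList<>();
        Manifest manifest = jar.getManifest();
        for (JarEntry entry : Collections.list(jar.entries())) {
            if (entry.isDirectory() || !inMetaInfSubdir(entry.getName())) continue;
            Attributes attrs = manifest == null ? null : manifest.getAttributes(entry.getName());
            String expected = attrs == null ? null : attrs.getValue("SHA-256-Digest");
            if (expected == null) { failed.add(entry.getName()); continue; } // no name section or digest
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            try (InputStream in = jar.getInputStream(entry)) {
                byte[] buf = new byte[8192];
                for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
            }
            byte[] want = Base64.getDecoder().decode(expected);
            if (!MessageDigest.isEqual(md.digest(), want)) failed.add(entry.getName());
        }
        return failed;
    }

    public static void main(String[] args) throws Exception {
        List<String> failed;
        try (JarFile jar = new JarFile(args[0], false)) { // false: do not rely on built-in verification
            failed = findUnverified(jar);
        }
        failed.forEach(n -> System.out.println("NOT VERIFIED: " + n));
        if (!failed.isEmpty()) System.exit(1);
    }
}
```

An empty result only says the digests match the manifest; the signature over the manifest still has to be validated separately.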
[jira] [Commented] (FELIX-3603) Resources in META-INF/xxx/ folders in a signed bundle should be checked
Posted by "Karl Pauls (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3603?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420268#comment-13420268 ]
Karl Pauls commented on FELIX-3603:
-----------------------------------
Good catch. I'll take care of it. Thanks.
[jira] [Resolved] (FELIX-3603) Resources in META-INF/xxx/ folders in a signed bundle should be checked
Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3603?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Guillaume Nodet resolved FELIX-3603.
------------------------------------
Resolution: Fixed
Fixed with http://svn.apache.org/viewvc?rev=1366310&view=rev