Java Reference
In-Depth Information
You have everything in place now, which means we can look into signing bundles to
make them members of one of your domains.
SIGNING BUNDLES
A bundle
JAR
file can be signed by multiple signers; the signing follows normal Java
JAR
signing rules. The only additional constraint for a bundle is that all entries inside
the bundle must be included in the signature, but entries below the
META-INF
/ direc-
tory aren't included. Normal Java
JAR
file signing allows for partially signed
JAR
files,
but
OSG
i doesn't. It's lucky that signing all entries except those below
META-INF
/ is
the default in
JAR
signing, so you can use the
jarsigner
tool included in the
JDK
. The
following will sign a bundle with your core private key:
jarsigner -keystore file:keys.ks \
-storepass foobar -keypass barbaz core-bundle.jar core
Signing another bundle with your third-party private key looks very similar. You specify
the appropriate alias:
jarsigner -keystore file:keys.ks \
-storepass foobar -keypass barbaz third-party-bundle.jar third-party
For verification, you need the keystore containing the certificates. You can use the
jarsigner
tool for verification as well:
jarsigner -verify -keystore file:certificates.ks core-bundle.jar
jarsigner -verify -keystore file:certificates.ks third-party-bundle.jar
This command should output
jar verified
if you've correctly signed the bundles.
Assuming you have, you now have one bundle in the core domain and one in the
third-party domain. This makes it easy for you to grant permissions to either, based on
the signer of a bundle, as you'll see next.
14.5.3
BundleSignerCondition
To a s s i g n p e r m i s s i o n s t o b u n d l e s b a s e d o n w h o s i g n e d t h e m , y o u n e e d a c o n d i t i o n .
The
OSG
i specification defines the
BundleSignerCondition
for certificate matching,
which is specifically based on
DN
matching.
DN
matching can seem somewhat compli-
cated, but it needn't be. We'll discuss the details of it shortly; first, let's look at how you
construct a
BundleSignerCondition
.
The
BundleSignerCondition
is initialized with a
DN
matching expression as
its first argument and an optional second argument of
!
. If you specify the excla-
mation mark, it negates the result of the
DN
matching expression. Consider the
following snippet of an encoded
ConditionalPermissionInfo
object containing a
BundleSignerCondition
:
ACCEPT {
[org.osgi.service.condpermadmin.BundleSignerCondition "CN=core,O=baz,C=de"]
...
}
This matches a bundle on the call stack if it's signed by the core certificate of the
example, which means any permissions associated with this entry will be granted to