Stuart Winchester in Java, 2 minutes

Running Different Security Provider Jars In Karaf

I recently did some work at a client who were using a third-party Java library to encrypt and decrypt data. This library had a specific algorithm, and would also use System.loadLibrary() in order to load the jar. Their chosen platform was JBoss Fuse, the Karaf flavour.

The client also had some bundles which were trying to use packages contained within the third-party Java library. To use this library correctly, we needed to ensure the provider was installed in the JRE folder $JAVA_HOME/jre/lib/ext and that the security policy configuration at $JAVA_HOME/jre/lib/security/java.security was modified. The boot delegation also needed to be changed. To find out which packages we needed to add to boot delegation, we initially installed the jar and inspected its OSGi headers.

osgi:install -s wrap:mvn:com.myprovider/security-provider/1.0
Bundle Id 123 Installed
> headers 123
Export-Package =
com.myprovider.secprovider;uses:="com.myprovider.secprovider.ec,com.myprovider.secprovider.provider.key",
com.myprovider.secprovider.X509;uses:="javax.crypto.interfaces,javax.security.auth.x500",
com.myprovider.secprovider.der,
com.myprovider.secprovider.ec;uses:=com.myprovider.secprovider.der,
com.myprovider.secprovider.provider;uses:="com.myprovider.secprovider,com.myprovider.secprovider.X509,javax.security.auth.x500",
com.myprovider.secprovider.provider.cipher;uses:="com.myprovider.secprovider.provider.key,javax.crypto",
com.myprovider.secprovider.provider.digest,
com.myprovider.secprovider.provider.key;uses:="com.myprovider.secprovider,javax.crypto,javax.crypto.interfaces,javax.crypto.spec",
com.myprovider.secprovider.provider.keyagree;uses:=javax.crypto,
com.myprovider.secprovider.provider.keyfactory;uses:="com.myprovider.secprovider.provider.key,javax.crypto,javax.crypto.spec",
com.myprovider.secprovider.provider.keygen;uses:="com.myprovider.secprovider,javax.crypto",
com.myprovider.secprovider.provider.mac;uses:=javax.crypto,
com.myprovider.secprovider.provider.param;uses:=com.myprovider.secprovider.ec,
com.myprovider.secprovider.provider.signature
...

From these headers we can see that the following packages need to be added to org.osgi.framework.bootdelegation in etc/config.properties:

org.osgi.framework.bootdelegation = ...,com.myprovider.secprovider,com.myprovider.secprovider.*,com.myprovider.secprovider.provider.*

The above makes those security packages available to all the bundles inside the Karaf container. Because the container already provides them, no bundle should explicitly import them, and in some instances we needed to state explicitly that a bundle should not import those packages. The maven-bundle-plugin Import-Package instruction can be used to explicitly ignore these packages, as in the example below:

<plugin>
	<groupId>org.apache.felix</groupId>
	<artifactId>maven-bundle-plugin</artifactId>
	<version>${maven-bundle-plugin.version}</version>
	<extensions>true</extensions>
	<configuration>
		<instructions>
			<Bundle-SymbolicName>com.app.bundle</Bundle-SymbolicName>
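			<Bundle-Name>mybundle</Bundle-Name>
			<!-- Keep the boot-delegated provider packages out of Import-Package; the trailing * leaves all other imports to bnd -->
			<Import-Package>!com.myprovider.secprovider,!com.myprovider.secprovider.*,!com.myprovider.secprovider.provider.*,*</Import-Package>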
		</instructions>
	</configuration>
	<executions>
		<execution>
			<id>bundle-manifest</id>
			<phase>process-classes</phase>
			<goals>
				<goal>manifest</goal>
			</goals>
		</execution>
	</executions>
</plugin>
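
As an added example (not part of the original post or of the vendor's tooling), the Python script below derives both settings from the headers output. It keeps only the exported package names, so the javax.* packages that appear inside uses:= directives are never boot-delegated. It assumes that .* matches subpackages at any depth, which is why it emits one wildcard per root rather than the three patterns above, and it appends * to Import-Package so all other imports are still calculated.

```python
import re

# Constructed sample: a shortened Export-Package header in the form shown above,
# including a line break left by console wrapping.
SAMPLE_HEADER = '''
com.myprovider.secprovider;uses:="com.myprovider.secprovider.ec,com.myprovider.secprovider.provider.key",
com.myprovider.secprovider.X509;uses:="javax.crypto.interfaces,javax.security.auth.x500",
com.myprovider.secprovider.ec;uses:=com.myprovider.secprovider.der,
com.myprovider.secprovider.provider.cipher;uses:="com.myprovider.secprovider.provider.key,javax.cryp
to",
com.myprovider.secprovider.provider.signature
'''

def exported_packages(header):
    """Return the exported package names, ignoring every directive and attribute."""
    header = re.sub(r'\s+', '', header)      # undo console line wrapping
    header = re.sub(r'"[^"]*"', '', header)  # quoted values hold commas that are not clause separators
    names = set()
    for clause in header.split(','):
        # A clause is pkg[;pkg...][;key=value...]; package names never contain '='.
        names.update(p for p in clause.split(';') if p and '=' not in p)
    return sorted(names)

def delegation_patterns(packages):
    """Collapse the names to their shortest roots, each emitted as root and root.*"""
    roots = []
    for pkg in sorted(packages):             # a parent package sorts before its children
        if not any(pkg == r or pkg.startswith(r + '.') for r in roots):
            roots.append(pkg)
    # Assumption: '.*' matches subpackages at any depth, so one wildcard per root is enough.
    return [pat for r in roots for pat in (r, r + '.*')]

def bootdelegation_value(packages):
    """Value to append to org.osgi.framework.bootdelegation in etc/config.properties."""
    return ','.join(delegation_patterns(packages))

def import_package_value(packages):
    """Import-Package instruction that excludes the boot-delegated packages."""
    # The trailing '*' keeps the normal import calculation for all other packages.
    return ','.join('!' + pat for pat in delegation_patterns(packages)) + ',*'

if __name__ == '__main__':
    pkgs = exported_packages(SAMPLE_HEADER)
    print('org.osgi.framework.bootdelegation = ...,' + bootdelegation_value(pkgs))
    print('<Import-Package>' + import_package_value(pkgs) + '</Import-Package>')
```

Reviewing the generated list before pasting it into etc/config.properties keeps the set of packages exposed to every bundle as small as the provider actually requires.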
