How to add security plugin in ME Framework 1.2 for CDC mode?

murali_reddy219

Hi Vladimir,

In the present ME Framework 1.2, there is no security plugin for CDC implementation mode.
How can we add that security plugin? Actually, I want to sign TCK tests with a particular certificate. Any plans of adding a security plugin in CDC mode?

Thanks & Regards
Muralidhar Reddy M

Vladimir Sizikov

Hi Murali,

There is no need for security plugin in CDC mode. The security
environments in MIDP and CDC stacks are very different. CDC basically
uses a subset from Java SE.

So, basically, you just launch a test agent on CDC side (and you could
specify an appropriate security policy for it, but it depends on actual
implementation). In most cases (at least for reference implementations),
the mechanism is identical to Java SE.

Typically, in CDC stack TCKs, we just provide a minimum list of required
permissions the users have to grant the test agent in order for the
test run to be successful (e.g., a permission to connect to the remote
host must be granted, or the test agent won't be able to talk to
JavaTest harness, etc).

Thanks,
--Vladimir

On 4/16/2008 2:20 PM, meframework@mobileandembedded.org wrote:
> Hi vladimir,
>
>
> In the present ME Framework 1.2, there is no security plugin for CDC implementation mode.
> How can we add that security plugin? Actually, I want to sign TCK tests with a particular certificate. Any plans of adding a security plugin in CDC mode?
>
>
>
> Thanks & Regards
> Muralidhar Reddy M

murali_reddy219

Hi Vladimir,

I did not understand completely. Actually, my intention is to sign the tests with a different certificate.
Is there any way to specify signing of tests in CDC mode? I.e., in MIDP, we are signing the tests using the JKSigner class; in the same way, can we sign tests in CDC mode also?

Does the framework execute signed (with some certificate) tests in CDC mode?

Thanks,
Murali

Vladimir Sizikov

Hi Murali,

On 4/17/2008 12:15 PM, meframework@mobileandembedded.org wrote:
> I did not understand completely. Actually, my intention is to sign the tests with a different certificate.
> Is there any way to specify signing of tests in CDC mode?

Nope, there is no way to do that (and typically, there is no need for
that). Since the framework is not packaging the tests into the test
bundles in CDC mode, there is nothing to sign.

All we do in CDC mode, is we start the CDC agent on CDC side (a small
program that fetches the tests in form of class files dynamically from
the Java SE side, and executes them).

You *could* provide different security settings for the CDC agent when
you start it, via standard means on particular platform (in most cases,
if the implementation is similar to CDC Reference Implementation, you
could just provide either 'java.policy' file or custom SecurityManager,
exactly the same as with Java SE).

Thanks,
--Vladimir

murali_reddy219

Hi Vladimir,

Thank you very much for all your support.

> You *could* provide different security settings for the CDC agent when
> you start it, via standard means on particular platform (in most cases,
> if the implementation is similar to CDC Reference Implementation, you
> could just provide either 'java.policy' file or custom SecurityManager,
> exactly the same as with Java SE).

Do you have any idea of how to do that as you described above?

The reason I am specifically asking is that I have a test (test cases) which must work for trusted tests only. It must throw an exception for untrusted ones.

How can we do that using 'java.policy' or a custom SecurityManager?

Can you please help me with this issue?

Thanks,
Murali

Vladimir Sizikov

Hi Murali,

> Do you have any idea of how to do that as you described above?
>
> The reason I am specifically asking is that I have a test (test cases) which must work for trusted tests only.
> It must throw an exception for untrusted ones.
>
> How can we do that using 'java.policy' or a custom SecurityManager?

Oh, now I understand what you're trying to do. And I *think* we did
something similar in some of our TCKs in the past too. There was a
special "permission mapper" class that mapped the MIDP permissions
(essentially, strings) to CDC-stack permission objects, and we had a
SecurityManager to enforce those permissions.

Let me dig up this a bit and I'll get back to you with more info.

Thanks,
--Vladimir

murali_reddy219

Hi Vladimir,

Sorry for disturbing.

> Let me dig up this a bit and I'll get back to you with more info.

Can you tell me how to do that?

Actually, up to now I tried signing main_agent.jar. First I signed main_agent.jar with my own created keystore file. After that, using policytool.exe, I changed the java.policy file corresponding to my keystore. Finally I ran that jar file from CDC Tool kit using the following command. All my JSR DLLs are stored in the CDCTK bin directory.

emulator.exe -Djava.security.manager -Djava.security.policy=="C:\Java\jdk1.5.0_07\lib\security\java.policy" -cp main_agent.jar com.sun.tck.j2me.agent.AgentMain -tcp -activeHost localhost -trace

But while calling our JSR API in the test case, I am getting a java.lang.ExceptionInInitializerError exception....

Actually the way I am doing it is wrong, but I tried...

What is that exception? But without security signing, all tests are passed.

Thanks,
Murali

Vladimir Sizikov

Hi Murali,

I'm sorry for the delay with the answer, I had an unplanned vacation and
just returned back to work.

> Can you tell me how to do that?

The idea is to take the MIDP-security tests *unmodified* and try to map
their security environment to similar CDC environment.

Say, some test has "grant" and/or "deny" fields in its test description,
essentially specifying the test expectations for the security
environment: which permissions must be granted and which must be denied.

The ME Framework provides special script class:

com.sun.tck.j2me.javatest.MidpOnCdcSecurityScript

that you could use in your test suite, specifying it in, say,
createTestScript() method in your test suite class (you'd need to set it
only in case when you run in CDC mode).

Then, a specific 'mapper' between MIDP and CDC permissions needs to be
created and defined for your particular test suite.
The interface it needs to implement is:
com.sun.tck.cdc.lib.security.MidpToCdcPermissionsMapper

That's the core class that does the actual conversion between MIDP and
CDC permissions (at least for those permissions relevant to your
particular test suite). So, the MidpOnCdcSecurityScript, when looking at
the test description, would know which permissions to grant/deny, and
using the mapper it would convert the MIDP-style permissions to CDC
security environment.

Then, a custom SecurityManager would be installed, and it will use the
info from the above to allow/deny the permissions. So, if, say
"abc.feature" permission was specified in "deny" field in the test
description, then the Script class will map it to the CDC style
permissions and will deny those in the SecurityManager, thus the very
same test, expecting the permission to be denied, will be able to run in
both environments, in CDC and MIDP.

This is a rather advanced topic and we didn't expect that this
functionality would be requested/needed by open source users of ME
Framework, and hence it's not extensively documented in our docs. Also,
it's not always even possible to have 100% correct mapping between MIDP
and CDC permissions in some cases.

If you think that the outline of the process above matches your needs,
I'd suggest to start exploring the MidpOnCdcSecurityScript source code
to see what's needed by the script and how to use it.

Another alternative would be to leave MIDP specific security tests alone
and write similar tests for CDC specific security environment
specifically (that would mean that you'd need to install a custom
security manager before the test executes and remove it once the test is
finished -- this could be done even by the test code itself, when it
starts and when it's about to finish).

Again, looking at the MidpOnCdcSecurityScript and
com.sun.tck.cdc.lib.security.ExecWithMidpSecurityCommand might give you
some ideas on how to do that.

And, while we're at this advanced territory, I'd like to add that there
is also a possibility of commercial support from Sun to help you out
with this. These advanced security sensitive things are tricky and
require quite a lot of effort and time to get them right.

> Actually, up to now I tried signing main_agent.jar

In most cases, you don't really need to do any signing in order to run
security tests on CDC. Setting up custom security manager (even
programmatically by the tests themselves) might be better.

See for example the following ME Framework class for how it could be done:
com.sun.tck.cdc.lib.security.SecurityTestRunner

Thanks,
--Vladimir
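
The approach outlined in the reply above (map a MIDP "deny" entry to a CDC permission object, install a custom SecurityManager before the test, remove it afterwards), as an added example that is not part of the original thread and not ME Framework code. The class names, the mapping table and the stand-in API are assumptions; only the "abc.feature" permission name comes from the post. It targets the SecurityManager API of the CDC / Java SE 1.4-5 runtimes discussed here, which current JDKs have deprecated and disabled.

```java
import java.security.Permission;
import java.util.HashMap;
import java.util.Map;

// Added example; all class and method names here are hypothetical, not ME Framework's.
public class DenySecurityDemo {
    // Constructed mapping: MIDP permission string -> CDC/Java SE Permission object.
    static final Map MIDP_TO_CDC = new HashMap();
    static { MIDP_TO_CDC.put("abc.feature", new RuntimePermission("abc.feature")); }

    static Permission[] map(String[] midpNames) {
        Permission[] out = new Permission[midpNames.length];
        for (int i = 0; i < midpNames.length; i++) {
            out[i] = (Permission) MIDP_TO_CDC.get(midpNames[i]);
            // An unmappable name must fail the setup instead of silently granting.
            if (out[i] == null) throw new IllegalArgumentException("no CDC mapping: " + midpNames[i]);
        }
        return out;
    }

    // Denies only the listed permissions. Everything else, including setSecurityManager,
    // is allowed so the test can uninstall it: a test fixture, not a sandbox.
    static class DenyListManager extends SecurityManager {
        private final Permission[] denied;
        DenyListManager(Permission[] denied) { this.denied = denied; }
        public void checkPermission(Permission p) {
            for (int i = 0; i < denied.length; i++)
                if (denied[i].implies(p)) throw new SecurityException("denied: " + p);
        }
        public void checkPermission(Permission p, Object context) { checkPermission(p); }
    }

    // Stand-in for the API under test: it performs the permission check itself.
    static void featureUnderTest() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(new RuntimePermission("abc.feature"));
    }

    // Returns true if the call was refused while the "deny" list was in force.
    static boolean refusedWhenDenied(String[] midpDeny) {
        SecurityManager previous = System.getSecurityManager();
        System.setSecurityManager(new DenyListManager(map(midpDeny)));
        try { featureUnderTest(); return false; }
        catch (SecurityException expected) { return true; }
        finally { System.setSecurityManager(previous); }
    }
    public static void main(String[] a) { System.out.println(refusedWhenDenied(new String[] { "abc.feature" })); }
}
```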
