[prev in list] [next in list] [prev in thread] [next in thread]
List: xmlrpc-dev
Subject: [jira] [Comment Edited] (WSS-688) Signatures created with Merlin start being invalid after changing
From: "Tor Ranfelt (Jira)" <jira () apache ! org>
Date: 2021-09-15 9:26:00
Message-ID: JIRA.13398205.1630323357000.1018447.1631697960045 () Atlassian ! JIRA
[Download RAW message or body]
[ https://issues.apache.org/jira/browse/WSS-688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17414897#comment-17414897 \
]
Tor Ranfelt edited comment on WSS-688 at 9/15/21, 9:25 AM:
-----------------------------------------------------------
[~coheigea]
Normally errors will be printed without logging-level DEBUG, but I tried adding \
<logger name="org.apache.wss4j.common.crypto" level="DEBUG"/> to my \
log-configuration. No errors presented itself even though I got a handful of "DEBUG \
o.apache.wss4j.common.crypto.Merlin". (EDIT: with nothing relevant)
I can only repeat that invalid signatures are created, and that a certificate that \
works in one run where it was the second unique certificate used will not work in \
another run where it was the third unique certificate used. If an invalid signature \
has been created with certificate X in a run then invalid signatures will keep being \
created with certificate X until the program is restarted (probably due to some \
cache). The first certificate being "tainted" seems to always be either #3 or #4 (as \
in the third and fourth unique certificate used).
By not reusing Merlin, but instead creating a new Merlin every time, the problem is \
circumvented.
was (Author: tor):
[~coheigea]
Normally errors will be printed without logging-level DEBUG, but I tried adding \
<logger name="org.apache.wss4j.common.crypto" level="DEBUG"/> to my \
log-configuration. No errors presented itself even though I got a handful of "DEBUG \
o.apache.wss4j.common.crypto.Merlin".
I can only repeat that invalid signatures are created, and that a certificate that \
works in one run where it was the second unique certificate used will not work in \
another run where it was the third unique certificate used. If an invalid signature \
has been created with certificate X in a run then invalid signatures will keep being \
created with certificate X until the program is restarted (probably due to some \
cache). The first certificate being "tainted" seems to always be either #3 or #4 (as \
in the third and fourth unique certificate used).
By not reusing Merlin, but instead creating a new Merlin every time, the problem is \
circumvented.
> Signatures created with Merlin start being invalid after changing key-store a few \
> times
> ---------------------------------------------------------------------------------------
>
> Key: WSS-688
> URL: https://issues.apache.org/jira/browse/WSS-688
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.3.2
> Environment: Java 11 (version 11.0.11.0.9)
> org.apache.cxf:cxf-rt-frontend-jaxws:3.4.4
> org.apache.cxf:cxf-rt-ws-security:3.4.4
> org.apache.cxf:cxf-rt-transports-http:3.4.4
> org.apache.cxf:cxf-rt-features-logging:3.4.4
> javax.xml.ws:jaxws-api:2.3.1
> javax.jws:javax.jws-api:1.1
> com.sun.xml.messaging.saaj:saaj-impl:1.5.3
> Reporter: Tor Ranfelt
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> In our system we can't use a static certificate because it's a service that many \
> users use, and they need to use their own certificate to communicate with a \
> third-party SOAP-service. I used to be able to change Merlin's keystore whenever a \
> new certificate was needed, but after upgrading from Apache CXF 3.3.7 to 3.4.4 (and \
> other third party libraries that CXF depends on) a problem arose: Signatures \
> created by some certificates would be invalid. It was never the certificate that \
> was the problem, but which number of replacing key-store it was put into. So for \
> instance number 1 and 2 would be fine, but 3 would fail, and 4 would be fine. - \
> After which any new key-store with either certificate 1, 2 and 4 would keep \
> working, but 3 would fail every time. Probably due to some cache. I have \
> circumvented the problem by creating a new Merlin instance every time, instead of \
> just a new key-store instance. This works because the problem never manifest with \
> the first key-store.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic