August 2017 - jboss-jira - Jboss List Archives

[JBoss JIRA] (ELY-23) Add support for RFC5803

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-23?page=com.atlassian.jira.plugin.sys... ] Darran Lofthouse reassigned ELY-23: ----------------------------------- Assignee: (was: Darran Lofthouse) > Add support for RFC5803 > ----------------------- > > Key: ELY-23 > URL: https://issues.jboss.org/browse/ELY-23 > Project: WildFly Elytron > Issue Type: Sub-task > Reporter: Darran Lofthouse > Fix For: 1.2.0.Beta1 > > > RFC5803 adds support for storing SCRAM secrets in the 'authPassword' attribute introduced by RFC3112 -- This message was sent by Atlassian JIRA (v7.2.3#72005)

8 years, 8 months

1
0
0 / 0

[JBoss JIRA] (ELY-124) Java 8+ supports unbound SASL servers; GSSAPI and DIGEST-MD5 both use this value

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-124?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse reassigned ELY-124: ------------------------------------ Assignee: (was: Darran Lofthouse) > Java 8+ supports unbound SASL servers; GSSAPI and DIGEST-MD5 both use this value > -------------------------------------------------------------------------------- > > Key: ELY-124 > URL: https://issues.jboss.org/browse/ELY-124 > Project: WildFly Elytron > Issue Type: Task > Components: SASL > Reporter: David Lloyd > Fix For: 1.2.0.Beta1 > > > Since Java 8, the SaslServerFactory interface has been changed so that the serverName may be null. If null, the server name is considered "unbound" and the client can select what server name it wants to use. > The release notes say: > {quote} > SASL service for multiple host names: When creating a SASL server, the server name can be set to null to denote an unbound server, which means a client can request for the service using any server name. After a context is established, the server can retrieve the name as a negotiated property with the key name SASL.BOUND_SERVER_NAME. See RFE 7110803. > {quote} > The updated JavaDoc says: > {quote} > serverName - The fully qualified host name of the server to authenticate to, or null if the server is not bound to any specific host name. If the mechanism does not allow an unbound server, a SaslException will be thrown. > {quote} > The RFE link is: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7110803 > The two SASL mechanisms in Elytron that would be impacted by this are DIGEST-MD5 and GSSAPI. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

8 years, 8 months

1
0
0 / 0

[JBoss JIRA] (ELY-618) Dead code in DEREncoder

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-618?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse reassigned ELY-618: ------------------------------------ Assignee: (was: Darran Lofthouse) > Dead code in DEREncoder > ----------------------- > > Key: ELY-618 > URL: https://issues.jboss.org/browse/ELY-618 > Project: WildFly Elytron > Issue Type: Bug > Affects Versions: 1.1.0.Beta7 > Reporter: Ondrej Lukas > Labels: static_analysis > > There is an unintentional dead code in writeTag method of org.wildfly.security.asn1.DEREncoder. Variable {{tagNumber}} can be assigned to 31 as its maximal value from {{int tagNumber = tag & TAG_NUMBER_MASK;}} (because {{TAG_NUMBER_MASK = 0x1f}}) on line 576 [1] which means that condition {{if (tagNumber < 128)}} on line 582 is always true. It causes that else branch is never executed. > [1] https://github.com/wildfly-security/wildfly-elytron/blob/4453ea40a7a617b6... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

8 years, 8 months

1
0
0 / 0

[JBoss JIRA] (ELY-1242) External CS, create attribute is ignored

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-1242?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse reassigned ELY-1242: ------------------------------------- Assignee: (was: Darran Lofthouse) > External CS, create attribute is ignored > ---------------------------------------- > > Key: ELY-1242 > URL: https://issues.jboss.org/browse/ELY-1242 > Project: WildFly Elytron > Issue Type: Bug > Reporter: Martin Choma > Priority: Blocker > > {{location=secretdatafile}} have to exists, otherwise there occures NoSuchFileException > {code} > 09:13:34,368 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.credential-store.fips-credential-store: org.jboss.msc.service.StartException in service org.wildfly.security.credential-store.fips-credential-store: WFLYELY00004: Unable to start the service. > at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:123) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store > at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:945) > at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:821) > at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:213) > at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:159) > at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:117) > ... 5 more > Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/git-repositories/tests-security/fips/target/fips-cs-workdir/secure-data-file > at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86) > at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102) > at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107) > at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214) > at java.nio.file.Files.newByteChannel(Files.java:361) > at java.nio.file.Files.newByteChannel(Files.java:407) > at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384) > at java.nio.file.Files.newInputStream(Files.java:152) > at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:936) > ... 9 more > 09:13:34,372 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 2) WFLYCTL0013: Operation ("add") failed - address: ([ > ("subsystem" => "elytron"), > ("credential-store" => "fips-credential-store") > ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store.fips-credential-store" => "WFLYELY00004: Unable to start the service. > Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store > Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/git-repositories/tests-security/fips/target/fips-cs-workdir/secure-data-file"}} > {code} > There is missing branch in code when {{create = true}} and {{dataLocation != null}} > {code} > if (useExternalStorage) { > dataLocation = externalPath; > setupExternalStorage(type, location); > } else { > dataLocation = location; > keyStore = getKeyStoreInstance(type); > } > if (create) { > if (dataLocation == null) { > try { > keyStore.load(null, null); > } catch (CertificateException | IOException | NoSuchAlgorithmException e) { > throw log.cannotInitializeCredentialStore(e); > } > } > } > {code} > This issue pops up in ER1, because file based external CS feature was delivered in ER1 (JBEAP-10803) -- This message was sent by Atlassian JIRA (v7.2.3#72005)

8 years, 8 months

1
0
0 / 0

[JBoss JIRA] (ELY-827) Anonymous principal is not mapable to an identity

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-827?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse reassigned ELY-827: ------------------------------------ Assignee: (was: David Lloyd) > Anonymous principal is not mapable to an identity > ------------------------------------------------- > > Key: ELY-827 > URL: https://issues.jboss.org/browse/ELY-827 > Project: WildFly Elytron > Issue Type: Bug > Components: API / SPI > Reporter: David Lloyd > -- This message was sent by Atlassian JIRA (v7.2.3#72005)

8 years, 8 months

1
0
0 / 0

[JBoss JIRA] (ELY-1067) Add support to use default GSSCredential CredentalSource with AuthenticationConfiguration from XML

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-1067?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse reassigned ELY-1067: ------------------------------------- Assignee: (was: Darran Lofthouse) > Add support to use default GSSCredential CredentalSource with AuthenticationConfiguration from XML > -------------------------------------------------------------------------------------------------- > > Key: ELY-1067 > URL: https://issues.jboss.org/browse/ELY-1067 > Project: WildFly Elytron > Issue Type: Enhancement > Components: Authentication Client > Reporter: Darran Lofthouse > Fix For: 1.2.0.Beta1 > > -- This message was sent by Atlassian JIRA (v7.2.3#72005)

8 years, 8 months

1
0
0 / 0

[JBoss JIRA] (ELY-1300) Pem.parsePemX509Certificate() cannot parse files with non-PEM content

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-1300?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse reassigned ELY-1300: ------------------------------------- Assignee: (was: Darran Lofthouse) > Pem.parsePemX509Certificate() cannot parse files with non-PEM content > --------------------------------------------------------------------- > > Key: ELY-1300 > URL: https://issues.jboss.org/browse/ELY-1300 > Project: WildFly Elytron > Issue Type: Bug > Reporter: Peter Palaga > > Add a test like this to `PemTest`: > {code} > @Test > public void testParsePemX509Certificate01() throws Exception { > URL url = PemTest.class.getResource("/ca/certs/01.pem"); > byte[] bytes = Files.readAllBytes(Paths.get(url.toURI())); > assertNotNull(Pem.parsePemX509Certificate(CodePointIterator.ofUtf8Bytes(bytes))); > } > {code} > Note that {{ca/certs/01.pem}} should start with non-PEM content > {code} > Certificate: > Data: > ... > {code} > followed by the PEM content: > {code} > -----BEGIN CERTIFICATE----- > {code} > Run the test > {code} > mvn clean test -Dtest=PemTest#testParsePemX509Certificate01 > {code} > Expected: Not quite sure if the parser should accept this. In any case, the following code works on Oracle/OpenJDK (while it does not on IBM JDK): > {code} > CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); > InputStream is = X509EvidenceVerificationSuiteChild.class.getResourceAsStream("/ca/certs/01.pem"); > Assert.assertNotNull((X509Certificate) certificateFactory.generateCertificate(is)); > {code} > Actual: > {code} > testParsePemX509Certificate01(org.wildfly.security.util.PemTest) Time elapsed: 0.116 sec <<< ERROR! > java.lang.IllegalArgumentException: ELY03010: Malformed PEM content at offset 1 > at org.wildfly.security.pem.Pem.parsePemContent(Pem.java:79) > at org.wildfly.security.pem.Pem.parsePemX509Certificate(Pem.java:272) > at org.wildfly.security.util.PemTest.testParsePemX509Certificate01(PemTest.java:57) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:367) > at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:274) > at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238) > at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:161) > at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:290) > at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:242) > at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:121) > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

8 years, 8 months

1
0
0 / 0

[JBoss JIRA] (ELY-787) SASL mechanisms are not IANA registered and specifications are not provided

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-787?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse reassigned ELY-787: ------------------------------------ Assignee: (was: Darran Lofthouse) > SASL mechanisms are not IANA registered and specifications are not provided > --------------------------------------------------------------------------- > > Key: ELY-787 > URL: https://issues.jboss.org/browse/ELY-787 > Project: WildFly Elytron > Issue Type: Bug > Reporter: Josef Cacek > Priority: Critical > Labels: sasl > > Elytron comes with set of SASL mechanisms (as requested by EAP7-530), but they don't fit SASL requirements. > New mechanisms has to be registered by IANA as requested by [SASL RFC 4422 section 5|https://tools.ietf.org/html/rfc4422#section-5] and Java [SaslClientFactory|http://docs.oracle.com/javase/8/docs/api/javax/security...] and [SaslServerFactory|http://docs.oracle.com/javase/8/docs/api/javax/security...] contracts. > Current list of mechanisms provided by Elytron, which are not IANA registered: > * DIGEST-SHA > * DIGEST-SHA-256 > * DIGEST-SHA-512 > * JBOSS-LOCAL-USER > *Suggestion for improvement:* > Provide specifications for the new mechanisms and register the names by IANA (see [section 7 in RFC-4422|https://tools.ietf.org/html/rfc4422#section-7]). -- This message was sent by Atlassian JIRA (v7.2.3#72005)

8 years, 8 months

1
0
0 / 0

[JBoss JIRA] (ELY-297) Account Lockout

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-297?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse reassigned ELY-297: ------------------------------------ Assignee: (was: Darran Lofthouse) > Account Lockout > --------------- > > Key: ELY-297 > URL: https://issues.jboss.org/browse/ELY-297 > Project: WildFly Elytron > Issue Type: Task > Components: HTTP, Realms, SASL > Reporter: Darran Lofthouse > Labels: Common_Authentication, Realm_Management, management_security, > > One issue to consider is that we are using realms to integrate with existing user stores so may not be able to update the remote store: - > - Consider an option to update the remote store if possible. > - If not cache a backlisted user until an admin unlocks that account > Before being implemented this feature will require further discussion, in additional to locking mechanisms for unlocking should also be considered and also the potentional for denail of service type attacks based on locking out the administrators. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

8 years, 8 months

1
0
0 / 0

[JBoss JIRA] (ELY-1292) XmlConfigurationTest.testCertificateInCredentials hangs on IBM JDK

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-1292?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse reassigned ELY-1292: ------------------------------------- Assignee: (was: Darran Lofthouse) > XmlConfigurationTest.testCertificateInCredentials hangs on IBM JDK > ------------------------------------------------------------------ > > Key: ELY-1292 > URL: https://issues.jboss.org/browse/ELY-1292 > Project: WildFly Elytron > Issue Type: Bug > Reporter: Peter Palaga > > {{XmlConfigurationTest.testCertificateInCredentials}} does not terminate on IBM JDK. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

8 years, 8 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira August 2017