Darran Lofthouse commented on WFWIP-374:
----------------------------------------
I am going to promote this to critical for now; I think we can follow up next week with the fix, but we should add the protection against accidental writes, as accidentally deleting a secret key makes previously encrypted expressions unusable as there is no alternative to recover them.

This is also something we should make sure we cover in all documentation: the importance of backing up any created secret key securely, as on loss of the secret key the only option will be to regenerate all expressions.
credential-store overwrites existing aliases when generating or importing keys
------------------------------------------------------------------------------

                Key: WFWIP-374
                URL: https://issues.redhat.com/browse/WFWIP-374
            Project: WildFly WIP
         Issue Type: Bug
         Components: Security
           Reporter: Ondrej Kotek
           Assignee: Darran Lofthouse
           Priority: Critical

The Elytron {{credential-store}} resource overwrites existing aliases when generating or importing keys; this is not consistent with the behaviour of the {{add-alias}} operation.
{noformat}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:generate-secret-key(alias=a1)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:read-aliases
{
    "outcome" => "success",
    "result" => ["a1"]
}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:generate-secret-key(alias=a1)
{"outcome" => "success"}
-------------------------
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:export-secret-key(alias=a2)
{
    "outcome" => "success",
    "result" => {"key" => "RUxZAUuJqp+mNwIEDMrUz0iK6dyG"}
}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:import-secret-key(alias=a2,key=RUxZAUuJqp+mNwIEDMrUz0iK6dyG)
{"outcome" => "success"}
-------------------------
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:add-alias(alias=a2,secret-value=a2)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:add-alias(alias=a2,secret-value=a2)
{
    "outcome" => "failed",
    "failure-description" => "WFLYELY00913: Credential alias 'a2' of credential type 'org.wildfly.security.credential.PasswordCredential' already exists in the store",
    "rolled-back" => true
}
{noformat}
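Until the server-side fix lands, an operator can put the missing existence check in front of {{generate-secret-key}} and {{import-secret-key}} themselves. The following is an added example, not WildFly or Elytron project code: it parses the DMR-style output of {{read-aliases}} (sample constructed from the transcript above), mirrors the refusal that {{add-alias}} already performs, and only then builds the write command. It assumes {{jboss-cli.sh}} is on the PATH and that the store name and alias names are the caller's.

```python
import re
import subprocess
from typing import List, Optional

# Constructed sample of what read-aliases prints, shaped like the transcript in the issue.
SAMPLE_READ_ALIASES = '''{
    "outcome" => "success",
    "result" => ["a1", "a2"]
}'''


def parse_aliases(output: str) -> List[str]:
    """Return the alias names from read-aliases output (DMR text); raise if it did not succeed."""
    if '"outcome" => "success"' not in output:
        raise RuntimeError("read-aliases failed: " + output.strip())
    match = re.search(r'"result"\s*=>\s*\[(.*?)\]', output, re.DOTALL)
    # An empty store prints "result" => []; a missing result is treated the same way.
    return re.findall(r'"([^"]*)"', match.group(1)) if match else []


def guarded_command(store: str, aliases: List[str], alias: str, op: str,
                    key: Optional[str] = None) -> Optional[str]:
    """Build the CLI write command, or return None when the alias already exists.

    This is the check add-alias performs (WFLYELY00913), applied to the two operations
    the issue shows overwriting silently: generate-secret-key and import-secret-key.
    """
    if op not in ("generate-secret-key", "import-secret-key"):
        raise ValueError("unsupported operation: " + op)
    if alias in aliases:
        return None  # refuse: overwriting would destroy the key behind existing expressions
    params = f"alias={alias}" + (f",key={key}" if op == "import-secret-key" else "")
    return f"/subsystem=elytron/credential-store={store}:{op}({params})"


def run_guarded(store: str, alias: str, op: str, key: Optional[str] = None,
                cli: str = "jboss-cli.sh") -> subprocess.CompletedProcess:
    """Read the live alias list, then run the write only if the guard allows it (assumes jboss-cli.sh on PATH)."""
    read_cmd = f"--command=/subsystem=elytron/credential-store={store}:read-aliases"
    read = subprocess.run([cli, "--connect", read_cmd], capture_output=True, text=True, check=True)
    cmd = guarded_command(store, parse_aliases(read.stdout), alias, op, key)
    if cmd is None:
        raise SystemExit(f"alias '{alias}' already exists in store '{store}'; refusing to overwrite")
    return subprocess.run([cli, "--connect", f"--command={cmd}"], check=True)
```

The read-then-write is not atomic, so two operators racing on the same store can still collide; the guard reduces accidental overwrites but does not replace the fix inside the resource itself.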