[jboss-jira] [JBoss JIRA] (WFLY-13256) Upgrade bouncycastle to 1.65.0

Jim Ma (Jira) issues at jboss.org
Fri Apr 10 06:00:01 EDT 2020


    [ https://issues.redhat.com/browse/WFLY-13256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14030477#comment-14030477 ] 

Jim Ma commented on WFLY-13256:
-------------------------------

[~brian.stansberry] [~aabdelsa] I tried to fix these failures by adding @FixMethodOrder to WSTrustTestCase and it works:
https://github.com/jimma/wildfly/commit/7fce5a2d10e81e4e7951d1e11eeb4419d1a63607

From the test execution, if WSTrustTestCase.testPicketLink() runs before WSTrustTestCase.testBearer() and WSTrustTestCase.testHolderOfKey(), it fails. But if WSTrustTestCase.test() runs first, it doesn't break these two tests. Compare these two tests:

{code:java}
    public void test() throws Exception {
        Bus bus = BusFactory.newInstance().createBus();
        try {
            BusFactory.setThreadDefaultBus(bus);

            final QName serviceName = new QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy", "SecurityService");
            final URL wsdlURL = new URL(serviceURL + "SecurityService?wsdl");
            Service service = Service.create(wsdlURL, serviceName);
            ServiceIface proxy = (ServiceIface) service.getPort(ServiceIface.class);

            final QName stsServiceName = new QName("http://docs.oasis-open.org/ws-sx/ws-trust/200512/", "SecurityTokenService");
            final QName stsPortName = new QName("http://docs.oasis-open.org/ws-sx/ws-trust/200512/", "UT_Port");
            URL stsURL = new URL(serviceURL.getProtocol(), serviceURL.getHost(), serviceURL.getPort(), "/jaxws-samples-wsse-policy-trust-sts/SecurityTokenService?wsdl");
            WSTrustTestUtils.setupWsseAndSTSClient(proxy, bus, stsURL.toString(), stsServiceName, stsPortName);

            try {
                assertEquals("WS-Trust Hello World!", proxy.sayHello());
            } catch (Exception e) {
                e.printStackTrace();
                throw e;
            }
        } finally {
            bus.shutdown(true);
        }
    }

    public void testPicketLink() throws Exception {
        Bus bus = BusFactory.newInstance().createBus();
        try {
            BusFactory.setThreadDefaultBus(bus);

            final QName serviceName = new QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy", "SecurityService");
            final URL wsdlURL = new URL(serviceURL + "SecurityService?wsdl");
            Service service = Service.create(wsdlURL, serviceName);
            ServiceIface proxy = (ServiceIface) service.getPort(ServiceIface.class);

            final QName stsServiceName = new QName("urn:picketlink:identity-federation:sts", "PicketLinkSTS");
            final QName stsPortName = new QName("urn:picketlink:identity-federation:sts", "PicketLinkSTSPort");
            final URL stsURL = new URL(serviceURL.getProtocol(), serviceURL.getHost(), serviceURL.getPort(), "/jaxws-samples-wsse-policy-trustPicketLink-sts/PicketLinkSTS?wsdl");
            WSTrustTestUtils.setupWsseAndSTSClient(proxy, bus, stsURL.toString(), stsServiceName, stsPortName);

            try {
                assertEquals("WS-Trust Hello World!", proxy.sayHello());
            } catch (Exception e) {
                throw e;
            }
        } finally {
            bus.shutdown(true);
        }
    }
{code}
(these lines are from
https://github.com/wildfly/wildfly/blob/master/testsuite/integration/ws/src/test/java/org/jboss/as/test/integration/ws/wsse/trust/WSTrustTestCase.java#L303 and
https://github.com/wildfly/wildfly/blob/master/testsuite/integration/ws/src/test/java/org/jboss/as/test/integration/ws/wsse/trust/WSTrustTestCase.java#L510)

Only the STS endpoint is different: one is CXF's STS service and the other one is PicketLink's. But the strange thing is that the PicketLink service is running over http transport instead of https. I still don't get why this would break the following https handshake.

I looked at the PicketLink code and dependencies. One thing we probably need to check is that picketlink-federation has a very old xmlsec 1.5.1.Final dependency which doesn't support JDK 9+. JDK 9 support and the added bouncycastle dependency only arrived with xmlsec 2.1.x. CXF already upgraded to xmlsec 2.1.4. I don't know if that's the reason the CXF STS service works.



> Upgrade bouncycastle to 1.65.0
> ------------------------------
>
>                 Key: WFLY-13256
>                 URL: https://issues.redhat.com/browse/WFLY-13256
>             Project: WildFly
>          Issue Type: Component Upgrade
>          Components: Build System, Server
>            Reporter: Bartosz Spyrko-Smietanko
>            Assignee: Brian Stansberry
>            Priority: Blocker
>              Labels: downstream_dependency
>             Fix For: 20.0.0.Beta1
>
>         Attachments: handshake-error.log, handshake-success.log
>
>




--
This message was sent by Atlassian Jira
(v7.13.8#713008)

