[jboss-jira] [JBoss JIRA] (WFLY-13256) Upgrade bouncycastle to 1.65.0
Jim Ma (Jira)
issues at jboss.org
Fri Apr 10 06:02:00 EDT 2020
[ https://issues.redhat.com/browse/WFLY-13256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14030477#comment-14030477 ]
Jim Ma edited comment on WFLY-13256 at 4/10/20 6:01 AM:
--------------------------------------------------------
[~brian.stansberry] [~aabdelsa] I tried to fix these failures by adding @FixedMethodOrder for WSTrustTest and it works:
https://github.com/jimma/wildfly/commit/7fce5a2d10e81e4e7951d1e11eeb4419d1a63607
From the test execution, if the WSTrustTestCase.testPicketLink() execution is *before* WSTrustTestCase.testBearer() and WSTrustTestCase.testHolderOfKey(), it *fails*. But if WSTrustTestCase.test() executes first, it *doesn't* break these two tests. Compare these two tests:
{code:java}
public void test() throws Exception {
    Bus bus = BusFactory.newInstance().createBus();
    try {
        BusFactory.setThreadDefaultBus(bus);
        final QName serviceName = new QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy", "SecurityService");
        final URL wsdlURL = new URL(serviceURL + "SecurityService?wsdl");
        Service service = Service.create(wsdlURL, serviceName);
        ServiceIface proxy = (ServiceIface) service.getPort(ServiceIface.class);
        // CXF STS endpoint (WS-Trust 1.3 namespace)
        final QName stsServiceName = new QName("http://docs.oasis-open.org/ws-sx/ws-trust/200512/", "SecurityTokenService");
        final QName stsPortName = new QName("http://docs.oasis-open.org/ws-sx/ws-trust/200512/", "UT_Port");
        URL stsURL = new URL(serviceURL.getProtocol(), serviceURL.getHost(), serviceURL.getPort(), "/jaxws-samples-wsse-policy-trust-sts/SecurityTokenService?wsdl");
        WSTrustTestUtils.setupWsseAndSTSClient(proxy, bus, stsURL.toString(), stsServiceName, stsPortName);
        try {
            assertEquals("WS-Trust Hello World!", proxy.sayHello());
        } catch (Exception e) {
            e.printStackTrace();
            throw e;
        }
    } finally {
        bus.shutdown(true);
    }
}

public void testPicketLink() throws Exception {
    Bus bus = BusFactory.newInstance().createBus();
    try {
        BusFactory.setThreadDefaultBus(bus);
        final QName serviceName = new QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy", "SecurityService");
        final URL wsdlURL = new URL(serviceURL + "SecurityService?wsdl");
        Service service = Service.create(wsdlURL, serviceName);
        ServiceIface proxy = (ServiceIface) service.getPort(ServiceIface.class);
        // PicketLink STS endpoint
        final QName stsServiceName = new QName("urn:picketlink:identity-federation:sts", "PicketLinkSTS");
        final QName stsPortName = new QName("urn:picketlink:identity-federation:sts", "PicketLinkSTSPort");
        final URL stsURL = new URL(serviceURL.getProtocol(), serviceURL.getHost(), serviceURL.getPort(), "/jaxws-samples-wsse-policy-trustPicketLink-sts/PicketLinkSTS?wsdl");
        WSTrustTestUtils.setupWsseAndSTSClient(proxy, bus, stsURL.toString(), stsServiceName, stsPortName);
        try {
            assertEquals("WS-Trust Hello World!", proxy.sayHello());
        } catch (Exception e) {
            throw e;
        }
    } finally {
        bus.shutdown(true);
    }
}
{code}
(find these lines from
https://github.com/wildfly/wildfly/blob/master/testsuite/integration/ws/src/test/java/org/jboss/as/test/integration/ws/wsse/trust/WSTrustTestCase.java#L303,
https://github.com/wildfly/wildfly/blob/master/testsuite/integration/ws/src/test/java/org/jboss/as/test/integration/ws/wsse/trust/WSTrustTestCase.java#L510)
Only the STS endpoint is different: one is CXF's STS service and the other one is PicketLink. But the strange thing is that the PicketLink service is running with http transport instead of https. I still don't get why this will break the following https handshake.
I looked at the picketlink code and dependencies. One thing we probably need to check is that picketlink 2.5.5.SP12 has a very old xmlsec 1.5.1.Final dependency which doesn't support jdk9+. JDK9 support and adding the bouncycastle dependency came after xmlsec 2.1.x. CXF already upgraded to xmlsec 2.1.4. I don't know if that's the reason the CXF STS service works.
was (Author: jim.ma):
[~brian.stansberry] [~aabdelsa] I tried to fix these failures by adding @FixedMethodOrder for WSTrustTest and it works:
https://github.com/jimma/wildfly/commit/7fce5a2d10e81e4e7951d1e11eeb4419d1a63607
From the test execution, if the WSTrustTestCase.testPicketLink() execution is before WSTrustTestCase.testBearer() and WSTrustTestCase.testHolderOfKey(), it fails. But if WSTrustTestCase.test() executes first, it doesn't break these two tests. Compare these two tests:
{code:java}
public void test() throws Exception {
    Bus bus = BusFactory.newInstance().createBus();
    try {
        BusFactory.setThreadDefaultBus(bus);
        final QName serviceName = new QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy", "SecurityService");
        final URL wsdlURL = new URL(serviceURL + "SecurityService?wsdl");
        Service service = Service.create(wsdlURL, serviceName);
        ServiceIface proxy = (ServiceIface) service.getPort(ServiceIface.class);
        // CXF STS endpoint (WS-Trust 1.3 namespace)
        final QName stsServiceName = new QName("http://docs.oasis-open.org/ws-sx/ws-trust/200512/", "SecurityTokenService");
        final QName stsPortName = new QName("http://docs.oasis-open.org/ws-sx/ws-trust/200512/", "UT_Port");
        URL stsURL = new URL(serviceURL.getProtocol(), serviceURL.getHost(), serviceURL.getPort(), "/jaxws-samples-wsse-policy-trust-sts/SecurityTokenService?wsdl");
        WSTrustTestUtils.setupWsseAndSTSClient(proxy, bus, stsURL.toString(), stsServiceName, stsPortName);
        try {
            assertEquals("WS-Trust Hello World!", proxy.sayHello());
        } catch (Exception e) {
            e.printStackTrace();
            throw e;
        }
    } finally {
        bus.shutdown(true);
    }
}

public void testPicketLink() throws Exception {
    Bus bus = BusFactory.newInstance().createBus();
    try {
        BusFactory.setThreadDefaultBus(bus);
        final QName serviceName = new QName("http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy", "SecurityService");
        final URL wsdlURL = new URL(serviceURL + "SecurityService?wsdl");
        Service service = Service.create(wsdlURL, serviceName);
        ServiceIface proxy = (ServiceIface) service.getPort(ServiceIface.class);
        // PicketLink STS endpoint
        final QName stsServiceName = new QName("urn:picketlink:identity-federation:sts", "PicketLinkSTS");
        final QName stsPortName = new QName("urn:picketlink:identity-federation:sts", "PicketLinkSTSPort");
        final URL stsURL = new URL(serviceURL.getProtocol(), serviceURL.getHost(), serviceURL.getPort(), "/jaxws-samples-wsse-policy-trustPicketLink-sts/PicketLinkSTS?wsdl");
        WSTrustTestUtils.setupWsseAndSTSClient(proxy, bus, stsURL.toString(), stsServiceName, stsPortName);
        try {
            assertEquals("WS-Trust Hello World!", proxy.sayHello());
        } catch (Exception e) {
            throw e;
        }
    } finally {
        bus.shutdown(true);
    }
}
{code}
(find these lines from
https://github.com/wildfly/wildfly/blob/master/testsuite/integration/ws/src/test/java/org/jboss/as/test/integration/ws/wsse/trust/WSTrustTestCase.java#L303,
https://github.com/wildfly/wildfly/blob/master/testsuite/integration/ws/src/test/java/org/jboss/as/test/integration/ws/wsse/trust/WSTrustTestCase.java#L510)
Only the STS endpoint is different: one is CXF's STS service and the other one is PicketLink. But the strange thing is that the PicketLink service is running with http transport instead of https. I still don't get why this will break the following https handshake.
I looked at the picketlink code and dependencies. One thing we probably need to check is that picketlink-federation has a very old xmlsec 1.5.1.Final dependency which doesn't support jdk9+. JDK9 support and adding the bouncycastle dependency came after xmlsec 2.1.x. CXF already upgraded to xmlsec 2.1.4. I don't know if that's the reason the CXF STS service works.
> Upgrade bouncycastle to 1.65.0
> ------------------------------
>
> Key: WFLY-13256
> URL: https://issues.redhat.com/browse/WFLY-13256
> Project: WildFly
> Issue Type: Component Upgrade
> Components: Build System, Server
> Reporter: Bartosz Spyrko-Smietanko
> Assignee: Brian Stansberry
> Priority: Blocker
> Labels: downstream_dependency
> Fix For: 20.0.0.Beta1
>
> Attachments: handshake-error.log, handshake-success.log
>
>
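The order dependence described above (testPicketLink() breaking the later HTTPS handshakes in testBearer() and testHolderOfKey()) is the signature of JVM-wide state leaking between test methods. The JUnit 4 rule below is an added diagnostic, not code from WildFly, CXF or PicketLink: it snapshots the JCA provider list (where a stray bouncycastle/xmlsec registration would show up) and the CXF thread-default Bus before each test and reports any drift afterwards. The class name and the decision to only report, not fail, are assumptions for illustration.

```java
// Added diagnostic (not part of the WildFly test suite): reports JVM-wide state
// that one WS-Trust test may leave behind for the next one.
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.junit.rules.TestWatcher;
import org.junit.runner.Description;

public class GlobalStateLeakWatcher extends TestWatcher {
    private List<String> providersBefore;
    private Bus busBefore;

    // Provider names in registration order; order matters for TLS/JSSE lookups.
    private static List<String> providerNames() {
        return Arrays.stream(Security.getProviders())
                     .map(Provider::getName)
                     .collect(Collectors.toList());
    }

    @Override
    protected void starting(Description d) {
        providersBefore = providerNames();
        // false: do not create a Bus if none is bound to this thread yet
        busBefore = BusFactory.getThreadDefaultBus(false);
    }

    @Override
    protected void finished(Description d) {
        List<String> after = providerNames();
        if (!after.equals(providersBefore)) {
            System.err.printf("%s changed the JCA provider list: %s -> %s%n",
                              d.getMethodName(), providersBefore, after);
        }
        Bus busAfter = BusFactory.getThreadDefaultBus(false);
        if (busAfter != busBefore) {
            System.err.printf("%s left a different thread-default Bus: %s -> %s%n",
                              d.getMethodName(), busBefore, busAfter);
        }
    }
}
```

Declare it in the test class as `@Rule public GlobalStateLeakWatcher watcher = new GlobalStateLeakWatcher();` and run the methods in the failing order; a provider or Bus change reported right after testPicketLink() narrows the cause before the dependency versions are changed.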
--
This message was sent by Atlassian Jira
(v7.13.8#713008)