[jbossws-issues] [JBoss JIRA] (JBWS-4108) Expired certificates in testsuite

Jan Blizňák (JIRA) issues at jboss.org
Tue Mar 27 12:08:00 EDT 2018 

    [ https://issues.jboss.org/browse/JBWS-4108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13552306#comment-13552306 ] 

Jan Blizňák commented on JBWS-4108:
-----------------------------------

I have tried whether we really have such long safe period by changing system time (or you can use faketime library https://github.com/wolfcw/libfaketime ) and as reported originally, these two stores will contain expired certificates soon too:

{code:java}
./modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/basic/sign-encrypt/META-INF/john.jks
Valid from: Tue May 20 12:48:17 CEST 2008 until: Fri May 18 12:48:17 CEST 2018

./modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/basic/sign-encrypt/WEB-INF/bob2.jks
Valid from: Tue May 20 12:48:17 CEST 2008 until: Fri May 18 12:48:17 CEST 2018
{code}

{code:java}
# execute maven process one year in the future
faketime --exclude-monotonic -f "+1y" mvn -V -B verify -noLogRedirect -Dnodeploy -Pelytron,wildfly1300,testsuite -Dserver.home=/tmp/wildfly/dist/target/wildfly-13.0.0.Alpha1-SNAPSHOT -fn
....
[ERROR] Tests run: 2, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 13.826 s <<< FAILURE! - in org.jboss.test.ws.jaxws.samples.wsse.policy.basic.MultipleClientsSignEncryptTestCase
[ERROR] testJohn(org.jboss.test.ws.jaxws.samples.wsse.policy.basic.MultipleClientsSignEncryptTestCase)  Time elapsed: 0.135 s  <<< ERROR!
java.lang.Exception: Error A security error was encountered when verifying the message - please check that the Bouncy Castle provider is installed.
	at org.jboss.test.ws.jaxws.samples.wsse.policy.basic.MultipleClientsSignEncryptTestCase.testJohn(MultipleClientsSignEncryptTestCase.java:126)
Caused by: javax.xml.ws.soap.SOAPFaultException: A security error was encountered when verifying the message
	at org.jboss.test.ws.jaxws.samples.wsse.policy.basic.MultipleClientsSignEncryptTestCase.testJohn(MultipleClientsSignEncryptTestCase.java:122)
Caused by: org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
	at org.jboss.test.ws.jaxws.samples.wsse.policy.basic.MultipleClientsSignEncryptTestCase.testJohn(MultipleClientsSignEncryptTestCase.java:122)
{code}


We can also remove these two stores which are no longer used after https://github.com/jbossws/jbossws-cxf/commit/2b353661cc53a17f0ace5952f89a0ec5b6591d4c#diff-75d06a0eb668baacf2bdc6420a62f23f
modules/testsuite/shared-tests/src/test/resources/jaxws/samples/wssecurity/wsse.keystore
modules/testsuite/shared-tests/src/test/resources/jaxws/samples/wssecurity/wsse.truststore

> Expired certificates in testsuite
> ---------------------------------
>
>                 Key: JBWS-4108
>                 URL: https://issues.jboss.org/browse/JBWS-4108
>             Project: JBoss Web Services
>          Issue Type: Bug
>          Components: jbossws-cxf
>            Reporter: Jan Blizňák
>            Assignee: Alessio Soldano
>             Fix For: jbossws-cxf-5.2.1.Final
>
>
> Starting with Tuesday 20th of March 2018 we are getting test failures in few tests [https://jbossws-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/jenkins/job/CXF-CORE-AS-12.0.0/16/testReport/], rootcause of this is using pregenerated jks stores
> {code:java}
> Caused by: java.security.cert.CertificateExpiredException: NotAfter: Mon Mar 19 19:59:59 EDT 2018
> 	at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
> 	at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
> 	at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
> 	at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:758)
> 	... 64 more
> {code}
> Some already expired stores:
> ./modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/oasis/META-INF/alice.jks
> Valid from: Sat Mar 19 01:00:00 CET 2005 until: Tue Mar 20 00:59:59 CET 2018
> ./modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/oasis/WEB-INF/bob.jks
> Valid from: Sat Mar 19 01:00:00 CET 2005 until: Tue Mar 20 00:59:59 CET 2018
> ./modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/secconv/META-INF/alice.jks
> Valid from: Sat Mar 19 01:00:00 CET 2005 until: Tue Mar 20 00:59:59 CET 2018
> and soon to be invalid too:
> ./modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/basic/sign-encrypt/META-INF/john.jks
> Valid from: Tue May 20 12:48:17 CEST 2008 until: Fri May 18 12:48:17 CEST 2018
> ./modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/basic/sign-encrypt/WEB-INF/bob2.jks
> Valid from: Tue May 20 12:48:17 CEST 2008 until: Fri May 18 12:48:17 CEST 2018
> ... etc.
> We should probably switch to generating all the *-stores in pre test phase like done in wildfly https://github.com/wildfly/wildfly/blob/master/testsuite/integration/basic/pom.xml#L76 to be safe all the time



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

More information about the jbossws-issues mailing list