-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade CXF to latest version to get rid of CVE-2022-46364 and #197
Closed
Closed
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do not understand this change - does it relate to the topic of PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The API of WSS4J have changed. The method
setAsymmetricSignatureappears to have been moved from the top level classAlgorithmSuiteto the nested classAlgorithmSuiteType.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, good! But could it be that AsymmetricSignature is not set to "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" for
BASIC_128_GCM_SHA_256
but only for
BASIC_128_GCM_SHA_256_MGF_SHA_256?
In previous version, it was defined on a OxalisAlgorithmSuite level, in a new version - on AlgorithmSuiteType, but in
Oxalis-AS4/src/main/java/network/oxalis/as4/util/OxalisAlgorithmSuiteLoader.java
Line 76 in 824db31
May be we miss similar line for BASIC_128_GCM_SHA_256?
If we make mistake here, it will be quite difficult to find it out...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. The asymmetric signature is now only set for the second custom
AlgorithmSuiteType, BASIC_128_GCM_SHA_256_MGF_SHA_256. It might well be that it is needed for the first one, too.I put it on the second suite type, since it already had a couple of customizations, guessing that the first one might not need customisation. But I don't know these WSS4J APIs, I just did the bare minimum to get it to compile against newer CXF and WSS4J. And it appears to be working in our test environment, but that might be a false positive, if some default asymmetric signature with weaker security is used instead...
Do you think its safer to assign the asymmetric signature on both?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the WSS4J code, the algorithm suite gets a default asymmetric signature, when we don't specify it. So it's probably safest to set it on both suites. I have added that in the last commit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you! Yes, this looks safer - better to keep the same logic as much as possible during upgrades.
I think it is ok now - although I would write it like before, without extracting to a variable algorithmSuiteType for only one of suites:
In this case, the commit diff would clearly highlight, that you just added .setAsymmetricSignature("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"); to both suite types because it is removed from Suite.
But it is just a question of styling :)
Anyway, let's see @aaron-kumar review too :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, seems like @aaron-kumar did a superset of these changes in the latest release, and also added code to adjust the signature algorithm.