JBEAP-25960

(8.0.z) Filesystem realm's update-key-pair operation does not work as expected


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Major
    • 8.0.0.GA-CR1
    • Security
    • Known Issue

      /subsystem=elytron/key-store=keystore:add(path=keystore, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret})
      /subsystem=elytron/key-store=keystore:generate-key-pair(alias=user,algorithm=RSA,key-size=1024,validity=365,distinguished-name="CN=localhost")
      /subsystem=elytron/key-store=keystore:store()

      /subsystem=elytron/filesystem-realm=integrityfsRealm:add(path=integrityfsRealm,relative-to=jboss.server.config.dir, key-store=keystore, key-store-alias=user)
      /subsystem=elytron/filesystem-realm=integrityfsRealm:add-identity(identity=quickstartUser)
      /subsystem=elytron/filesystem-realm=integrityfsRealm:set-password(digest={algorithm=digest-md5, realm=fsRealm, password=password123!}, identity=quickstartUser)
      /subsystem=elytron/filesystem-realm=integrityfsRealm:add-identity-attribute(identity=quickstartUser, name=Roles, value=["Admin", "Guest"])

      /subsystem=elytron/filesystem-realm=integrityfsRealm:verify-integrity()

      /subsystem=elytron/key-store=keystore2:add(path=keystore2, relative-to=jboss.server.config.dir,  credential-reference={clear-text=secret})
      /subsystem=elytron/key-store=keystore2:generate-key-pair(alias=user2,algorithm=RSA,key-size=1024,validity=365,distinguished-name="CN=localhost")
      /subsystem=elytron/key-store=keystore2:store()
      /subsystem=elytron/filesystem-realm=integrityfsRealm:write-attribute(name=key-store, value=keystore2)
      /subsystem=elytron/filesystem-realm=integrityfsRealm:write-attribute(name=key-store-alias, value=user2)
      /subsystem=elytron/filesystem-realm=integrityfsRealm:update-key-pair()
      reload

      /subsystem=elytron/filesystem-realm=integrityfsRealm:verify-integrity()

      The last command fails with:

      {
          "outcome" => "failed",
          "failure-description" => "WFLYELY01217: Realm verification failed, invalid signatures for the identities: [quickstartUser]",
          "rolled-back" => true
      }

      The verification of integrity fails every time after the update-key-pair() operation.
      Additionally, if we manipulate an identity and call the update-key-pair operation, it passes successfully. The expected behaviour is for the operation to fail because the integrity has been compromised.
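The sequence in the report, modelled with in-memory RSA keys as an added example (this is editor-supplied code, not Elytron's implementation, and the `Identity` struct, its canonical encoding and the `VerifyIntegrity`/`UpdateKeyPair` functions are assumptions standing in for the realm's signed identity files and the `verify-integrity`/`update-key-pair` operations). It shows the two behaviours the report is about: pointing the realm at a new key pair without re-signing the identities makes verification fail with exactly the identity names listed, and a rotation routine that checks the existing signatures before re-signing refuses to proceed once an identity has been edited.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Identity is a stand-in for one identity file in a filesystem realm:
// attributes plus a signature over a canonical encoding. Constructed for
// this example; it is not Elytron's on-disk format.
type Identity struct {
	Name       string
	Attributes map[string]string
	Signature  []byte
}

// canonical returns the bytes the signature covers; attributes are written
// in sorted key order so the encoding is deterministic.
func canonical(id *Identity) []byte {
	keys := make([]string, 0, len(id.Attributes))
	for k := range id.Attributes {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	out := []byte(id.Name + "\n")
	for _, k := range keys {
		out = append(out, k+"="+id.Attributes[k]+"\n"...)
	}
	return out
}

func signIdentity(id *Identity, key *rsa.PrivateKey) error {
	digest := sha256.Sum256(canonical(id))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	id.Signature = sig
	return nil
}

// VerifyIntegrity plays the role of verify-integrity: it returns the names of
// identities whose signature does not verify under the configured public key.
func VerifyIntegrity(realm []*Identity, pub *rsa.PublicKey) []string {
	var invalid []string
	for _, id := range realm {
		digest := sha256.Sum256(canonical(id))
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], id.Signature); err != nil {
			invalid = append(invalid, id.Name)
		}
	}
	return invalid
}

// UpdateKeyPair plays the role of update-key-pair. It verifies every identity
// against the key the realm was signed with and refuses to re-sign if any
// signature is invalid (the behaviour the report expects), then re-signs
// everything with the new key.
func UpdateKeyPair(realm []*Identity, oldPub *rsa.PublicKey, newKey *rsa.PrivateKey) error {
	if invalid := VerifyIntegrity(realm, oldPub); len(invalid) > 0 {
		return fmt.Errorf("refusing to re-sign, invalid signatures for the identities: %v", invalid)
	}
	for _, id := range realm {
		if err := signIdentity(id, newKey); err != nil {
			return err
		}
	}
	return nil
}

// Outcome records the verify-integrity result at each step of the scenario.
type Outcome struct {
	Initial        []string // signed and verified with key pair 1
	AfterSwapOnly  []string // public key switched to key pair 2, no re-sign
	AfterUpdate    []string // re-signed with key pair 2, verified with it
	TamperRejected bool     // rotation refused after an identity was edited
	AfterTamper    []string // verify-integrity after the edit
}

// RunScenario walks through the report's sequence with in-memory keys.
func RunScenario() (Outcome, error) {
	var o Outcome
	k1, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return o, err
	}
	k2, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return o, err
	}
	// Constructed sample identity matching the one created in the report.
	realm := []*Identity{{Name: "quickstartUser", Attributes: map[string]string{"Roles": "Admin,Guest"}}}
	if err := signIdentity(realm[0], k1); err != nil {
		return o, err
	}
	o.Initial = VerifyIntegrity(realm, &k1.PublicKey)
	// Switching the key without re-signing reproduces the WFLYELY01217 failure.
	o.AfterSwapOnly = VerifyIntegrity(realm, &k2.PublicKey)
	if err := UpdateKeyPair(realm, &k1.PublicKey, k2); err != nil {
		return o, err
	}
	o.AfterUpdate = VerifyIntegrity(realm, &k2.PublicKey)
	// Edit the identity behind the realm's back, then try to rotate again.
	realm[0].Attributes["Roles"] = "Admin,Guest,SuperUser"
	o.TamperRejected = UpdateKeyPair(realm, &k2.PublicKey, k1) != nil
	o.AfterTamper = VerifyIntegrity(realm, &k2.PublicKey)
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", o)
}
```

The point of verifying under the old key before re-signing is that a rotation routine which blindly signs whatever is on disk would launder a tampered identity into a validly signed one, which is the second problem the report describes.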

            lvydra Lukas Vydra
            dvilkola@redhat.com Diana Krepinska (Inactive)