Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-28522

[GSS](7.4.z) Santuario SignatureBaseRSA debug signatureAlgorithm.getProvider can disable delayed provider selection

XMLWordPrintable

      Apps requiring a custom security provider may face an issue on 7.4.17+ if they depend on delayed provider selection. Security debug shows the delayed provider selection disabled by org.apache.xml.security.algorithms.implementations.SignatureBaseRSA:

       Signature: Signature.init() not first method called, disabling delayed provider selection 
       java.lang.Exception: Debug call trace 
              at java.security.Signature$Delegate.chooseFirstProvider(Signature.java:1054) 
              at java.security.Signature.getProvider(Signature.java:436) 
              at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.<init>(SignatureBaseRSA.java:64) 
              at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.<init>(SignatureBaseRSA.java:57) 
              at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1.<init>(SignatureBaseRSA.java:207) 
      

      That is a result of this commit in santuario 2.3.4, which we upgraded to for CVE-2024-28752.

      We need to backport this fix or upgrade to santuario 2.3.5+ when available. And we also need to backport this to fix the changed test case on JDK 8.

              rhn-engineering-lgao Lin Gao
              rhn-support-aogburn Aaron Ogburn
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: