Posted to wss4j-dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2009/05/28 13:24:45 UTC

[jira] Commented: (WSS-195) More detailed exception thrown from CryptoBase.getPrivateKey()

    [ https://issues.apache.org/jira/browse/WSS-195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12713945#action_12713945 ] 

Colm O hEigeartaigh commented on WSS-195:
-----------------------------------------


Hi Aleksander,

Thanks for your patch. IMO adding such information to an exception is a security hole, as you're potentially leaking sensitive information about the keystore contents. How about we just log the information and throw the original generic exception message?

Colm.

> More detailed exception thrown from CryptoBase.getPrivateKey()
> --------------------------------------------------------------
>
>                 Key: WSS-195
>                 URL: https://issues.apache.org/jira/browse/WSS-195
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 1.5.8
>            Reporter: Aleksander Adamowski
>            Assignee: Ruchith Udayanga Fernando
>         Attachments: wss4j-CryptoBase_better_exception.patch
>
>
> Having a problem with getting a key from one of the keystores used by a web service client, I've patched and built my own version of WSS4J that adds keystore-identifying information to the exception thrown from CryptoBase.getPrivateKey() instead of only the looked-up alias.
> This way, I was able to identify the particular keystore the application was looking for the key in.
> I'm attaching my patch.
> Note that similar improvements should probably be made to other methods in CryptoBase.
> The exceptions currently thrown by CryptoBase only specify the alias which was looked up in a keystore. They may not be sufficient in a complex setup with multiple keystores because they give no hint whatsoever about what kind of keystore, with what contents, the search was performed in.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
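The approach Colm proposes, as an added illustration that is not WSS4J's own code: keystore-identifying detail (a hypothetical `keystoreLabel` such as the configured file name, plus the keystore type) goes to the local log, while the exception that propagates, and may end up in a fault sent to the remote peer, carries only the original alias-level message.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example (not WSS4J's CryptoBase): look up a private key, logging the
// keystore details an operator needs while keeping the thrown message generic.
public class PrivateKeyLookup {
    private static final Logger LOG = Logger.getLogger(PrivateKeyLookup.class.getName());

    private final KeyStore keystore;
    // Hypothetical label for log lines only, e.g. the configured keystore file name.
    private final String keystoreLabel;

    public PrivateKeyLookup(KeyStore keystore, String keystoreLabel) {
        this.keystore = keystore;
        this.keystoreLabel = keystoreLabel;
    }

    public PrivateKey getPrivateKey(String alias, char[] password) throws GeneralSecurityException {
        Key key = null;
        try {
            if (keystore.isKeyEntry(alias)) {
                key = keystore.getKey(alias, password);
            }
        } catch (GeneralSecurityException e) {
            // Wrong password, unsupported algorithm, uninitialized store: full detail stays local.
            LOG.log(Level.FINE, "Key retrieval for alias " + alias + " failed in " + describeKeystore(), e);
        }
        if (!(key instanceof PrivateKey)) {
            // The operator can see which store was searched ...
            LOG.log(Level.FINE, "No private key for alias {0} in {1}",
                    new Object[] {alias, describeKeystore()});
            // ... but the caller only learns what the original generic message already said.
            throw new GeneralSecurityException("Private key not found for alias " + alias);
        }
        return (PrivateKey) key;
    }

    // Identifying information about the keystore, intended for the log, never for the exception.
    private String describeKeystore() {
        return "keystore '" + keystoreLabel + "' (type " + keystore.getType() + ")";
    }
}
```

Because the log is the only place the keystore description appears, the detail the reporter wanted is still available for troubleshooting without being exposed to whoever receives the exception.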

