Uploaded image for project: 'atlassian-seraph'
  1. atlassian-seraph
  2. SER-107

Trusted Applications: Validate Client's PublicKey and successful SecretKey decryption

    XMLWordPrintable

Details

    • Improvement
    • Resolution: Fixed
    • Medium
    • 0.35
    • 0.34
    • None
    • true

    Description

      Currently, there is no way to validate that an application's saved public key is still valid. If not we cannot tell whether the decrypted secret key is valid or not either until it is used to decrypt the certificate. If it fails, we currently get a NumberFormatException.

      We need to do two things:

      1. For the current (version 1) Trusted Application implementation add a simple decrypted SecretKey validation that checks that the key data length is 16 bytes.
      2. For version 2, add a new header that is a constant encrypted with the client's private key. If we can successfully decrypt that, the client's public key is valid.

      It is important that the transition to a version 2 of the protocol is fully backwards compatible with version 1.

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-14382 Misleading "Invalid certificate" error message when trusted apps IP address not allowed

          • Medium - Medium priority issues
          • Closed

          Activity

            People

              jed Jed Wesley-Smith (Inactive)
              jed Jed Wesley-Smith (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                16 years, 13 weeks, 4 days ago