payara / Payara

Payara Server is an open source middleware platform that supports reliable and secure deployments of Java EE (Jakarta EE) and MicroProfile applications in any environment: on premise, in the cloud or hybrid.
http://www.payara.fish

Please remove expired certificates from distribution/FISH-6107 #5625

Open pzygielo opened 2 years ago

pzygielo commented 2 years ago

Description

Please remove expired certificates from distribution

Expected Outcome

Payara Micro ran just after release should warn about minimal number of expired certificates, and not about certs that expired months earlier.

Current Outcome

15 warnings about expired bundled certificates.

Alternatives

Context


Please consider removing following certificates from below keystores:

```shell
# Line continuations added so the alias list parses as a single `for` word list
for a in cert_2_globalsign_root_ca___r22 \
         globalsignrootca-r2 \
         cert_91_pscprocert91 \
         cert_14_quovadis_root_ca14 \
         mykey \
         dstrootcax3 \
         cert_46_cybertrust_global_root46 \
         soneraclass2ca \
         globalsignr2ca \
         soneraclass2rootca \
         cert_18_sonera_class_2_root_ca18 \
         soneraclass1ca \
         thawteserverca \
         quovadisrootca \
         cert_30_dst_root_ca_x330 \
         verisigntsaca \
         cybertrustglobalroot \
         thawtepremiumserverca \
         thawtepersonalfreemailca
do
  keytool -delete -alias "$a" -keystore ./nucleus/security/core/src/main/resources/config/cacerts.jks -storepass changeit
done
```

```shell
# Line continuations added so the alias list parses as a single `for` word list
for a in cert_30_dst_root_ca_x330 \
         cert_91_pscprocert91 \
         cert_46_cybertrust_global_root46 \
         soneraclass1ca \
         thawtepersonalfreemailca \
         globalsignr2ca \
         quovadisrootca \
         mykey \
         cert_2_globalsign_root_ca___r22 \
         cert_18_sonera_class_2_root_ca18 \
         cert_14_quovadis_root_ca14 \
         thawteserverca \
         soneraclass2ca \
         thawtepremiumserverca \
         verisigntsaca
do
  keytool -delete -alias "$a" -keystore ./nucleus/admin/template/src/main/resources/config/cacerts.jks -storepass changeit
done
```

Also, in a few months the following certs will also expire: cert_11_visa_ecommerce_root11, cert_8_geotrust_global_ca8, geotrustglobalca. Perhaps their removal could also be considered.

I'd open a PR with this, but the modified binary would be harder to review than a script to do it, I guess.

NobleDan commented 2 years ago

This also occurs on a Payara server install.

There are several certificates which are 1024-bit RSA keys, which keytool warns "are considered a security risk and the key size will be disabled in a future update". It would be sensible to remove those at the same time.

shub8968 commented 2 years ago

Hi @pzygielo,

Payara Micro does not come with certificates. If there is a mention of expired certificates, they are from the JVM itself. For the Payara server, they are removed when released. But when they expire after release, you can have this message. You should remove expired certificates from the Payara server's truststore by yourself if the message bothers you. Thanks

pzygielo commented 2 years ago

Hi @shub8968, thanks for checking.

> Payara Micro does not come with certificates.

What that could be then?

```
$ wget https://repo.maven.apache.org/maven2/fish/payara/extras/payara-micro/5.2022.1/payara-micro-5.2022.1.jar

$ unzip -qd micro payara-micro-5.2022.1.jar

$ find micro -name *.jks
micro/MICRO-INF/domain/keystore.jks
micro/MICRO-INF/domain/cacerts.jks
```

> If there is a mention of expired certificates, they are from the JVM itself.

No, there is no mykey there. But there is one expired in micro's:

```
$ keytool -list -alias mykey -keystore micro/MICRO-INF/domain/cacerts.jks -storepass changeit
mykey, 26 Apr 2018, trustedCertEntry, 
Certificate fingerprint (SHA-256): 73:1D:3D:9C:FA:A0:61:48:7A:1D:71:44:5A:42:F6:7D:F0:AF:CA:2A:6C:2D:2F:98:FF:7B:3C:E1:12:B1:F5:68

$ keytool -list -alias mykey -v -keystore micro/MICRO-INF/domain/cacerts.jks -storepass changeit | grep Valid
Valid from: Thu Oct 06 17:43:55 CEST 2016 until: Wed Oct 06 17:43:55 CEST 2021
```

and to check all those reported originally:

```
$ for a in cert_2_globalsign_root_ca___r22 \
         globalsignrootca-r2 \
         cert_91_pscprocert91 \
         cert_14_quovadis_root_ca14 \
         mykey \
         dstrootcax3 \
         cert_46_cybertrust_global_root46 \
         soneraclass2ca \
         globalsignr2ca \
         soneraclass2rootca \
         cert_18_sonera_class_2_root_ca18 \
         soneraclass1ca \
         thawteserverca \
         quovadisrootca \
         cert_30_dst_root_ca_x330 \
         verisigntsaca \
         cybertrustglobalroot \
         thawtepremiumserverca \
         thawtepersonalfreemailca
do
  keytool -list -alias $a -v -keystore micro/MICRO-INF/domain/cacerts.jks -storepass changeit | grep Valid
done
Valid from: Fri Dec 15 09:00:00 CET 2006 until: Wed Dec 15 09:00:00 CET 2021
Valid from: Tue Dec 28 17:51:00 CET 2010 until: Sat Dec 26 00:59:59 CET 2020
Valid from: Mon Mar 19 19:33:33 CET 2001 until: Wed Mar 17 19:33:33 CET 2021
Valid from: Thu Oct 06 17:43:55 CEST 2016 until: Wed Oct 06 17:43:55 CEST 2021
Valid from: Fri Dec 15 09:00:00 CET 2006 until: Wed Dec 15 09:00:00 CET 2021
Valid from: Fri Apr 06 09:29:40 CEST 2001 until: Tue Apr 06 09:29:40 CEST 2021
Valid from: Fri Dec 15 09:00:00 CET 2006 until: Wed Dec 15 09:00:00 CET 2021
Valid from: Fri Apr 06 09:29:40 CEST 2001 until: Tue Apr 06 09:29:40 CEST 2021
Valid from: Fri Apr 06 12:49:13 CEST 2001 until: Tue Apr 06 12:49:13 CEST 2021
Valid from: Thu Aug 01 02:00:00 CEST 1996 until: Sat Jan 02 00:59:59 CET 2021

Warning:
The certificate uses a 1024-bit RSA key which is considered a security risk and is disabled.
Valid from: Mon Mar 19 19:33:33 CET 2001 until: Wed Mar 17 19:33:33 CET 2021
Valid from: Sat Sep 30 23:12:19 CEST 2000 until: Thu Sep 30 16:01:15 CEST 2021
Valid from: Wed Jan 01 01:00:00 CET 1997 until: Fri Jan 01 00:59:59 CET 2021

Warning:
The certificate uses a 1024-bit RSA key which is considered a security risk and is disabled.
Valid from: Thu Aug 01 02:00:00 CEST 1996 until: Sat Jan 02 00:59:59 CET 2021

Warning:
The certificate uses a 1024-bit RSA key which is considered a security risk and is disabled.
Valid from: Mon Jan 01 01:00:00 CET 1996 until: Sat Jan 02 00:59:59 CET 2021

Warning:
The certificate uses a 1024-bit RSA key which is considered a security risk and is disabled.
```

> For the Payara server, they are removed when released.

Could this also be considered for Payara Micro? I can't remove them without repackaging the jar.
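The two checks the thread performs by hand (grepping `Valid ... until:` lines for expired anchors, and watching for keytool's 1024-bit RSA warning) can be done in one pass over `keytool -list -v` output. The script below is an added example and is not Payara project code or anything the commenters posted; it parses the text keytool prints, so it needs only the Python standard library and no JKS parser. The embedded listing is constructed for the demo (its aliases and dates are illustrative, apart from `mykey` and `thawtepersonalfreemailca`, whose validity periods match those quoted above); the 180-day horizon, the `MIN_RSA_BITS` threshold and the reference date passed as `now` are the example's own assumptions.

```python
"""Audit `keytool -list -v` output for expired, soon-to-expire and weak-key trust anchors.

Added example, not Payara code. Works on the text keytool prints, so it runs offline
with the standard library; feed it `keytool -list -v -keystore ... -storepass ...`
output instead of the constructed sample to audit a real truststore.
"""
import re
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample of `keytool -list -v` output (three entries, abbreviated fields).
# The validity lines for mykey and thawtepersonalfreemailca mirror the issue's report.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: mykey
Creation date: 26 Apr 2018
Entry type: trustedCertEntry

Valid from: Thu Oct 06 17:43:55 CEST 2016 until: Wed Oct 06 17:43:55 CEST 2021
Subject Public Key Algorithm: 2048-bit RSA key


*******************************************
*******************************************


Alias name: thawtepersonalfreemailca
Creation date: 26 Apr 2018
Entry type: trustedCertEntry

Valid from: Mon Jan 01 01:00:00 CET 1996 until: Sat Jan 02 00:59:59 CET 2021
Subject Public Key Algorithm: 1024-bit RSA key

Warning:
The certificate uses a 1024-bit RSA key which is considered a security risk and is disabled.


*******************************************
*******************************************


Alias name: stillvalidca
Creation date: 26 Apr 2018
Entry type: trustedCertEntry

Valid from: Tue Jan 01 00:00:00 GMT 2019 until: Sat Jun 01 00:00:00 GMT 2022
Subject Public Key Algorithm: 2048-bit RSA key
"""

MIN_RSA_BITS = 2048  # assumption: anything shorter is flagged, matching keytool's warning

_ALIAS_RE = re.compile(r"^Alias name: (.+)$", re.MULTILINE)
# keytool prints e.g. "until: Wed Oct 06 17:43:55 CEST 2021"; the zone abbreviation is
# dropped because strptime cannot resolve names like CEST, and day precision suffices.
_UNTIL_RE = re.compile(r"until: (\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")
_KEY_RE = re.compile(r"Subject Public Key Algorithm: (\d+)-bit (\w+) key")


@dataclass
class TrustAnchor:
    alias: str
    not_after: datetime          # naive; time zone token discarded (see above)
    key_bits: Optional[int]
    key_algo: Optional[str]


def parse_keytool_listing(text: str) -> List[TrustAnchor]:
    """Split the listing on keytool's asterisk separators and extract one record per entry."""
    anchors: List[TrustAnchor] = []
    for block in re.split(r"^\*{10,}\s*$", text, flags=re.MULTILINE):
        alias = _ALIAS_RE.search(block)
        until = _UNTIL_RE.search(block)
        if not alias or not until:
            continue  # separator remnants or entries without a validity line
        key = _KEY_RE.search(block)
        anchors.append(TrustAnchor(
            alias=alias.group(1).strip(),
            not_after=datetime.strptime(f"{until.group(1)} {until.group(2)}",
                                        "%a %b %d %H:%M:%S %Y"),
            key_bits=int(key.group(1)) if key else None,
            key_algo=key.group(2) if key else None,
        ))
    return anchors


def audit(anchors: List[TrustAnchor], now: datetime, horizon_days: int = 180) -> Dict[str, List[str]]:
    """Classify anchors as expired, expiring within the horizon, or carrying a weak RSA key."""
    findings: Dict[str, List[str]] = {"expired": [], "expiring": [], "weak_key": []}
    horizon = now + timedelta(days=horizon_days)
    for a in anchors:
        if a.not_after < now:
            findings["expired"].append(a.alias)
        elif a.not_after < horizon:
            findings["expiring"].append(a.alias)
        if a.key_algo == "RSA" and a.key_bits is not None and a.key_bits < MIN_RSA_BITS:
            findings["weak_key"].append(a.alias)
    return findings


def delete_commands(aliases: List[str], keystore: str, storepass: str = "changeit") -> List[str]:
    """Emit the same keytool -delete invocation the issue proposes, one per alias, deduplicated."""
    return [f"keytool -delete -alias {shlex.quote(a)} -keystore {shlex.quote(keystore)} "
            f"-storepass {shlex.quote(storepass)}" for a in sorted(set(aliases))]


if __name__ == "__main__":
    found = parse_keytool_listing(SAMPLE_KEYTOOL_OUTPUT)
    report = audit(found, now=datetime(2022, 3, 1))  # reference date chosen for the demo
    for category, names in report.items():
        print(f"{category}: {', '.join(names) or '-'}")
    for cmd in delete_commands(report["expired"] + report["weak_key"],
                               "micro/MICRO-INF/domain/cacerts.jks"):
        print(cmd)
```

Run against a real listing, the "expiring" bucket is what catches the cases the first post anticipates (anchors that are still valid at release but expire a few months later), and the "weak_key" bucket covers the 1024-bit entries NobleDan raised even when they have not yet expired. Review the generated `keytool -delete` lines before running them: removing a trust anchor an application still relies on is a silent outage, not a warning.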

shub8968 commented 2 years ago

Hi @pzygielo,

I have created an internal JIRA FISH-6107 in order to fix this anomalous behavior.

Thanks, Shubham

pzygielo commented 2 years ago

I don't know what the status of FISH-6107 is, or whether this was automated or is handled manually, but payara-micro/5.2022.3 seems to be fine wrt this issue.

Feel free to close this one. Thanks.