Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-5447

Avoid false negatives for database protection over BLOB columns

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: EJBCA 6.6.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Issue discovered during:
      Another issue

      Description

      There are still several Blob-type columns in use:

      CertificateProfileData.data
      HardTokenData.data
      HardTokenIssuerData.data
      AdminPreferencesData.data
      EndEntityProfileData.data
      GlobalConfigurationData.data (already fixed in ECA-5440)

      When creating the protect String we rely on the deserialized object to have the same string representation as it had when the object was stored.
      This makes it fragile if ordering or .toString of a referenced object changes with Java version or JVM instance.

      Tasks:

      • Extract get/setObjectUnsafe from GlobalConfigurationData to helper class
      • Apply for all the objects listed above and modify the protection string of each object (updating the version as well)

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              johan Johan Eklund
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated: