Websocket based (NO APPLET) Smart Card Digital Signature Framework

License: GNU Affero General Public License v3.0

Java 100.00%

websocket smartcard digital-signature signature smart-card no-applet pades cades pkcs11 jna

websocket-smart-card-signer's Introduction

Websocket-Smart-Card-Signer

Websocket based (NO APPLET) Smart Card Digital Signature Application

Websocket-Smart-Card-Signer give the possibility to sign a document with a Smartcard, directly from the browser. The application work as a Websocket server and is provided with a javascript client library that manage the communications. The application support the signature of online and local PDF documents in PAdES standard as well as the signature of any other kind of file in P7M using the CAdES standard. This application depend on the projects Java Native Interface for PKCS#11 and IAIK PKCS#11 Wrapper. More details on the features in the following.

Features

Websocket based. Did not use the deprecated APPLET technology
PKCS#11 Access directly through JNA or using IAIK
Multi-OS and Multi-Smartcard Support
- The following PKCS11 libraries are automatically identified in the system: "incryptoki2.dll", "bit4ipki.dll", "bit4opki.dll", "bit4xpki.dll", "OCSCryptoki.dll", "asepkcs.dll", "SI_PKCS11.dll", "cmP11.dll", "cmP11_M4.dll", "IpmPki32.dll", "IPMpkiLC.dll", "IpmPkiLU.dll", "bit4cpki.dll", "bit4p11.dll", "asepkcs.dll", "PKCS11.dll", "eTPKCS11.dll", "SSC_PKCS11.dll", "inp11lib.dll", "opensc-pkcs11.dll", "libbit4opki.so", "libbit4spki.so", "libbit4p11.so", "libbit4ipki.so", "opensc-pkcs11.so", "libeTPkcs11.so", "libopensc.dylib", "libbit4xpki.dylib", "libbit4ipki.dylib", "libbit4opki.dylib", "libASEP11.dylib", "libeTPkcs11.dylib"
- Possibility to define custom PKCS11 libraries in case your Smartcard's PKCS11 is not listed above
Access to all the Smartcard available certificates
Recognition of multiple connected Smartcard
Multi-Document signature
P7M Signature in CAdES Standard format
PDF Signature in PAdES Standard format
Possibility configure the signature visibility and position in the PDF
Avoid previous signature nesting
Possibility to allow the signature only for specific user IDs
Possibility to use a NTP service to automatically set the signature timestamp
Validation of the generated signature
Automatic diagnosis of Smartcard problems
Possibility to be used as standalone document signature application using the try icon menu functions

Live DEMO

Have a look at the DEMO.

NOTE: The Jar is self-signed so in order to use the demo in JNLP mode you must add a security exception in the java control panel for the site "https://damianofalcioni.github.io/"

Support Me <3

websocket-smart-card-signer's People

Contributors

Stargazers

Watchers

websocket-smart-card-signer's Issues

CVE-2016-1000344 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000344 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.

Publish Date: 2018-06-04

URL: CVE-2016-1000344

CVSS 3 Score Details (7.4)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000344

Release Date: 2018-06-04

Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.56,org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56

Step up your Open Source Security Game with WhiteSource here

Action Required: Fix Mend Configuration File - .whitesource

There is an error with this repository's Mend configuration file that needs to be fixed. As a precaution, scans will stop until it is resolved.

Errors:

Failed to parse configuration file: damianofalcioni/Websocket-Smart-Card-Signer/.whitesource: Expected a com.google.gson.JsonObject but was com.google.gson.JsonPrimitive

Create test environment

Hi i installed your solution.
Works well .

I try to compile your java using netbean ?
Which version or which IDe i have to use compile JNA and Iaik

http://www.java2s.com/Code/JarDownload/iaik/iaik.jar.zip

CVE-2016-1000341 (Medium) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000341 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.

Publish Date: 2018-06-04

URL: CVE-2016-1000341

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341

Release Date: 2018-06-04

Step up your Open Source Security Game with WhiteSource here

Signing Document in a browser

In the Jnlp_test page,it send only the hello world word right?
Can we sign pdf document in the browser and upload somewhere in another folder?
and how do you call the function to select file and sign in the webpage?
Thank You

CVE-2020-26939 (Medium) detected in bcprov-jdk15on-1.55.jar

CVE-2020-26939 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

Publish Date: 2020-11-02

URL: CVE-2020-26939

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/bcgit/bc-java/wiki/CVE-2020-26939

Release Date: 2020-10-11

Fix Resolution: org.bouncycastle:bcprov-jdk14:1.61,org.bouncycastle:bcprov-ext-debug-jdk15on:1.61,org.bouncycastle:bcprov-debug-jdk15on:1.61,org.bouncycastle:bcprov-ext-jdk15on:1.61,org.bouncycastle:bcprov-jdk15on:1.61

Step up your Open Source Security Game with WhiteSource here

CVE-2016-1000340 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000340 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.

Publish Date: 2018-06-04

URL: CVE-2016-1000340

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000340

Release Date: 2018-06-04

Step up your Open Source Security Game with WhiteSource here

Error while signing with the custom token WatchdataProxkey

Connection to C:\windows\System32\SignatureP11.dll
log4j:WARN No appenders could be found for logger (org.pkcs11.jacknji11.C).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
java.lang.Exception: Can not download CRL from: https://www.ncodesolutions.com/repository/ncodeca14.crl
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target...
Connection to C:\windows\System32\SignatureP11.dll
java.lang.Exception: Impossible to perform a valid signature with the following certificate and libraries
Certificate: 'CN=xxx, SERIALNUMBER=xxx, ST=xxx, OID.2.5.4.17=xxx, OU="xxx,CID - xxx", OID.2.5.4.20=xxx, O=xxx, C=xxx'

Cannot download CRL path

Sir can you please check my edited files from the link below...I cannot perform any signature :(

https://drive.google.com/open?id=11933odcacOJtmuXilMyCuBpVNFYw6F27

App hangs with new version of bit4ipki.dll

Hi the client hangs when using a new version of bit4ipki.dll.

The logs show this:

Connection to C:\WINDOWS\System32\bit4ipki.dll.

Can't get the certficate list from card.

Any help?

CVE-2016-1000352 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000352 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.

Publish Date: 2018-06-04

URL: CVE-2016-1000352

CVSS 3 Score Details (7.4)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000352

Release Date: 2018-06-04

Step up your Open Source Security Game with WhiteSource here

CVE-2016-1000338 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000338 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Publish Date: 2018-06-01

URL: CVE-2016-1000338

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338

Release Date: 2018-06-01

Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.55,org.bouncycastle:bcprov-debug-jdk14:1.55,org.bouncycastle:bcprov-ext-jdk14:1.55,org.bouncycastle:bcprov-ext-jdk15on:1.55,org.bouncycastle:bcprov-jdk14:1.55,org.bouncycastle:bcprov-jdk15on:1.55,org.bouncycastle:bcprov-ext-debug-jdk15on:1.55

Step up your Open Source Security Game with WhiteSource here

Invalid Signature (internal cryptographic library 0x2726) when viewed the sign pdf

This warning give me while signing pdf documents
ATTENTION: The pdf has been modified after at least a signature!
Please help me Sir

non compila

Ciao Damiano, maven install non và, a causa di questa dipendenza https://mvnrepository.com/artifact/iaik.pkcs/pkcs11-wrapper che punta ad un repository http://nexus.emergya.es/nexus/content/repositories/public/ offline, come possiamo risolvere?

Grazie

CVE-2017-9096 (High) detected in itextpdf-5.5.10.jar

CVE-2017-9096 - High Severity Vulnerability

Vulnerable Library - itextpdf-5.5.10.jar

A Free Java-PDF library

Library home page: http://itextpdf.com

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/itextpdf-5.5.10.jar

Dependency Hierarchy:

❌ itextpdf-5.5.10.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

Publish Date: 2017-11-08

URL: CVE-2017-9096

CVSS 3 Score Details (8.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9096

Release Date: 2017-11-08

Fix Resolution: 5.5.12,7.0.3

Step up your Open Source Security Game with WhiteSource here

CVE-2016-1000343 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000343 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.

Publish Date: 2018-06-04

URL: CVE-2016-1000343

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000343

Release Date: 2018-06-04

Fix Resolution: org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56

Step up your Open Source Security Game with WhiteSource here

Cannot Sign Using WatchdataProxy Token "SignatureP11.dll"

The following error occured
java.lang.Exception: Can not download the CRL from: https://www.ncodesolutions.com/repository/ncodeca14.crl
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Have tried diable the firewall still the same and It can access the url directly from the browser..Please Help :)

images

CVE-2016-1000345 (Medium) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000345 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.

Publish Date: 2018-06-04

URL: CVE-2016-1000345

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345

Release Date: 2018-06-04

Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.56,org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56

Step up your Open Source Security Game with WhiteSource here

Detection issue with safenet ikey 2032

Application has issues in detecting safenet ikey 2032 in windows10 64 bit pc.

CVE-2016-1000342 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000342 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Publish Date: 2018-06-04

URL: CVE-2016-1000342

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342

Release Date: 2018-06-04

Fix Resolution: 1.56

Step up your Open Source Security Game with WhiteSource here

CVE-2019-17359 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2019-17359 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

Publish Date: 2019-10-08

URL: CVE-2019-17359

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359

Release Date: 2019-10-08

Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.64

Step up your Open Source Security Game with WhiteSource here

Add all singed document every accces from websocket

Hi from websocket call i only send one base64 but After each call websocket it returns all files send add by add before.....

I checked in WebSocketService.java when i call from client i send only one base64 data ...
'''
for(int i=0; i<dataToSignArray.size();i++){
SignUI.showErrorMessage("New ONLY ONE comes from web socket");
'''

Also in SingFactory.jav loop above pass one value correctly
'''
public static List performSign(List dataToSignList, String[] dllList) throws Exception{
SignUI.showErrorMessage("New ONLY ONE comes to performSing ");
''

But after performSing in this loop in WebSocketService.java add this file to all files singed before.
''
for(Data dataSigned : dataSignedList){
SignUI.showErrorMessage("ADD FILE ALL FILES SINGED BEFORE");
''
Best regards.

Also for Maven method thanks a lot . Buy the way each time before compile i do Clear Project and Build again works correctly for me. When i build before Clean it miss JDK or JRE gives an error ...

CVE-2016-1000339 (Medium) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000339 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.

Publish Date: 2018-06-04

URL: CVE-2016-1000339

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000339

Release Date: 2018-06-04

Step up your Open Source Security Game with WhiteSource here

Action Required: Fix WhiteSource Configuration File - .whitesource - autoclosed

There is an error with this repository's WhiteSource configuration file that needs to be fixed. As a precaution, scans will stop until it is resolved.

Errors:

Failed to parse configuration file: damianofalcioni/Websocket-Smart-Card-Signer/.whitesource: Expected BEGIN_OBJECT but was STRING at line 7 column 1 path $

CVE-2018-1000180 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2018-1000180 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Publish Date: 2018-06-05

URL: CVE-2018-1000180

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180

Release Date: 2018-06-05

Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.60,org.bouncycastle:bcprov-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk15on:1.60

Step up your Open Source Security Game with WhiteSource here

CVE-2016-1000346 (Low) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000346 - Low Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.

Publish Date: 2018-06-04

URL: CVE-2016-1000346

CVSS 3 Score Details (3.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346

Release Date: 2018-06-04

Step up your Open Source Security Game with WhiteSource here

CKR Exception while connecting smart cards

While connecting smart card, the application throws CKR Exception. The Error was at line number 55 of SmartCardAccessJnaImpl.java

long[] mechLst = CE.GetMechanismList(slot);

CKR exception from jacknji11 library.

How to use it for signing pdf in React application

I want to sign a pdf in the React application. Kindly help with the sample code

This is a test issue from WhiteSource, it will be closed shortly

CVE-2018-1000613 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2018-1000613 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: Websocket-Smart-Card-Signer/pom.xml

Path to vulnerable library: 20210223130700_TYMBKW/downloadResource_MYVJAY/20210223130710/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 52e62821fe1c04f561516a02e367c9391f940eef

Found in base branch: master

Vulnerability Details

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

Publish Date: 2018-07-09

URL: CVE-2018-1000613

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613

Release Date: 2018-07-09

Fix Resolution: org.bouncycastle:bcprov-ext-debug-jdk15on:1.60,org.bouncycastle:bcprov-debug-jdk15on:1.60,org.bouncycastle:bcprov-debug-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk15on:1.60,org.bouncycastle:bcprov-jdk14:1.60,org.bouncycastle:bcprov-jdk15on:1.60

Step up your Open Source Security Game with WhiteSource here

damianofalcioni / websocket-smart-card-signer Goto Github PK

websocket-smart-card-signer's Introduction

Websocket-Smart-Card-Signer

Websocket based (NO APPLET) Smart Card Digital Signature Application

Features

Live DEMO

Support Me <3

websocket-smart-card-signer's People

Contributors

Stargazers

Watchers

Forkers

websocket-smart-card-signer's Issues

CVE-2016-1000344 - High Severity Vulnerability

CVE-2016-1000341 - Medium Severity Vulnerability

CVE-2020-26939 - Medium Severity Vulnerability

CVE-2016-1000340 - High Severity Vulnerability

CVE-2016-1000352 - High Severity Vulnerability

CVE-2016-1000338 - High Severity Vulnerability

CVE-2017-9096 - High Severity Vulnerability

CVE-2016-1000343 - High Severity Vulnerability

CVE-2016-1000345 - Medium Severity Vulnerability

CVE-2016-1000342 - High Severity Vulnerability

CVE-2019-17359 - High Severity Vulnerability

CVE-2016-1000339 - Medium Severity Vulnerability

CVE-2018-1000180 - High Severity Vulnerability

CVE-2016-1000346 - Low Severity Vulnerability

CVE-2018-1000613 - High Severity Vulnerability

Recommend Projects

Recommend Topics

Recommend Org