Skip to Main Content
Spotfire Ideas Portal
Status Unlikely to implement
Product Spotfire
Categories Mods
Created by Guest
Created on Mar 23, 2022

mod's certificate is still considered valid after code signing certificate is revoked until Analyst/Web Player server is restarted

Mod's certificate is still considered valid after code signing certificate is revoked until Analyst/Web Player server is restarted.




Step to reproduce



(1) use spotfire account to develop and sign a mod, save it to library, create visualization from it and save the dxp.



(2) login with another account and trust the mod



(3) revoke spotfire account's code signing certificate used in step (1)



(4) the mod's signature is still considered valid after code signing certificate is revoked until Analyst/Web Player server is restarted.


I think it is reasonable that mod's signature should be considered invalid as soon as the certificate is revoked.


Also, If customer doesn't know about the necessity of service restart and keeps it running for a long period, the the revocation doesn't actually take any effect, this is a huge security vulnerability.


The product documentation doesn't mention this behavior at all.


  • Attach files
  • Guest
    Reply
    |
    Jun 15, 2022

    Hi Magnus ,


    Thanks.

    That makes sense.

    Please close this.


  • Admin
    Magnus Rylander
    Reply
    |
    Jun 10, 2022

    The reason for this behavior is that the revocation status is cached in the web player service. The cache entries expires so the certificate revocation will take effect eventually.

    The expiration time is determined by the OCSP response from the certificate authority (CA) according to the standard. The Spotfire server is the CA for certificates that are issued to Spotfire user. It is possible to control the cache expiration time in the Spotfire server using the setting "security.ca.ocsp.response-valid-for-seconds". It is currently not possible to override the expiration time given by a third-part CA.

    Finally, note that an existing analysis session is not affected by a certificate revocation. This is "as designed" and is consistent with other applications that relies on certificate verification.

  • Guest
    Reply
    |
    Mar 23, 2022

    This was first filed as support case 02093518 but determined as an ER.