[ 
https://issues.apache.org/jira/browse/LOG4J2-3508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17539063#comment-17539063
 ] 

Matt Sicker commented on LOG4J2-3508:
-------------------------------------

My preference here would be to see what you develop standalone. As much as I 
love working with cryptographic primitives and building new protocols, that 
isn't exactly my area of expertise (i.e., I'm not qualified to build anything 
with older cryptographic primitives like RSA), so if we were to ever adopt this 
into the core project, I'd really only be comfortable doing so with some sort 
of accompanying cryptographic analysis. It's fairly straightforward to 
implement signing given a certificate or key pair, but the hard part here would 
be designing how this works with PKI or how to properly configure log signing 
to preserve integrity and non-repudiation (something that signatures would give 
us that, say, checksums and MACs don't).

If you're looking for somewhere to start on that aspect, I recommend checking 
out [https://github.com/google/tink] for a library that starts with the key 
management concern first rather than last.

In summary, though, I don't think we should add this directly to the core until 
there's more interest in doing so along with additional security review since 
none of us are professional cryptographers.

> Add a signature appender to the log4j2 core
> -------------------------------------------
>
>                 Key: LOG4J2-3508
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3508
>             Project: Log4j 2
>          Issue Type: New Feature
>          Components: Appenders
>            Reporter: Simon Huang
>            Priority: Minor
>
> h2. Goal
> Merge our implementation of a Signature appender into the log4j2 core.
> h2. What is a signature appender?
> Hello log4j2 contributors,
> I am a working student at Siemens and my superiors were looking for a way to 
> add a signature to their logs. The solution that we came up with is an outer 
> appender that works similar to the failover appender, i.e. it adds a 
> signature and delegates the appending to another appender.
> You can see our solution at 
> [github|https://github.com/simon-hng-smns/log4j2_signature_appender/tree/main]
>  as well as an [example 
> implementation|https://github.com/simon-hng-smns/log4j2_signature_appender/tree/example-implementation].
> We would appreciate any and all feedback, and hope you can guide us to 
> necessary changes, in order to incorporate our appender.
> h2. How does it work?
> The SignatureAppender takes in an inner appender, which can now use the 
> {{%sign}} PatternConverter.
> {code:xml}
>     <Appenders>
>         <SignatureAppender name="signatureAppender"
>                            signatureAlgorithm="SHA256withRSA"
>                            pathToKeyStore="signatureKeyStore.p12"
>                            keyStorePassword="password"
>         >
>             <Console name="console">
>                 <PatternLayout pattern="[%sign] %m%n"/>
>             </Console>
>         </SignatureAppender>
>     </Appenders>
> {code}
> h3. Creating the signature
> The signature is created using the internal java class {{Signature}}, which 
> gets a formatted message and the last signature and signs like this 
> {code:java}
> // signature is an initialized java.security.Signature instance
> signature.update((message + lastSignature).getBytes(StandardCharsets.UTF_8));
> {code}
> h3. In general the steps are the following:
>  # SignatureAppender gets a LogEvent and creates the formatted message.
>  # Using this formatted message and the lastSignature, a signature is created 
> which we use to create a LogEvent with the signature as a property
>  # This new LogEvent is then sent to the inner appender, where it is used by 
> the SignaturePatternConverter
>  
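The chained scheme described in the quoted steps, as an added example that is not code from the LOG4J2-3508 appender or from Log4j itself: each entry is signed with SHA256withRSA over message + lastSignature, and a verifier then walks the chain to report the first entry that no longer verifies. It assumes the previous signature is chained as its Base64 text, that the first entry chains to an empty string, and that Java 16+ is available for the record; the key pair and log lines are constructed for the run rather than loaded from a keystore.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Added example, not the LOG4J2-3508 appender's code: chained log signing and verification.
public class ChainedLogSigning {
    record Entry(String message, byte[] signature) {}
    static List<Entry> signAll(PrivateKey key, List<String> messages) throws GeneralSecurityException {
        List<Entry> out = new ArrayList<>();
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        String lastSignature = "";   // assumption: the first entry chains to an empty string
        for (String m : messages) {
            // The chain link: the signature also covers the previous signature's Base64 text
            s.update((m + lastSignature).getBytes(StandardCharsets.UTF_8));
            byte[] sig = s.sign();   // sign() resets s for the next entry
            out.add(new Entry(m, sig));
            lastSignature = Base64.getEncoder().encodeToString(sig);
        }
        return out;
    }
    // Index of the first entry whose signature fails against the chain, or -1 if all verify.
    static int firstBadEntry(PublicKey key, List<Entry> log) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(key);
        String lastSignature = "";
        for (int i = 0; i < log.size(); i++) {
            Entry e = log.get(i);
            v.update((e.message() + lastSignature).getBytes(StandardCharsets.UTF_8));
            if (!v.verify(e.signature())) return i;   // verify() also resets v
            lastSignature = Base64.getEncoder().encodeToString(e.signature());
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // constructed throwaway key pair, not a keystore
        List<Entry> signed = signAll(kp.getPrivate(), List.of("user alice logged in", "order 42 shipped", "user alice logged out"));
        System.out.println("intact log: " + firstBadEntry(kp.getPublic(), signed));
        List<Entry> modified = new ArrayList<>(signed);   // edit one entry: its own signature fails
        modified.set(1, new Entry("order 42 cancelled", signed.get(1).signature()));
        System.out.println("modified entry: " + firstBadEntry(kp.getPublic(), modified));
        List<Entry> deleted = new ArrayList<>(signed);    // drop one entry: the next chain link fails
        deleted.remove(1);
        System.out.println("deleted entry: " + firstBadEntry(kp.getPublic(), deleted));
    }
}
```

A modified or removed entry is reported at the first index where the chain breaks; entries cut from the end of the log are not detectable by the chain alone unless the latest signature is also recorded outside the log.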



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
