]
Martin Choma commented on ELY-1443:
-----------------------------------
You are right, this issue is just about case when user provided password is empty
"". Null is handled properly.
Do you think it is possible to add some TRACE logging into ScramDigestPasswordImpl for
troubleshooting purposes? To see what is going on and which part suceeded, but don't
leak any sensitive information on the other hand.
Jdbc-realm with scram mapper and empty password
-----------------------------------------------
Key: ELY-1443
URL:
https://issues.jboss.org/browse/ELY-1443
Project: WildFly Elytron
Issue Type: Bug
Components: Passwords
Affects Versions: 1.2.0.Beta9
Reporter: Martin Choma
Assignee: David Lloyd
This is follow up on ELY-1435, but in this case trying scram hash.
Salt: c2FsdA==
Password: YywoEuRtRgQQK6dhjp1tfS+BKPYma0oDJk0qBGC33LM=
Salt: 1000
I get these values by
{code:java|name=ScramDigestPasswordTest.java}
digest = ScramDigestPasswordImpl.scramDigest(ALGORITHM_SCRAM_SHA_256,
"password".getBytes(StandardCharsets.UTF_8),
"salt".getBytes(StandardCharsets.UTF_8), 1000);
assertEquals("632c2812e46d4604102ba7618e9d6d7d2f8128f6266b4a03264d2a0460b7dcb3",
ByteIterator.ofBytes(digest).hexEncode().drainToString());
spec = new IteratedSaltedHashPasswordSpec(digest,
"salt".getBytes(StandardCharsets.UTF_8), 1000);
impl = new ScramDigestPasswordImpl(ALGORITHM_SCRAM_SHA_256, spec);
assertTrue(impl.verify("password".toCharArray()));
assertFalse(impl.verify("bad".toCharArray()));
Encoder encoder = Base64.getEncoder();
String elytronSalt = encoder.encodeToString( impl.getSalt() );
String elytronHash = encoder.encodeToString( impl.getDigest() );
int itertationCount = impl.getIterationCount();
{code}
When user provides empty password, there is error.
{noformat}
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Handling NameCallback:
authenticationName = correctUser
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Principal assigning:
[correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm
rewritten: [correctUser], realm rewritten: [correctUser]
17:05:40,727 TRACE [org.wildfly.security] (default task-3) Executing principalQuery
SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,813 TRACE [org.wildfly.security] (default task-3) Executing principalQuery
SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id =
users_roles.userid AND roles.id = users_roles.roleid with value correctUser
17:05:40,817 TRACE [org.wildfly.security] (default task-3) Executing principalQuery
SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,865 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling
request to /elytron-app/protected/printRoles: java.lang.IllegalArgumentException: Empty
key
at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:96)
at
org.wildfly.security.password.impl.ScramDigestPasswordImpl.getMacInstance(ScramDigestPasswordImpl.java:281)
at
org.wildfly.security.password.impl.ScramDigestPasswordImpl.scramDigest(ScramDigestPasswordImpl.java:240)
at
org.wildfly.security.password.impl.ScramDigestPasswordImpl.verify(ScramDigestPasswordImpl.java:195)
at
org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineVerify(PasswordFactorySpiImpl.java:755)
at org.wildfly.security.password.PasswordFactory.verify(PasswordFactory.java:209)
at
org.wildfly.security.credential.PasswordCredential.verify(PasswordCredential.java:116)
at org.wildfly.security.credential.Credential.verify(Credential.java:79)
at
org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm$JdbcRealmIdentity.verifyEvidence(JdbcSecurityRealm.java:199)
at
org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
at
org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
at
org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
at
org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
at
org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1052)
at
org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
at
org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
at
org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:76)
at
org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
at
org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
at
org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
at
org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
at
org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
at
org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at
io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
{noformat}