[jboss-jira] [JBoss JIRA] Issue Comment Edited: (SECURITY-344) Error decrypting datasource password with SecureIdentityLoginModule
Christian Schlüter (JIRA)
jira-events at lists.jboss.org
Fri Feb 4 02:31:39 EST 2011
[ https://issues.jboss.org/browse/SECURITY-344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12580089#comment-12580089 ]
Christian Schlüter edited comment on SECURITY-344 at 2/4/11 2:30 AM:
---------------------------------------------------------------------
Hi,
the provided patch does not fix the bug correctly.
Two examples:
passwort "dv" cannot be decrypted (javax.crypto.BadPaddingException: Given final block not properly padded)
even worse:
"aan2o1Y%" is encrypted an decrypted to "0?_»Í�m5".
The problem is that negative BigIntegers need no leading zeroes but leading -1.
Solution:
add the following if-statement in decode-method:
for (int i = old.length - 1; i >= 0; i--)
{
encoding[i + pad] = old[i];
}
if (n.signum() == -1)
{
for (int i = 0; i < newLength - length; i++)
{
encoding[i] = (byte) -1;
}
}
was (Author: christian_schlueter):
Hi,
the provided patch does not fix the bug correctly
> Error decrypting datasource password with SecureIdentityLoginModule
> -------------------------------------------------------------------
>
> Key: SECURITY-344
> URL: https://issues.jboss.org/browse/SECURITY-344
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: JBossSX
> Affects Versions: JBossSecurity_2.0.2.SP3
> Reporter: Marcus Moyses
> Assignee: Marcus Moyses
> Fix For: JBossSecurity_2.0.2.SP4
>
>
> During password decryption using SecureIdentityLoginModule there could be an error due to missing leading zeros for certain passwords.
> This error might appear in the log:
> [SecureIdentityLoginModule] Failed to decode password
> javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
> at com.sun.crypto.provider.SunJCE_h.b(DashoA12275)
> at com.sun.crypto.provider.SunJCE_h.b(DashoA12275)
> at com.sun.crypto.provider.BlowfishCipher.engineDoFinal(DashoA12275)
> at javax.crypto.Cipher.doFinal(DashoA12275)
> at org.jboss.resource.security.SecureIdentityLoginModule.decode(SecureIdentityLoginModule.java:173)
> at org.jboss.resource.security.SecureIdentityLoginModule.commit(SecureIdentityLoginModule.java:114)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list