[jboss-jira] [JBoss JIRA] (JBAS-8162) Failed to encode/decode password with name "pinaki" using SecureIdentityLoginModule

Denis . (JIRA) jira-events at lists.jboss.org
Thu Mar 28 17:47:43 EDT 2013


    [ https://issues.jboss.org/browse/JBAS-8162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12763904#comment-12763904 ] 

Denis . commented on JBAS-8162:
-------------------------------

We ran into this issue earlier this week. It's a bug in SecureIdentityLoginModule. The problem is that using BigInteger to convert to and from raw bytes causes the most significant zeros to be dropped. They are not important mathematically (e.g. 023 is the same as 23) but they are important cryptographically. In the end, it means that exactly 1 of every 256 passwords will not work with JBoss.
I applied the patch below to our systems (the "encoding.length & 7" if statement is new). It doesn't fully address the problem as there's still a 1 in 2^32 chance that a password will not work, but the change is fully backward compatible with the original code.

{noformat}
   // Requires java.math.BigInteger, javax.crypto.Cipher, javax.crypto.spec.SecretKeySpec
   // and the javax.crypto exceptions from the enclosing class's imports.
   private static char[] decode(String secret)
      throws NoSuchPaddingException, NoSuchAlgorithmException,
      InvalidKeyException, BadPaddingException, IllegalBlockSizeException
   {
      byte[] kbytes = "jaas is the way".getBytes();
      SecretKeySpec key = new SecretKeySpec(kbytes, "Blowfish");

      BigInteger n = new BigInteger(secret, 16);
      // toByteArray() returns the shortest two's-complement form, so any leading
      // 0x00 (positive n) or 0xFF (negative n) ciphertext bytes are missing here.
      byte[] encoding = n.toByteArray();

      // reinstate any dropped bytes: Blowfish ciphertext is a multiple of 8 bytes,
      // and every byte toByteArray() removed is equal to the sign byte of n
      if ((encoding.length & 7) != 0) {
          final int newLength = ((encoding.length >> 3) + 1) << 3;
          final int dropped = newLength - encoding.length;
          final byte signByte = (n.signum() < 0) ? (byte) 0xFF : (byte) 0x00;
          byte[] fixedEncoding = new byte[newLength];
          // fill all dropped positions, not only the first one, so that several
          // dropped 0xFF bytes (e.g. ciphertext starting 0xFF 0xFF 0x80) are restored too
          java.util.Arrays.fill(fixedEncoding, 0, dropped, signByte);
          System.arraycopy(encoding, 0, fixedEncoding, dropped, encoding.length);
          encoding = fixedEncoding;
      }

      Cipher cipher = Cipher.getInstance("Blowfish");
      cipher.init(Cipher.DECRYPT_MODE, key);
      byte[] decode = cipher.doFinal(encoding);
      return new String(decode).toCharArray();
   }
{noformat}

                
> Failed to encode/decode password with name "pinaki" using SecureIdentityLoginModule
> -----------------------------------------------------------------------------------
>
>                 Key: JBAS-8162
>                 URL: https://issues.jboss.org/browse/JBAS-8162
>             Project: Application Server 3  4  5 and 6
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: JCA service
>    Affects Versions: JBossAS-4.2.3.GA
>         Environment: Any Operating system
>            Reporter: Ravi Sankar
>            Assignee: Jesper Pedersen
>             Fix For: No Release
>
>   Original Estimate: 3 days
>  Remaining Estimate: 3 days
>
> When trying to encode/decode a password with characters "pinaki" using "SecureIdentityLoginModule" from JBOSS-JCA.JAR, I am getting the following exception.
> One of our customers is using this as a password. I am not getting this exception for any other passwords except "pinaki".
> Password after encryption: "-4fb8f7c76b11ab"
> Exception in thread "main" javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
> 	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> 	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> 	at com.sun.crypto.provider.BlowfishCipher.engineDoFinal(DashoA13*..)
> 	at javax.crypto.Cipher.doFinal(DashoA13*..)
> 	at SecureIdentityLoginModule.decode(SecureIdentityLoginModule.java:39)
> 	at SecureIdentityLoginModule.main(SecureIdentityLoginModule.java:48)
> Please help me to get this issue resolved. Customer is behind me.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
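As an added example (not code from the bug report, from the patch in the comment above, or from the JBoss project), the following Java class reproduces the round trip the comment describes: it encrypts with the module's hard-coded key, renders the ciphertext as a hex number the way the module does (assumed here to be new BigInteger(ciphertext).toString(16), which the reporter's "-4fb8f7c76b11ab" output is consistent with), and then compares a decoder that trusts BigInteger.toByteArray() with one that sign-extends the result back to a whole number of Blowfish blocks. The class name, the use of UTF-8 for the password bytes and the generated "userN" sample passwords are assumptions made for this demo.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * Demonstrates why a hex-via-BigInteger encoding of Blowfish ciphertext loses
 * leading bytes, and a decoder that restores them.
 * Assumptions (not taken from the bug report): encode() mirrors the module's
 * "new BigInteger(ciphertext).toString(16)", and UTF-8 is used for the password
 * bytes so the demo does not depend on the platform default charset.
 */
public class SecureIdentityRoundTrip {

    // Hard-coded key quoted in the patch on this page.
    private static final byte[] KEY_BYTES = "jaas is the way".getBytes(StandardCharsets.UTF_8);
    private static final int BLOCK_SIZE = 8; // Blowfish block size in bytes

    private static Cipher blowfish(int mode) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("Blowfish"); // ECB/PKCS5Padding by default
        cipher.init(mode, new SecretKeySpec(KEY_BYTES, "Blowfish"));
        return cipher;
    }

    /** Encrypts, then renders the ciphertext as a signed hex number (assumed module behaviour). */
    static String encode(String password) throws GeneralSecurityException {
        byte[] ciphertext = blowfish(Cipher.ENCRYPT_MODE)
                .doFinal(password.getBytes(StandardCharsets.UTF_8));
        return new BigInteger(ciphertext).toString(16);
    }

    /** Hex -> BigInteger -> toByteArray(): silently drops leading 0x00/0xFF bytes. */
    static byte[] hexToBytesNaive(String secret) {
        return new BigInteger(secret, 16).toByteArray();
    }

    /**
     * toByteArray() returns the shortest two's-complement encoding, so every byte it
     * removed is equal to the sign byte: 0x00 for a positive value, 0xFF for a negative
     * one. Blowfish ciphertext is always a multiple of 8 bytes, so pad back up to the
     * next multiple of 8 with that sign byte. All dropped positions are filled, which
     * also covers ciphertext such as 0xFF 0xFF 0x80 ... where more than one byte went.
     */
    static byte[] hexToBytesFixed(String secret) {
        BigInteger n = new BigInteger(secret, 16);
        byte[] encoding = n.toByteArray();
        int missing = (BLOCK_SIZE - encoding.length % BLOCK_SIZE) % BLOCK_SIZE;
        if (missing == 0) {
            return encoding;
        }
        byte[] fixed = new byte[encoding.length + missing];
        Arrays.fill(fixed, 0, missing, n.signum() < 0 ? (byte) 0xFF : (byte) 0x00);
        System.arraycopy(encoding, 0, fixed, missing, encoding.length);
        return fixed;
    }

    static String decrypt(byte[] ciphertext) throws GeneralSecurityException {
        return new String(blowfish(Cipher.DECRYPT_MODE).doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    /** Round-trips a password through encode and one of the decoders; true when it survives. */
    static boolean roundTrips(String password, boolean useFixedDecoder) {
        try {
            String secret = encode(password);
            byte[] ct = useFixedDecoder ? hexToBytesFixed(secret) : hexToBytesNaive(secret);
            return password.equals(decrypt(ct));
        } catch (GeneralSecurityException e) {
            return false; // IllegalBlockSizeException / BadPaddingException count as failures
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // The reporter's password: per the report its hex form is negative and one byte short.
        String secret = encode("pinaki");
        System.out.println("pinaki -> " + secret
                + ": naive decoder gets " + hexToBytesNaive(secret).length + " bytes,"
                + " fixed decoder gets " + hexToBytesFixed(secret).length + " bytes");

        // Constructed sample passwords; a leading 0x00 followed by a byte below 0x80,
        // or a leading 0xFF followed by a byte of 0x80 or above, each happen with
        // probability 1/512, so about 1 in 256 passwords should break the naive decoder.
        int total = 10000, naiveFailures = 0, fixedFailures = 0;
        for (int i = 0; i < total; i++) {
            String password = "user" + i;
            if (!roundTrips(password, false)) naiveFailures++;
            if (!roundTrips(password, true)) fixedFailures++;
        }
        System.out.printf("naive decoder failed %d of %d passwords%n", naiveFailures, total);
        System.out.printf("fixed decoder failed %d of %d passwords%n", fixedFailures, total);
    }
}
```

Run with any JDK that ships the SunJCE provider (javac SecureIdentityRoundTrip.java && java SecureIdentityRoundTrip). The naive decoder is expected to fail for roughly 1 in 256 of the generated passwords, the fixed one for none of them; the only remaining gap is a ciphertext whose first eight bytes are all 0x00 or all 0xFF followed by a byte of matching sign, since then a whole block is dropped and the length check cannot notice.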