[jboss-jira] [JBoss JIRA] (SECURITY-851) Base64Util class is stripping leading zeroes from encoded bytes

Josef Cacek (JIRA) issues at jboss.org
Thu Jul 31 09:44:31 EDT 2014


Josef Cacek created SECURITY-851:
------------------------------------

             Summary: Base64Util class is stripping leading zeroes from encoded bytes
                 Key: SECURITY-851
                 URL: https://issues.jboss.org/browse/SECURITY-851
             Project: PicketBox 
          Issue Type: Bug
      Security Level: Public (Everyone can see)
    Affects Versions: PicketBox_4_0_21.Beta2
            Reporter: Josef Cacek
            Assignee: Josef Cacek
            Priority: Blocker


Vault util is failing for some password/salt/iteration combinations because Base64Utils class strips zeroes from provided byte array.

So if a user encodes a key with length 8 and the leading byte of the key is zero, then after decoding he only gets 7 (or fewer) bytes.

For instance:
{code}
encode ( { 0, 81, 121, -37, 46, -64, 20, 114 } ) -> "1HUTikm1Ho"
decode ("1HUTikm1Ho") -> {  81, 121, -37, 46, -64, 20, 114  }
{code}

As a result the PBEUtil will fail with javax.crypto.IllegalBlockSizeException.

IMHO the same problem can occur in other places where the Base64Utils class is used (not only the Vault).



--
This message was sent by Atlassian JIRA
(v6.2.6#6264)
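Added illustration, not PicketBox code: a BigInteger-style encoder in Python reproduces the symptom from the ticket. The alphabet below is a constructed assumption, so its strings will not match "1HUTikm1Ho"; what it shows is the 8-byte key coming back as 7 bytes, standard length-preserving Base64 round-tripping the same key, and a length-aware decode as a mitigation when the caller knows the key size.

```python
import base64

# Constructed 64-symbol alphabet (assumption, not PicketBox's table).
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ._"

# The ticket's key, {0, 81, 121, -37, 46, -64, 20, 114}, as unsigned bytes.
KEY = bytes([0, 81, 121, 219, 46, 192, 20, 114])


def int_encode(data: bytes) -> str:
    """Treat the whole array as one big integer and emit base-64 digits.
    Leading 0x00 bytes do not change the integer, so the output carries
    no trace of them: this is the defect's root cause."""
    n = int.from_bytes(data, "big")
    if n == 0:
        return ALPHABET[0]
    digits = []
    while n:
        n, r = divmod(n, 64)
        digits.append(ALPHABET[r])
    return "".join(reversed(digits))


def int_decode(s: str) -> bytes:
    """Rebuild the integer and return the *smallest* byte array holding it;
    any leading zero bytes of the original input are lost here."""
    n = 0
    for ch in s:
        n = n * 64 + ALPHABET.index(ch)
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def int_decode_with_length(s: str, expected_len: int) -> bytes:
    """Mitigation for callers that know the key size: left-pad with zeros
    back to that size, and refuse values that are too long."""
    raw = int_decode(s)
    if len(raw) > expected_len:
        raise ValueError("decoded value longer than expected key")
    return raw.rjust(expected_len, b"\x00")


def round_trips(encode, decode, data: bytes) -> bool:
    """Generic check: does decode(encode(data)) give back exactly data?"""
    return decode(encode(data)) == data


def standard_base64_round_trips(data: bytes) -> bool:
    """Standard Base64 encodes byte groups, not an integer, so it keeps length."""
    return round_trips(base64.b64encode, base64.b64decode, data)
```

Running `round_trips(int_encode, int_decode, KEY)` returns False because the decoded array is KEY without its first byte, which is why a block cipher later rejects it; the length-aware decode restores the 8-byte key.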

