[jboss-jira] [JBoss JIRA] (SECURITY-851) Base64Utils class cuts leading zeroes from encoded bytes

RH Bugzilla Integration (JIRA) issues at jboss.org
Tue Sep 16 15:15:25 EDT 2014


    [ https://issues.jboss.org/browse/SECURITY-851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13003172#comment-13003172 ] 

RH Bugzilla Integration commented on SECURITY-851:
--------------------------------------------------

Paul Gier <pgier at redhat.com> changed the Status of [bug 1125004|https://bugzilla.redhat.com/show_bug.cgi?id=1125004] from MODIFIED to ON_QA

> Base64Utils class cuts leading zeroes from encoded bytes
> --------------------------------------------------------
>
>                 Key: SECURITY-851
>                 URL: https://issues.jboss.org/browse/SECURITY-851
>             Project: PicketBox 
>          Issue Type: Bug
>    Affects Versions: PicketBox_4_0_21.Beta2
>            Reporter: Josef Cacek
>            Assignee: Josef Cacek
>            Priority: Blocker
>             Fix For: PicketBox_4_0_21.Beta4
>
>
> Vault util is failing for some password/salt/iteration combinations because the Base64Utils class strips zeroes from the provided byte array.
> So if a user encodes a key with length 8 and the leading byte of the key is zero, then after decoding he only gets 7 (or fewer) bytes.
> For instance:
> {code}
> encode ( { 0, 81, 121, -37, 46, -64, 20, 114 } ) -> "1HUTikm1Ho"
> decode ("1HUTikm1Ho") -> {  81, 121, -37, 46, -64, 20, 114  }
> {code}
> As a result the PBEUtil will fail with javax.crypto.IllegalBlockSizeException.
> IMHO the same problem can occur in other places where the Base64Utils class is used (not only the Vault).



--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
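
The failure mode in the report, as an added Java example that is not PicketBox code: an encoder that treats the byte array as one unsigned integer cannot represent leading zero bytes, so the round trip shortens the key. The `ALPHABET` string and the `BigInteger` approach are assumptions, chosen so the encoder reproduces the report's sample string; `java.util.Base64` appears only as a standard length-preserving codec for comparison, not as the project's fix.

```java
import java.math.BigInteger;
import java.util.Arrays;
import java.util.Base64;

// Added illustration, not PicketBox source.
public class LeadingZeroRoundTrip {
    // Assumption: 64-character alphabet chosen to match the sample output in the report.
    static final String ALPHABET =
        "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./";

    // Encodes the bytes as base-64 digits of one unsigned number; the input length is never recorded.
    static String encodeLossy(byte[] data) {
        BigInteger n = new BigInteger(1, data);   // leading zero bytes vanish here
        StringBuilder sb = new StringBuilder();
        while (n.signum() > 0) {
            BigInteger[] qr = n.divideAndRemainder(BigInteger.valueOf(64));
            sb.append(ALPHABET.charAt(qr[1].intValue()));
            n = qr[0];
        }
        return sb.reverse().toString();
    }

    // Rebuilds the number and returns its minimal byte form; the original length cannot be recovered.
    static byte[] decodeLossy(String s) {
        BigInteger n = BigInteger.ZERO;
        for (char c : s.toCharArray()) {
            n = n.shiftLeft(6).add(BigInteger.valueOf(ALPHABET.indexOf(c)));
        }
        if (n.signum() == 0) return new byte[0];
        byte[] raw = n.toByteArray();             // may carry one extra sign byte
        return raw[0] == 0 ? Arrays.copyOfRange(raw, 1, raw.length) : raw;
    }

    public static void main(String[] args) {
        byte[] key = { 0, 81, 121, -37, 46, -64, 20, 114 };   // sample key from the report
        String lossy = encodeLossy(key);
        byte[] back = decodeLossy(lossy);
        System.out.println(lossy + " -> " + back.length + " bytes, round trip ok: "
            + Arrays.equals(key, back));
        String std = Base64.getEncoder().encodeToString(key);
        byte[] back2 = Base64.getDecoder().decode(std);
        System.out.println(std + " -> " + back2.length + " bytes, round trip ok: "
            + Arrays.equals(key, back2));
    }
}
```

A round-trip assertion of this kind, run over inputs that start with one or more zero bytes, is a regression check that catches the truncation before the decoded key reaches the cipher.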