[jboss-jira] [JBoss JIRA] (ELY-1289) Elytron - OTP seed attribute in ldap-realm is Base64 encoded

Josef Cacek (JIRA) issues at jboss.org
Fri Jul 14 09:08:01 EDT 2017


Josef Cacek created ELY-1289:
--------------------------------

             Summary: Elytron - OTP seed attribute in ldap-realm is Base64 encoded
                 Key: ELY-1289
                 URL: https://issues.jboss.org/browse/ELY-1289
             Project: WildFly Elytron
          Issue Type: Bug
            Reporter: Josef Cacek
            Assignee: Darran Lofthouse
            Priority: Critical


The {{ldap-realm.otp-credential-mapper.seed-from}} attribute in the Elytron subsystem refers to an LDAP attribute which stores an OTP seed. The LDAP attribute value currently has to be Base64 encoded, which seems to be wrong.

The problem is in the Elytron class {{org.wildfly.security.auth.realm.ldap.OtpCredentialLoader}} which handles the encoding/decoding.

The [OTP RFC 2289|https://tools.ietf.org/html/rfc2289] says
{noformat}
   The seed MUST consist of purely alphanumeric characters and MUST be
   of one to 16 characters in length. The seed is a string of characters
   that MUST not contain any blanks and SHOULD consist of strictly
   alphanumeric characters from the ISO-646 Invariant Code Set.  The
   seed MUST be case insensitive and MUST be internally converted to
   lower case before it is processed.
{noformat}

I.e., there is no need to Base64-encode the string bytes.

*Suggested fix*
Don't encode/decode the LDAP attribute value.
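The following is an added example, not code from Elytron or from this issue. It implements the RFC 2289 seed rules quoted above (1 to 16 alphanumeric characters, lower-cased before use) and the MD5 variant of the OTP computation, then contrasts reading a constructed LDAP attribute value as the plain seed the RFC describes with first Base64-decoding it: a plain seed such as {{TeSt}} Base64-decodes to non-alphanumeric bytes and is rejected, which is the behaviour this issue reports. The function names and the sample attribute value are assumptions made for the example; the expected OTP values come from the test vectors in RFC 2289 Appendix C.

```python
"""RFC 2289 OTP seed handling and MD5 one-time-password computation.

Added example for ELY-1289; not Elytron's OtpCredentialLoader.
"""
import base64
import binascii
import hashlib
import string

_ALNUM = set(string.ascii_letters + string.digits)


def normalize_seed(raw: str) -> str:
    """Apply the RFC 2289 seed rules: 1..16 characters, purely
    alphanumeric, no blanks, case-insensitive (converted to lower case)."""
    if not 1 <= len(raw) <= 16:
        raise ValueError("seed must be 1 to 16 characters, got %d" % len(raw))
    if any(ch not in _ALNUM for ch in raw):
        raise ValueError("seed must be purely alphanumeric: %r" % raw)
    return raw.lower()


def _fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XORing the
    first half with the second half, as in the RFC 2289 reference code."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> str:
    """Compute the 64-bit OTP for (passphrase, seed, count) with the MD5
    algorithm of RFC 2289 and return it as 16 upper-case hex digits.

    The seed is lower-cased before hashing, so 'TeSt' and 'test' agree."""
    state = _fold_md5(normalize_seed(seed).encode("ascii")
                      + passphrase.encode("ascii"))
    for _ in range(count):
        state = _fold_md5(state)
    return state.hex().upper()


def seed_from_ldap_plain(attr_value: bytes) -> str:
    """Read the LDAP attribute as the plain alphanumeric seed string the RFC
    describes (the behaviour the suggested fix asks for)."""
    return normalize_seed(attr_value.decode("ascii"))


def seed_from_ldap_base64(attr_value: bytes) -> str:
    """Read the LDAP attribute as Base64 first (the behaviour this issue
    reports). Given a plain RFC seed this either fails to decode or yields
    bytes that are not a valid seed."""
    try:
        decoded = base64.b64decode(attr_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("attribute is not Base64: %r" % attr_value) from exc
    return normalize_seed(decoded.decode("ascii", errors="replace"))


if __name__ == "__main__":
    # Constructed LDAP attribute value holding a plain RFC 2289 seed.
    ATTR = b"TeSt"
    print("plain read  :", seed_from_ldap_plain(ATTR))
    try:
        print("base64 read :", seed_from_ldap_base64(ATTR))
    except ValueError as err:
        print("base64 read : rejected ->", err)
    # RFC 2289 Appendix C, MD5, pass phrase "This is a test.", seed "TeSt".
    print("OTP count 0 :", otp_md5("This is a test.", ATTR.decode(), 0))
```

Reading the attribute as plain text lower-cases {{TeSt}} to {{test}} and produces the RFC's published value for count 0; forcing a Base64 decode on the same stored value turns it into three non-alphanumeric bytes that the seed rules reject, so an operator following the RFC would be unable to log in until the stored value was re-encoded.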



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

