[jboss-jira] [JBoss JIRA] (ELY-1289) Elytron - OTP seed attribute in ldap-realm is Base64 encoded
Jan Kalina (JIRA)
issues at jboss.org
Mon Jul 17 04:54:01 EDT 2017
[ https://issues.jboss.org/browse/ELY-1289?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Kalina reassigned ELY-1289:
-------------------------------
Assignee: Jan Kalina (was: Darran Lofthouse)
> Elytron - OTP seed attribute in ldap-realm is Base64 encoded
> ------------------------------------------------------------
>
> Key: ELY-1289
> URL: https://issues.jboss.org/browse/ELY-1289
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Josef Cacek
> Assignee: Jan Kalina
> Priority: Critical
>
> The {{ldap-realm.otp-credential-mapper.seed-from}} attribute in Elytron subsystem refers to an LDAP attribute which stores an OTP seed. The LDAP-attribute value currently has to be Base64 encoded, which seems to be wrong.
> The problem is in the Elytron class {{org.wildfly.security.auth.realm.ldap.OtpCredentialLoader}} which handles the encoding/decoding.
> The [OTP RFC 2289|https://tools.ietf.org/html/rfc2289] says
> {noformat}
> The seed MUST consist of purely alphanumeric characters and MUST be
> of one to 16 characters in length. The seed is a string of characters
> that MUST not contain any blanks and SHOULD consist of strictly
> alphanumeric characters from the ISO-646 Invariant Code Set. The
> seed MUST be case insensitive and MUST be internally converted to
> lower case before it is processed.
> {noformat}
> I.e. there is no need to Base64-encode the String bytes.
> *Suggested fix*
> Don't encode/decode the LDAP attribute value.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
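Added worked example (not code from the report above and not the Elytron OtpCredentialLoader implementation): the seed rules quoted from RFC 2289 section 6 as a validator, a hypothetical seed_from_ldap stand-in that models the two behaviours the report contrasts (Base64-decode the attribute first, or use it as-is), and the RFC 2289 MD5 OTP computation so the effect on authentication can be observed. The function names, the LDAP attribute values and the passphrases are constructed for the example; the OTP routine is checked against the MD5 test vectors in RFC 2289 Appendix C.

```python
"""Added example (not Elytron code): RFC 2289 OTP seed handling.

Shows (a) the seed rules RFC 2289 section 6 imposes, (b) what happens to a
plain-text seed stored in LDAP if the realm Base64-decodes the attribute before
using it, and (c) why an OTP computed from the decoded value cannot match the
one the user's generator produces from the stored seed.
"""
import base64
import binascii
import hashlib
import re

# RFC 2289, section 6: 1 to 16 alphanumeric ISO-646 characters, no blanks,
# case-insensitive and normalised to lower case before use.
_SEED_RE = re.compile(r"[A-Za-z0-9]{1,16}")


def normalize_seed(seed: str) -> str:
    """Validate a seed against RFC 2289 and return its canonical lower-case form."""
    if not _SEED_RE.fullmatch(seed):
        raise ValueError(f"invalid OTP seed {seed!r}: need 1-16 alphanumeric characters")
    return seed.lower()


def seed_from_ldap(attribute_value: str, base64_decode: bool) -> str:
    """Hypothetical stand-in for a realm's seed lookup (assumption: not OtpCredentialLoader).

    base64_decode=True models the behaviour the report describes: the LDAP
    attribute value is Base64-decoded before it is used as the seed.
    base64_decode=False is the suggested fix: the attribute value is the seed.
    """
    if base64_decode:
        try:
            raw = base64.b64decode(attribute_value, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"seed attribute is not valid Base64: {attribute_value!r}") from exc
        # latin-1 never fails to decode; the RFC check below decides if the bytes are a usable seed
        seed = raw.decode("latin-1")
    else:
        seed = attribute_value
    return normalize_seed(seed)


def _fold(digest: bytes) -> bytes:
    """RFC 2289 folding for MD5: XOR the first 64 bits of the digest with the last 64 bits."""
    return bytes(digest[i] ^ digest[i + 8] for i in range(8))


def otp_md5(passphrase: str, seed: str, count: int) -> str:
    """RFC 2289 one-time password (MD5 variant) as the 16 hex digits a client would send."""
    value = _fold(hashlib.md5((normalize_seed(seed) + passphrase).encode("ascii")).digest())
    for _ in range(count):
        value = _fold(hashlib.md5(value).digest())
    return value.hex().upper()


def server_accepts(ldap_seed: str, base64_decode: bool, passphrase: str, count: int,
                   client_response: str) -> bool:
    """Recompute the expected OTP from the seed as the server loads it and compare."""
    expected = otp_md5(passphrase, seed_from_ldap(ldap_seed, base64_decode), count)
    return expected == client_response


if __name__ == "__main__":
    # Constructed scenario: LDAP stores the plain seed "QUJD"; the user's generator
    # is seeded with the same value (normalised to "qujd" per the RFC).
    ldap_value, passphrase, count = "QUJD", "correct horse battery", 5
    response = otp_md5(passphrase, "QUJD", count)
    print("attribute used as-is (fix):       ", server_accepts(ldap_value, False, passphrase, count, response))
    # "QUJD" happens to be valid Base64 for "ABC", so the decode-first behaviour silently
    # uses seed "abc" and every response the user's generator produces is rejected.
    print("attribute Base64-decoded (report):", server_accepts(ldap_value, True, passphrase, count, response))
```

Two failure modes of the decode-first behaviour are visible here: a seed such as "TeSt" is valid Base64 but decodes to bytes that are not alphanumeric, so it is rejected outright, while a seed such as "QUJD" decodes to another valid-looking seed ("abc") and the realm quietly computes passwords for a seed the user never had.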