[jboss-jira] [JBoss JIRA] (WFCORE-3068) Elytron - OTP seed attribute in ldap-realm is Base64 encoded

Jan Kalina (JIRA) issues at jboss.org
Mon Jul 17 07:33:00 EDT 2017


     [ https://issues.jboss.org/browse/WFCORE-3068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Kalina moved JBEAP-12158 to WFCORE-3068:
--------------------------------------------

              Project: WildFly Core  (was: JBoss Enterprise Application Platform)
                  Key: WFCORE-3068  (was: JBEAP-12158)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: Security
                           (was: Security)
    Affects Version/s: 3.0.0.Beta28
                           (was: 7.1.0.ER2)


> Elytron - OTP seed attribute in ldap-realm is Base64 encoded
> ------------------------------------------------------------
>
>                 Key: WFCORE-3068
>                 URL: https://issues.jboss.org/browse/WFCORE-3068
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 3.0.0.Beta28
>            Reporter: Jan Kalina
>            Assignee: Jan Kalina
>            Priority: Critical
>
> The {{ldap-realm.otp-credential-mapper.seed-from}} attribute in Elytron subsystem refers to an LDAP attribute which stores an OTP seed. The LDAP-attribute value currently has to be Base64 encoded, which seems to be wrong.
> The problem is in the Elytron class {{org.wildfly.security.auth.realm.ldap.OtpCredentialLoader}} which handles the encoding/decoding.
> The [OTP RFC 2289|https://tools.ietf.org/html/rfc2289] says
> {noformat}
>    The seed MUST consist of purely alphanumeric characters and MUST be
>    of one to 16 characters in length. The seed is a string of characters
>    that MUST not contain any blanks and SHOULD consist of strictly
>    alphanumeric characters from the ISO-646 Invariant Code Set.  The
>    seed MUST be case insensitive and MUST be internally converted to
>    lower case before it is processed.
> {noformat}
> I.e., there is no need to Base64-encode the String bytes.
> *Suggested fix*
> Don't encode/decode the LDAP attribute value.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
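As an added illustration (not Elytron's own OtpCredentialLoader code), the hypothetical helper below applies the RFC 2289 seed rules quoted in the issue to a value read from the LDAP attribute: the suggested path takes the value as-is, validates it and lower-cases it, while a pre-fix-style path that Base64-decodes first cannot accept a seed stored in the RFC's plain form. Class and method names, and the sample attribute value, are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;
import java.util.regex.Pattern;

/** Hypothetical helper: RFC 2289 seed handling for a value read from an LDAP attribute. */
public final class OtpSeedAttribute {

    // RFC 2289: 1 to 16 purely alphanumeric characters, no blanks, case-insensitive.
    private static final Pattern RFC2289_SEED = Pattern.compile("[A-Za-z0-9]{1,16}");

    private OtpSeedAttribute() {}

    /** Suggested fix: use the attribute value as stored, validate it, normalise to lower case. */
    public static String seedFromAttribute(String attributeValue) {
        if (attributeValue == null || !RFC2289_SEED.matcher(attributeValue).matches()) {
            throw new IllegalArgumentException(
                    "OTP seed must be 1..16 alphanumeric characters, got: " + attributeValue);
        }
        // RFC 2289: the seed MUST be converted to lower case before it is processed.
        return attributeValue.toLowerCase(Locale.ROOT);
    }

    /** Pre-fix behaviour as described in the issue: the stored value is Base64-decoded first. */
    public static String seedFromBase64Attribute(String attributeValue) {
        byte[] raw = Base64.getDecoder().decode(attributeValue); // may itself throw on bad input
        return seedFromAttribute(new String(raw, StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String plainSeed = "Ke1234"; // constructed sample: a seed stored in the RFC 2289 plain form

        // Suggested behaviour: the plain seed is accepted and lower-cased.
        System.out.println("plain attribute   -> " + seedFromAttribute(plainSeed));

        // Pre-fix behaviour needs the same seed stored as Base64 of its bytes.
        String encoded = Base64.getEncoder().encodeToString(plainSeed.getBytes(StandardCharsets.US_ASCII));
        System.out.println("base64 attribute  -> " + seedFromBase64Attribute(encoded));

        // Pre-fix behaviour given the plain RFC seed: the text is decoded as if it were Base64,
        // yielding bytes that are not an alphanumeric seed (or failing to decode at all).
        try {
            seedFromBase64Attribute(plainSeed);
        } catch (IllegalArgumentException e) {
            System.out.println("plain seed via base64 path rejected: " + e.getMessage());
        }
    }
}
```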

