From cohei...@apache.org
Subject syncope git commit: SYNCOPE-1168 - Encryptor pads short secret keys with "0" instead of random characters
Date Tue, 18 Jul 2017 11:02:13 GMT
Repository: syncope
Updated Branches:
  refs/heads/master eebca673e -> 4214a3892


SYNCOPE-1168 - Encryptor pads short secret keys with "0" instead of random characters


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/4214a389
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/4214a389
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/4214a389

Branch: refs/heads/master
Commit: 4214a38925ea07d6ab2a9d8bbf32fcd3fe0841d0
Parents: eebca67
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Jul 18 11:02:40 2017 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Jul 18 11:36:21 2017 +0100

----------------------------------------------------------------------
 .../apache/syncope/core/spring/security/Encryptor.java | 11 +++++++----
 .../syncope/core/spring/security/EncryptorTest.java    | 13 +++++++++++--
 2 files changed, 18 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/4214a389/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
----------------------------------------------------------------------
diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
b/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
index af64177..a97094a 100644
--- a/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
+++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
@@ -154,11 +154,14 @@ public final class Encryptor {
         String actualKey = secretKey;
         if (actualKey.length() < 16) {
             StringBuilder actualKeyPadding = new StringBuilder(actualKey);
-            for (int i = 0; i < 16 - actualKey.length(); i++) {
-                actualKeyPadding.append('0');
-            }
+            int length = 16 - actualKey.length();
+            String randomChars = SecureRandomUtils.generateRandomPassword(length);
+
+            actualKeyPadding.append(randomChars);
             actualKey = actualKeyPadding.toString();
-            LOG.debug("actualKey too short, adding some random characters");
+            LOG.warn("The secret key is too short (< 16), adding some random characters.
"
+                     + "Passwords encrypted with AES and this key will not be recoverable
"
+                     + "as a result if the container is restarted.");
         }
 
         try {
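Review bot: Padding the configured secret with the output of `SecureRandomUtils.generateRandomPassword(length)` means the effective AES key is not known to the operator at all, so each instance — and each restart — encrypts under a different key; the new warning describes that data loss, but it is caused by this branch rather than by the short key itself. A deterministic fix would serve better here: stretch the configured secret to the required length with `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")` over a fixed salt, or refuse the misconfiguration with `throw new IllegalArgumentException("secretKey must be at least 16 characters")`, so ciphertexts remain recoverable and a weak key is never silently papered over. The `< 16` comparison also counts characters while AES needs 16 bytes; how the key is later converted to bytes is outside this hunk, so a non-ASCII secret may still be handled inconsistently — worth confirming. The enclosing method starts before and ends after the hunk.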

http://git-wip-us.apache.org/repos/asf/syncope/blob/4214a389/core/spring/src/test/java/org/apache/syncope/core/spring/security/EncryptorTest.java
----------------------------------------------------------------------
diff --git a/core/spring/src/test/java/org/apache/syncope/core/spring/security/EncryptorTest.java
b/core/spring/src/test/java/org/apache/syncope/core/spring/security/EncryptorTest.java
index 98c3f16..064d970 100644
--- a/core/spring/src/test/java/org/apache/syncope/core/spring/security/EncryptorTest.java
+++ b/core/spring/src/test/java/org/apache/syncope/core/spring/security/EncryptorTest.java
@@ -61,7 +61,16 @@ public class EncryptorTest {
 
     @Test
     public void testDecodeDefaultAESKey() throws Exception {
-        String password = encryptor.decode("9Pav+xl+UyHt02H9ZBytiA==", CipherAlgorithm.AES);
-        assertEquals("password", password);
+        String decPassword = encryptor.decode("9Pav+xl+UyHt02H9ZBytiA==", CipherAlgorithm.AES);
+        assertEquals(password, decPassword);
     }
+
+    @Test
+    public void testSmallKey() throws Exception {
+        Encryptor smallKeyEncryptor = Encryptor.getInstance("123");
+        String encPassword = smallKeyEncryptor.encode(password, CipherAlgorithm.AES);
+        String decPassword = smallKeyEncryptor.decode(encPassword, CipherAlgorithm.AES);
+        assertEquals(password, decPassword);
+    }
+
 }
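Review bot: `testSmallKey` only round-trips within one instance, so it would have passed equally with the previous `'0'` padding and does not pin the new behaviour; with random padding there is no fixed ciphertext that can be asserted, and that constraint deserves a comment on the test, e.g. `// Round-trip only: the padded key is random per instance, so no fixed ciphertext can be asserted.` If `Encryptor.getInstance` caches instances per key (not visible here), a second `getInstance("123")` would also not demonstrate cross-instance behaviour, so a cross-instance decode failure is best documented rather than tested. The `password` field used in both tests is declared outside this hunk.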

