manageLTPA: cannot decrypt keysPassword when wlp.password.encryption.key is specified #637

Open
jimmy1wu opened this issue Apr 23, 2024 · 0 comments

jimmy1wu commented Apr 23, 2024

manageLTPA encrypts the ltpa.keysPassword using the default wlp.password.encryption.key. Thus, when an app specifies their own wlp.password.encryption.key, the ltpa.keysPassword fails to be decrypted.

Steps to reproduce:

  1. Create a Liberty app which sets <variable name="wlp.password.encryption.key" value="123" /> in the server.xml
  2. Set spec.manageLTPA: true in the WebSphereLibertyApplication
  3. Deploy the app WebSphereLibertyApplication

The following error is produced:

[4/16/24, 13:56:00:638 UTC] 0000002b com.ibm.websphere.crypto.PasswordUtil                        E CWWKS1856E: The password was not processed because an unknown password algorithm exception was reported.
com.ibm.websphere.crypto.UnsupportedCryptoAlgorithmException
	at com.ibm.ws.crypto.util.PasswordCipherUtil.aesDecipher(PasswordCipherUtil.java:269)
	at com.ibm.ws.crypto.util.PasswordCipherUtil.decipher(PasswordCipherUtil.java:202)
	at com.ibm.websphere.crypto.PasswordUtil.decode_password(PasswordUtil.java:638)
	at com.ibm.websphere.crypto.PasswordUtil.passwordDecode(PasswordUtil.java:437)
	at com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask.getKeyPasswordBytes(LTPAKeyCreateTask.java:52)
	at com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask.getPreparedLtpaKeyInfoManager(LTPAKeyCreateTask.java:59)
	at com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask.createRequiredCollaborators(LTPAKeyCreateTask.java:95)
	at com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask.run(LTPAKeyCreateTask.java:105)
	at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:280)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:857)
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
	at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:917)
	at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:997)
	at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:771)
	at java.base/com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:436)
	at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2263)
	at com.ibm.ws.crypto.util.PasswordCipherUtil.aesDecipher(PasswordCipherUtil.java:255)
	... 11 more

References:
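
The key mismatch behind the BadPaddingException in the trace above, as an added example that is not part of the original issue and is not the operator's or Liberty's code. It assumes a simplified SHA-256 key derivation, a fixed all-zero IV and constructed passphrases ("operator-default-key" is a placeholder, "123" is the value from the reproduction steps); Liberty's real password encoding is not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey is a simplified stand-in for a passphrase-based KDF
// (assumption: this is not Liberty's actual key derivation).
func deriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:16]
}

// Encrypt pads with PKCS#7 and encrypts with AES-CBC under a constructed zero IV.
func Encrypt(passphrase, plaintext string) []byte {
	block, _ := aes.NewCipher(deriveKey(passphrase)) // key is always 16 bytes
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	data := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, data)
	return out
}

// Decrypt reverses Encrypt and rejects invalid padding, the condition the
// Java provider reports as BadPaddingException.
func Decrypt(passphrase string, ct []byte) (string, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of blocks")
	}
	block, _ := aes.NewCipher(deriveKey(passphrase))
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, ct)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.HasSuffix(out, bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad padding: ciphertext was likely produced with a different key")
	}
	return string(out[:len(out)-pad]), nil
}

func main() {
	ct := Encrypt("operator-default-key", "ltpa-keys-password") // constructed values
	fmt.Println(Decrypt("operator-default-key", ct))            // same key: round-trips
	fmt.Println(Decrypt("123", ct))                             // mismatched key: padding error, or rarely garbage
}
```

A padding check is not an integrity check: a small fraction of wrong keys produce bytes that happen to end in valid padding, so a mismatch can also surface as a garbage password rather than an exception.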
