WildFly Elytron / ELY-1289

Elytron - OTP seed attribute in ldap-realm is Base64 encoded

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 1.1.0.CR3
    • Component/s: None
    • Labels: None

      Description

      The ldap-realm.otp-credential-mapper.seed-from attribute in Elytron subsystem refers to an LDAP attribute which stores an OTP seed. The LDAP-attribute value currently has to be Base64 encoded, which seems to be wrong.

      The problem is in the Elytron class org.wildfly.security.auth.realm.ldap.OtpCredentialLoader which handles the encoding/decoding.

      The OTP RFC 2289 says:

         The seed MUST consist of purely alphanumeric characters and MUST be
         of one to 16 characters in length. The seed is a string of characters
         that MUST not contain any blanks and SHOULD consist of strictly
         alphanumeric characters from the ISO-646 Invariant Code Set.  The
         seed MUST be case insensitive and MUST be internally converted to
         lower case before it is processed.

      I.e., there is no need to Base64-encode the String bytes.

      Suggested fix
      Don't encode/decode the LDAP attribute value.
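The seed rules quoted from RFC 2289 above, and the difference between reading the LDAP attribute value as-is and Base64-decoding it first, as an added Python example (this is not Elytron's OtpCredentialLoader code; the attribute values are constructed, and the OTP computation is the RFC 2289 MD5 variant checked against the RFC's "TeSt" test vector):

```python
"""RFC 2289 seed handling for a seed stored in an LDAP attribute.

Added example, not WildFly Elytron code. A seed is a 1-16 character
alphanumeric string that is lower-cased before hashing; Base64-decoding
the stored value first either fails outright or yields bytes that are not
a valid seed, so a client holding the real seed can never authenticate.
"""
import base64
import binascii
import hashlib
import re

# RFC 2289: one to 16 purely alphanumeric characters, no blanks.
_SEED_RE = re.compile(r"[A-Za-z0-9]{1,16}")


def normalize_seed(seed: str) -> str:
    """Validate a seed against RFC 2289 and return its lower-case form."""
    if not _SEED_RE.fullmatch(seed):
        raise ValueError(f"invalid OTP seed: {seed!r}")
    # The seed is case insensitive and is converted to lower case before use.
    return seed.lower()


def _md5_fold(data: bytes) -> bytes:
    """MD5 the input and fold the 128-bit digest to 64 bits (RFC 2289, App. A)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> str:
    """Return the count-th MD5 one-time password as 16 upper-case hex digits."""
    # Initial step: lower-cased seed concatenated with the pass phrase.
    value = _md5_fold((normalize_seed(seed) + passphrase).encode("ascii"))
    for _ in range(count):
        value = _md5_fold(value)
    return value.hex().upper()


def seed_from_attribute(value: str, base64_encoded: bool) -> str:
    """Interpret an LDAP attribute value as an OTP seed.

    base64_encoded=True mirrors the reported behaviour (value treated as
    Base64 text); False is the suggested fix (value used as-is).
    """
    if not base64_encoded:
        return normalize_seed(value)
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"attribute {value!r} is not Base64: {exc}") from None
    # Non-ASCII bytes become U+FFFD, which the seed check then rejects.
    return normalize_seed(raw.decode("ascii", errors="replace"))


def attribute_outcomes(value: str) -> dict:
    """Return the seed (or the error) each interpretation yields for one value."""
    results = {}
    for mode in ("raw", "base64"):
        try:
            results[mode] = seed_from_attribute(value, base64_encoded=(mode == "base64"))
        except ValueError as exc:
            results[mode] = f"ERROR: {exc}"
    return results


if __name__ == "__main__":
    # Constructed sample: the RFC 2289 test-vector pair, as if "otpSeed: TeSt"
    # (hypothetical attribute name) were stored in the user's LDAP entry.
    print(otp_md5("This is a test.", "TeSt", 0))  # 9E876134D90499DD
    for stored in ("TeSt", "alpha1", base64.b64encode(b"TeSt").decode()):
        print(stored, attribute_outcomes(stored))
```

With the raw interpretation, "TeSt" and "alpha1" load as the seeds "test" and "alpha1"; the Base64 interpretation turns "TeSt" into three non-ASCII bytes and rejects "alpha1" for bad padding. Only "VGVTdA==" (the Base64 form of "TeSt") satisfies the Base64 loader, and that string is itself not a valid RFC 2289 seed, which is the mismatch the issue describes.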

                People

                • Assignee: Jan Kalina (honza889)
                • Reporter: Josef Cacek (jcacek)
                • Votes: 0
                • Watchers: 1
