Red Hat Fuse / ENTESB-9966

jasypt encryption / decryption not working with strong algorithms from the unlimited strength JCE

    Details

    • Sprint:
      Fuse 7.3 Sprint 41 - Dev #2
  • Steps to Reproduce:

      Follow the instructions listed in the Fuse 7.2 security guide to download jasypt and encrypt the property "mytextprop":

      ./encrypt.sh input="mytextprop" algorithm=PBEWITHHMACSHA256ANDAES_256 password=masterpasswd

      Copy the result to file $FUSE7.2_HOME/etc/enc.test.cfg like so:

      my.property=ENC(cjfupiLA3YD4Ce1ByqUD0eSpjtiAze8xhCjQvSLED2o=)

      Install the camel-jasypt and jasypt-encryption features in the Karaf instance.

      Drop the blueprint file below into the deploy directory:

      <?xml version="1.0" encoding="UTF-8"?>
      <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
          xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0"
          xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0"
          xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0 https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
      
          <cm:property-placeholder id="enc.test.placeholder" persistent-id="enc.test" placeholder-prefix="$[" placeholder-suffix="]" update-strategy="reload"/>
      
          <enc:property-placeholder>
              <enc:encryptor class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
                  <property name="config">
                      <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
                          <property name="algorithm" value="PBEWITHHMACSHA512ANDAES_256"/>
                          <property name="passwordEnvName" value="ENCRYPTION_PASSWORD"/>
                      </bean>
                  </property>
              </enc:encryptor>
          </enc:property-placeholder>
          
          <bean
              class="org.apache.camel.component.jasypt.JasyptPropertiesParser" id="jasypt">
              <property name="algorithm" value="PBEWITHHMACSHA512ANDAES_256"/>
              <property name="password" value="sysenv:ENCRYPTION_PASSWORD"/>
          </bean>
      
          <camelContext id="log-example-context" xmlns="http://camel.apache.org/schema/blueprint" >
              
              <propertyPlaceholder id="properties" location="blueprint:enc.test.placeholder" propertiesParserRef="jasypt"/>
      
              <!--
                A very simple Camel route that uses a timer to trigger a message every 5 seconds.
      
                The <setBody> sets a body into the Camel Message.
      
                The <log/> elements are used to add human-friendly business logging statements. They make it easier to see what the
                route is doing.
              -->
              <route id="log-route">
                  <from uri="timer:foo?period=5000"/>
                  <setBody>
                      <simple>Hello from Fuse based Camel route!</simple>
                  </setBody>
                  <log message="{{my.property}}"/>
              </route>
          </camelContext>
        
      </blueprint>
      

      Expected result:

      Camel starts up and begins logging lines like:

      19:09:29.477 INFO [Camel (log-example-context) thread #31 - timer://foo] mytextprop

      Actual result:

      EncryptionNotPossibleException is thrown.

  • Workaround Description:

      Adding the BouncyCastle jars to the jasypt distribution lib directory and selecting one of the supported BC algorithms seems to work:

      ./encrypt.sh input="mytextprop" algorithm=PBEWITHSHA-1AND256BITAES-CBC-BC password=masterpasswd providerClassName=org.bouncycastle.jce.provider.BouncyCastleProvider

      ----OUTPUT----------------------

      yyXUVk0jbf+AaOITIhJlnNX2cORbsm2YoAkeeuaRMN0=

      ./decrypt.sh input="yyXUVk0jbf+AaOITIhJlnNX2cORbsm2YoAkeeuaRMN0=" algorithm=PBEWITHSHA-1AND256BITAES-CBC-BC password=masterpasswd providerClassName=org.bouncycastle.jce.provider.BouncyCastleProvider

      ----ENVIRONMENT-----------------

      Runtime: Oracle Corporation OpenJDK 64-Bit Server VM 25.191-b12

      ----ARGUMENTS-------------------

      algorithm: PBEWITHSHA-1AND256BITAES-CBC-BC
      input: yyXUVk0jbf+AaOITIhJlnNX2cORbsm2YoAkeeuaRMN0=
      password: masterpasswd
      providerClassName: org.bouncycastle.jce.provider.BouncyCastleProvider

      ----OUTPUT----------------------

      mytextprop

      Substituting the supported BC algorithm used above in the test blueprint resulted in a working route.


      Description

      Following the instructions for encrypting property placeholders described in the Fuse 7.2 document (https://access.redhat.com/documentation/en-us/red_hat_fuse/7.2/html/apache_karaf_security_guide/esbsecurecontainer#FMQSecurityEncryptProperties) works when using a weak algorithm like PBEWithMD5AndDES; however, decryption fails when using a stronger algorithm like PBEWITHHMACSHA512ANDAES_256. This appears to be a bug in jasypt 1.9.2 itself with OpenJDK 1.8 (unlimited strength JCE enabled by default).
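A stand-alone reproducer for the three cases the issue covers (the weak algorithm that works, the strong algorithm that fails, and the BouncyCastle workaround), added here as an example and not taken from the issue or from the Fuse or jasypt projects. It assumes jasypt 1.9.2 and the BouncyCastle provider jar (bcprov) on the classpath and, like the blueprint above, reads the password from the ENCRYPTION_PASSWORD environment variable; on the affected jasypt/JDK combination the second line is expected to print false.

```java
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

public class JasyptAlgorithmCheck {

    // Mirrors the blueprint's EnvironmentStringPBEConfig: algorithm name plus the
    // password read from ENCRYPTION_PASSWORD. The provider is only set for the
    // BouncyCastle workaround; otherwise the JDK's default JCE provider is used.
    static StandardPBEStringEncryptor buildEncryptor(String algorithm, boolean useBouncyCastle) {
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setAlgorithm(algorithm);
        config.setPasswordEnvName("ENCRYPTION_PASSWORD");
        if (useBouncyCastle) {
            config.setProvider(new BouncyCastleProvider());
        }
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    // Encrypts the issue's sample value and decrypts it again with a fresh encryptor,
    // which is what the Karaf property placeholder does at runtime. Returns false when
    // jasypt gives up with EncryptionOperationNotPossibleException (the reported failure).
    static boolean roundTrips(String algorithm, boolean useBouncyCastle) {
        try {
            String cipherText = buildEncryptor(algorithm, useBouncyCastle).encrypt("mytextprop");
            String plainText = buildEncryptor(algorithm, useBouncyCastle).decrypt(cipherText);
            return "mytextprop".equals(plainText);
        } catch (EncryptionOperationNotPossibleException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        if (System.getenv("ENCRYPTION_PASSWORD") == null) {
            System.err.println("set ENCRYPTION_PASSWORD (the issue uses masterpasswd) and rerun");
            System.exit(2);
        }
        // Algorithm names and expected outcomes as described in the issue.
        System.out.println("PBEWithMD5AndDES (weak, works)                  : " + roundTrips("PBEWithMD5AndDES", false));
        System.out.println("PBEWITHHMACSHA512ANDAES_256 (strong, reported)  : " + roundTrips("PBEWITHHMACSHA512ANDAES_256", false));
        System.out.println("PBEWITHSHA-1AND256BITAES-CBC-BC (BC workaround) : " + roundTrips("PBEWITHSHA-1AND256BITAES-CBC-BC", true));
    }
}
```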

      People

      • Assignee: Grzegorz Grzybek (grgrzybek)
      • Reporter: Duane Hawkins (hawkinsds)
      • Tester: Vratislav Hais