  1. PicketBox
  2. SECURITY-851

Base64Utils class cuts leading zeroes from encoded bytes

Details

    • Bug
    • Resolution: Done
    • Blocker
    • PicketBox_4_0_21.Final
    • PicketBox_4_0_21.Beta2
    • None
    • None

    Description

      The Vault util is failing for some password/salt/iteration combinations because the Base64Utils class strips zeroes from the provided byte array.

      So if a user encodes a key with length 8 and the leading byte of the key is zero, then after decoding he only gets 7 (or fewer) bytes.

      For instance:

      encode ( { 0, 81, 121, -37, 46, -64, 20, 114 } ) -> "1HUTikm1Ho"
      decode ("1HUTikm1Ho") -> {  81, 121, -37, 46, -64, 20, 114  }
      

      As a result the PBEUtil will fail with javax.crypto.IllegalBlockSizeException.

      IMHO the same problem can occur in other places where the Base64Utils class is used (not only the Vault).

            People

              josef.cacek@gmail.com Josef Cacek (Inactive)