Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-3068

Elytron - OTP seed attribute in ldap-realm is Base64 encoded

    XMLWordPrintable

Details

    • Bug
    • Resolution: Won't Do
    • Critical
    • None
    • 3.0.0.Beta28
    • Security
    • None

    Description

      The ldap-realm.otp-credential-mapper.seed-from attribute in Elytron subsystem refers to an LDAP attribute which stores an OTP seed. The LDAP-attribute value currently has to be Base64 encoded, which seems to be wrong.

      The problem is in the Elytron class org.wildfly.security.auth.realm.ldap.OtpCredentialLoader which handles the encoding/decoding.

      The OTP RFC 2289 says

         The seed MUST consist of purely alphanumeric characters and MUST be
   of one to 16 characters in length. The seed is a string of characters
   that MUST not contain any blanks and SHOULD consist of strictly
   alphanumeric characters from the ISO-646 Invariant Code Set.  The
   seed MUST be case insensitive and MUST be internally converted to
   lower case before it is processed.

      I.e. There is no need to Base64-encode the String bytes.

      Suggested fix
      Don't encode/decode the LDAP attribute value.

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-12140 Elytron - OTP seed attribute in ldap-realm is Base64 encoded

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: