[ https://issues.apache.org/jira/browse/SHIRO-736?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated SHIRO-736: -------------------------------------- Fix Version/s: 1.5.0 > DefaultCipherInstance is an alias which is not available in every JVM or JCA > Provider > ------------------------------------------------------------------------------------- > > Key: SHIRO-736 > URL: https://issues.apache.org/jira/browse/SHIRO-736 > Project: Shiro > Issue Type: Bug > Components: Cryptography & Hashing > Affects Versions: 1.4.2, 1.5.0 > Reporter: Benjamin Marwell > Priority: Major > Labels: default, exceptions, security > Fix For: 1.5.0 > > Original Estimate: 1h > Time Spent: 10m > Remaining Estimate: 50m > > Dear all, > h2. Problem Description > the default cipher instance for the RememberMe Manager is set in the > AbstractRememberMeManager's constructor: > {{AesCipherService cipherService = new AesCipherService();}} > Now, AesCipherService sets the Algorithm to AES and OperationMode to GCM in > its constructor, but it inherits it's parents PaddingMode. Since the parent > is "DefaultBlockCipherService" which is a block cipher service (as the name > suggests), a padding is set and defaults to PKCS5. > This results in the method call {{javax.crypto.Cipher.getInstance( > "AES/GCM/PKCS5Padding" )}}. Most JVMs can handle this well and will use > {{javax.crypto.Cipher.getInstance( "AES/GCM/NoPadding" )}} internally, but > some do not, because Padding with a streaming cipher does not seem specified. > > Therefore, the default shiro setup will not work on such JVMs, which is a > regression: > {{java.security.NoSuchAlgorithmException: Cannot find any provider supporting > AES/GCM/PKCS5Padding}} > > h2. Workarounds > Use this configuration in {{shiro.ini}}. > Note that you would not gain from security updates this way which is a big > drawback! > {code:java} > cipherService = org.apache.shiro.crypto.AesCipherService > cipherService.paddingSchemeName = NoPadding > securityManager.rememberMeManager.cipherService = $cipherService {code} > > h2. Proposed Solution > In {{AesCipherService}}, add this line to the constructor: > {{setPaddingMode(PaddingMode.NONE.getTransformationName());}} > > h2. Affected Versions > I also added 1.5.0 as affected, becaue I guess it might not make it. Remove > this version from the affected versions list if applicable. -- This message was sent by Atlassian Jira (v8.3.4#803005)