Here you go: Issue: https://issues.apache.org/jira/browse/SHIRO-736 PR: https://github.com/apache/shiro/pull/194
CLA is signed. Maybe CC the apache security team to review the claims made by the people on stack overflow and stackexchange? I can only verify that this works for JVMs which do not support the PKCS5 padding mode on AES/GCM. Am Di., 14. Jan. 2020 um 15:26 Uhr schrieb Colm O hEigeartaigh <cohei...@apache.org>: > > Yes, that makes sense to me, please create a PR. > > Colm. > > On Tue, Jan 14, 2020 at 2:17 PM Benjamin Marwell <bmarw...@gmail.com> wrote: > > > Dear devs, > > > > just another quick note. > > > > I found out that the default cipher was changed to > > "AES/GCM/PKCS5Padding" in 1.4.2 for security reasons. However, GCM is > > a streaming algorithm and does not support Padding[1]. In this case > > this algorithm name is just a synonym to "AES/GCM/NOPADDING" in most > > JDKs and JREs[1]. > > > > However, some older (Adopt Open / IBM) J9 JVMs do not seem to support > > this alias "AES/GCM/PKCS5Padding". > > > > Thus, I would like to propose to add this line to > > AesCipherService.java in the constructor: > > setPaddingScheme( PaddingScheme.NONE.getTransformationName() ); > > > > If you agree, I can create an issue and a PR. > > > > Best regards, > > Ben > > > > [1] https://crypto.stackexchange.com/a/42413 > > [2] https://stackoverflow.com/a/31249214/1549977 > >