This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 607ebc0fa5 Add support for new algorithms provided by JPA providers
607ebc0fa5 is described below
commit 607ebc0fa522bd9e8c05517baa2d179bbd1e659c
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Mar 13 13:18:39 2026 +0000
Add support for new algorithms provided by JPA providers
---
.../group/interceptors/EncryptInterceptor.java | 64 ++++++--
.../group/interceptors/LocalStrings.properties | 5 +-
.../group/interceptors/LocalStrings_fr.properties | 1 -
.../group/interceptors/LocalStrings_ja.properties | 1 -
.../group/interceptors/LocalStrings_ko.properties | 1 -
.../interceptors/LocalStrings_zh_CN.properties | 1 -
.../group/interceptors/TestEncryptInterceptor.java | 58 --------
.../TestEncryptInterceptorAlgorithms.java | 162 +++++++++++++++++++++
webapps/docs/changelog.xml | 4 +
webapps/docs/config/cluster-interceptor.xml | 19 ++-
10 files changed, 231 insertions(+), 85 deletions(-)
diff --git
a/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
index eb46e5259f..563e61337b 100644
--- a/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
+++ b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
@@ -21,6 +21,7 @@ import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
+import java.util.Locale;
import java.util.concurrent.ConcurrentLinkedQueue;
import javax.crypto.Cipher;
@@ -41,7 +42,6 @@ import org.apache.catalina.tribes.util.StringManager;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
-
/**
* Adds encryption using a pre-shared key. The length of the key (in bytes)
must be acceptable for the encryption
* algorithm being used. For example, for AES, you must use a key of either 16
bytes (128 bits, 24 bytes 192 bits), or
@@ -139,17 +139,18 @@ public class EncryptInterceptor extends
ChannelInterceptorBase implements Encryp
xbb.clear();
xbb.append(data, 0, data.length);
- super.messageReceived(msg);
} catch (GeneralSecurityException gse) {
log.error(sm.getString("encryptInterceptor.decrypt.failed"), gse);
}
+ super.messageReceived(msg);
}
/**
* Sets the encryption algorithm to be used for encrypting and decrypting
channel messages. You must specify the
* <code>algorithm/mode/padding</code>. Information on standard algorithm
names may be found in the
* <a
href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html";>Java
- * documentation</a>. Default is <code>AES/CBC/PKCS5Padding</code>.
+ * documentation</a>. Default is <code>AES/CBC/PKCS5Padding</code> for
backwards compatibility but it is recommended
+ * that <code>AES/GCM/NoPadding</code> is used.
*
* @param algorithm The algorithm to use.
*/
@@ -313,33 +314,68 @@ public class EncryptInterceptor extends
ChannelInterceptorBase implements Encryp
String algorithmName;
String algorithmMode;
+ String algorithmPadding;
- // We need to break-apart the algorithm name e.g. AES/CBC/PKCS5Padding
+ // We need to break-apart the algorithm name e.g. AES/GCM/NoPadding
// take just the algorithm part.
int pos = algorithm.indexOf('/');
if (pos >= 0) {
- algorithmName = algorithm.substring(0, pos);
+ algorithmName = algorithm.substring(0,
pos).toUpperCase(Locale.ENGLISH);
int pos2 = algorithm.indexOf('/', pos + 1);
if (pos2 >= 0) {
- algorithmMode = algorithm.substring(pos + 1, pos2);
+ algorithmMode = algorithm.substring(pos + 1,
pos2).toUpperCase(Locale.ENGLISH);
+ algorithmPadding = algorithm.substring(pos2 +
1).toUpperCase(Locale.ENGLISH);
} else {
- algorithmMode = "CBC";
+ algorithmMode = "GCM";
+ algorithmPadding = "NOPADDING";
}
} else {
algorithmName = algorithm;
- algorithmMode = "CBC";
+ algorithmMode = "GCM";
+ algorithmPadding = "NOPADDING";
}
- if ("GCM".equalsIgnoreCase(algorithmMode)) {
+ /*
+ * Limit the cipher algorithm modes available. The limits are based on
the cipher algorithm modes listed in the
+ * Java Standard Names documentation. Those modes that are not
appropriate or provide no protection are blocked.
+ * Where there are performance or security concerns regarding a mode,
a warning is logged. Unrecognised modes,
+ * such as those provided by custom JCA providers are allowed but will
be rejected if there is no JCA provider
+ * to support them.
+ */
+ if ("NONE".equals(algorithmMode) || "ECB".equals(algorithmMode) ||
"PCBC".equals(algorithmMode) ||
+ "CTS".equals(algorithmMode) || "KW".equals(algorithmMode) ||
"KWP".equals(algorithmMode) ||
+ "CTR".equals(algorithmMode) ||
+ ("CBC".equals(algorithmMode) &&
"NOPADDING".equals(algorithmPadding)) ||
+ ("CFB".equals(algorithmMode) &&
"NOPADDING".equals(algorithmPadding)) ||
+ ("GCM".equals(algorithmMode) &&
"PKCS5PADDING".equals(algorithmPadding)) ||
+ ("OFB".equals(algorithmMode) &&
"NOPADDING".equals(algorithmPadding))) {
+ // Insecure, unsuitable or unsupported
+ throw new
IllegalArgumentException(sm.getString("encryptInterceptor.algorithm.unsupported",
algorithm));
+
+ } else if (("CBC".equals(algorithmMode) &&
"PKCS5PADDING".equals(algorithmPadding)) ||
+ ("CFB".equals(algorithmMode) &&
"PKCS5PADDING".equals(algorithmPadding)) ||
+ ("OFB".equals(algorithmMode) &&
"PKCS5PADDING".equals(algorithmPadding))) {
+ // Supported but not recommended as more secure modes are available
+ log.warn(sm.getString("encryptInterceptor.algorithm.switch",
algorithm));
+
+ } else if (algorithmMode.startsWith("CFB") ||
algorithmMode.startsWith("OFB")) {
+ // Using a non-default block size. Not supported as insecure
and/or inefficient.
+ throw new IllegalArgumentException(
+ sm.getString("encryptInterceptor.algorithm.unsupported",
algorithm));
+
+ } else if ("GCM".equalsIgnoreCase(algorithmMode) &&
"NOPADDING".equals(algorithmPadding)) {
+ // Needs a specialised encryption manager to handle the
differences between GCM and other modes
return new GCMEncryptionManager(algorithm, new
SecretKeySpec(encryptionKey, algorithmName), providerName);
- } else if ("CBC".equalsIgnoreCase(algorithmMode) ||
"OFB".equalsIgnoreCase(algorithmMode) ||
- "CFB".equalsIgnoreCase(algorithmMode)) {
+ }
+
+ // Use the default encryption manager
+ try {
return new BaseEncryptionManager(algorithm, new
SecretKeySpec(encryptionKey, algorithmName), providerName);
- } else {
- throw new IllegalArgumentException(
-
sm.getString("encryptInterceptor.algorithm.unsupported-mode", algorithmMode));
+ } catch (NoSuchAlgorithmException | NoSuchPaddingException |
NoSuchProviderException ex) {
+ throw new
IllegalArgumentException(sm.getString("encryptInterceptor.algorithm.unsupported",
algorithmMode),
+ ex);
}
}
diff --git
a/java/org/apache/catalina/tribes/group/interceptors/LocalStrings.properties
b/java/org/apache/catalina/tribes/group/interceptors/LocalStrings.properties
index 23568e4fcf..6030d789f5 100644
--- a/java/org/apache/catalina/tribes/group/interceptors/LocalStrings.properties
+++ b/java/org/apache/catalina/tribes/group/interceptors/LocalStrings.properties
@@ -19,8 +19,9 @@
domainFilterInterceptor.member.refused=Member [{0}] was refused to join cluster
domainFilterInterceptor.message.refused=Received message from cluster[{0}] was
refused.
-encryptInterceptor.algorithm.required=Encryption algorithm is required,
fully-specified e.g. AES/CBC/PKCS5Padding
-encryptInterceptor.algorithm.unsupported-mode=EncryptInterceptor does not
support block cipher mode [{0}]
+encryptInterceptor.algorithm.required=Encryption algorithm is required,
fully-specified e.g. AES/GCM/NoPadding
+encryptInterceptor.algorithm.switch=The EncryptInterceptor is using the
algorithm [{0}]. It is recommended to switch to using AES/GCM/NoPadding.
+encryptInterceptor.algorithm.unsupported=EncryptInterceptor does not support
algorithm [{0}]
encryptInterceptor.decrypt.error.short-message=Failed to decrypt message:
premature end-of-message
encryptInterceptor.decrypt.failed=Failed to decrypt message
encryptInterceptor.encrypt.failed=Failed to encrypt message
diff --git
a/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_fr.properties
b/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_fr.properties
index 4765a53b30..d95e1f5a70 100644
---
a/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_fr.properties
+++
b/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_fr.properties
@@ -20,7 +20,6 @@ domainFilterInterceptor.member.refused=Le membre [{0}] a été
refusé dans le c
domainFilterInterceptor.message.refused=Le message reçu du cluster [{0}] a été
refusé
encryptInterceptor.algorithm.required=Un algorithme de cryptage est requis,
avec une spécification complète telle que AES/CBC/PKCS5Padding
-encryptInterceptor.algorithm.unsupported-mode=L''EncryptInterceptor ne
supporte pas le mode de chiffrage de bloc [{0}]
encryptInterceptor.decrypt.error.short-message=Echec du décryptage du message
: fin de message prématuré
encryptInterceptor.decrypt.failed=Echec de décryptage du message
encryptInterceptor.encrypt.failed=Erreur de cryptage du message
diff --git
a/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_ja.properties
b/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_ja.properties
index 90c4248351..818b9a871b 100644
---
a/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_ja.properties
+++
b/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_ja.properties
@@ -20,7 +20,6 @@ domainFilterInterceptor.member.refused=メンバーはクラスター [{0}] へ
domainFilterInterceptor.message.refused=クラスター [{0}] から受信したメッセージは拒否されました。
encryptInterceptor.algorithm.required=暗号化アルゴリズムが必要です。完全指定。 AES/CBC/PKCS5Padding
-encryptInterceptor.algorithm.unsupported-mode=EncryptInterceptorはブロック暗号モード
[{0}]をサポートしていません。
encryptInterceptor.decrypt.error.short-message=メッセージの復号に失敗: メッセージの末尾が途切れています
encryptInterceptor.decrypt.failed=メッセージの復号に失敗しました。
encryptInterceptor.encrypt.failed=メッセージを暗号化できません。
diff --git
a/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_ko.properties
b/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_ko.properties
index d6d91c8f53..fba6444989 100644
---
a/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_ko.properties
+++
b/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_ko.properties
@@ -20,7 +20,6 @@ domainFilterInterceptor.member.refused=멤버 [{0}]이(가) 클러스터에 참
domainFilterInterceptor.message.refused=클러스터 [{0}](으)로부터 받은 메시지가 거부되었습니다.
encryptInterceptor.algorithm.required=암호화 알고리즘을 완전하게 지정해야 합니다. 예)
AES/CBC/PKCS5Padding.
-encryptInterceptor.algorithm.unsupported-mode=EncryptInterceptor가 블록 cipher 모드
[{0}]을(를) 지원하지 않습니다.
encryptInterceptor.decrypt.error.short-message=메시지를 해독하지 못했습니다: 메시지가 너무 일찍
끝났습니다 (premature end-of-message).
encryptInterceptor.decrypt.failed=메시지를 해독하지 못했습니다.
encryptInterceptor.encrypt.failed=메시지를 암호화하지 못했습니다.
diff --git
a/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_zh_CN.properties
b/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_zh_CN.properties
index 3ec23611f2..1a44c0c1ce 100644
---
a/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_zh_CN.properties
+++
b/java/org/apache/catalina/tribes/group/interceptors/LocalStrings_zh_CN.properties
@@ -20,7 +20,6 @@ domainFilterInterceptor.member.refused=成员被拒绝加入集群 cluster[{0}]
domainFilterInterceptor.message.refused=从集群[{0}]中接收的消息被拒绝
encryptInterceptor.algorithm.required=加密算法是必需的,充分说明,例如AES / CBC / PKCS5Padding
-encryptInterceptor.algorithm.unsupported-mode=EncryptInterceptor不支持分组密码模式[{0}]
encryptInterceptor.decrypt.error.short-message=解密消息失败: 结尾消息提前结束
encryptInterceptor.decrypt.failed=无法解密信息
encryptInterceptor.encrypt.failed=无法加密信息
diff --git
a/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java
b/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java
index 5815d274ff..e99d85f401 100644
---
a/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java
+++
b/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java
@@ -160,64 +160,6 @@ public class TestEncryptInterceptor extends
EncryptionInterceptorBaseTest {
roundTrip(testInput, src, dest));
}
- @Test
- public void testOFB() throws Exception {
- src.setEncryptionAlgorithm("AES/OFB/PKCS5Padding");
- src.start(Channel.SND_TX_SEQ);
- dest.setEncryptionAlgorithm("AES/OFB/PKCS5Padding");
- dest.start(Channel.SND_TX_SEQ);
-
- String testInput = "The quick brown fox jumps over the lazy dog.";
-
- Assert.assertEquals("Failed in OFB mode",
- testInput,
- roundTrip(testInput, src, dest));
- }
-
- @Test
- public void testCFB() throws Exception {
- src.setEncryptionAlgorithm("AES/CFB/PKCS5Padding");
- src.start(Channel.SND_TX_SEQ);
- dest.setEncryptionAlgorithm("AES/CFB/PKCS5Padding");
- dest.start(Channel.SND_TX_SEQ);
-
- String testInput = "The quick brown fox jumps over the lazy dog.";
-
- Assert.assertEquals("Failed in CFB mode",
- testInput,
- roundTrip(testInput, src, dest));
- }
-
- @Test
- public void testGCM() throws Exception {
- src.setEncryptionAlgorithm("AES/GCM/NoPadding");
- src.start(Channel.SND_TX_SEQ);
- dest.setEncryptionAlgorithm("AES/GCM/NoPadding");
- dest.start(Channel.SND_TX_SEQ);
-
- String testInput = "The quick brown fox jumps over the lazy dog.";
-
- Assert.assertEquals("Failed in GCM mode",
- testInput,
- roundTrip(testInput, src, dest));
- }
-
- /*
- * ECB mode isn't supported because it's insecure.
- */
- @Test
- public void testECB() throws Exception {
- try {
- src.setEncryptionAlgorithm("AES/ECB/PKCS5Padding");
- src.start(Channel.SND_TX_SEQ);
-
- // start() should trigger IllegalArgumentException
- Assert.fail("ECB mode is not being refused");
- } catch (IllegalArgumentException iae) {
- // Expected
- }
- }
-
@Test
public void testViaFile() throws Exception {
src.start(Channel.SND_TX_SEQ);
diff --git
a/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptorAlgorithms.java
b/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptorAlgorithms.java
new file mode 100644
index 0000000000..a8cd51da84
--- /dev/null
+++
b/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptorAlgorithms.java
@@ -0,0 +1,162 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.tribes.group.interceptors;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+import org.junit.runners.Parameterized.Parameters;
+
+import org.apache.catalina.tribes.Channel;
+
+@RunWith(Parameterized.class)
+public class TestEncryptInterceptorAlgorithms extends
EncryptionInterceptorBaseTest {
+
+ @Parameters(name = "{index} {0}/{1}/{2}")
+ public static Collection<Object[]> inputs() {
+
+ List<Object[]> result = new ArrayList<>();
+ // Covers all cipher algorithm modes currently listed in Java Standard
Names
+
+ // Not supported - Insecure
+ result.add(new Object[] { "AES", "NONE", "NoPadding", Boolean.FALSE});
+ // Not supported - Insecure - Padding makes no sense if there is no
encryption
+ result.add(new Object[] { "AES", "NONE", "PKCS5Padding",
Boolean.FALSE});
+
+ // Not supported - NoPadding requires fixed block size and cluster
messages are variable length
+ result.add(new Object[] { "AES", "CBC", "NoPadding", Boolean.FALSE});
+ // Supported but not recommended - possible security issues in some
configurations - backwards compatibility
+ result.add(new Object[] { "AES", "CBC", "PKCS5Padding", Boolean.TRUE});
+
+ // Not supported - JCA provider doesn't included it
+ result.add(new Object[] { "AES", "CCM", "NoPadding", Boolean.FALSE});
+ // Not supported - JCA provider doesn't included it - CCM doesn't need
(support?) padding
+ result.add(new Object[] { "AES", "CCM", "PKCS5Padding",
Boolean.FALSE});
+
+ // Not supported - NoPadding requires fixed block size and cluster
messages are variable length
+ result.add(new Object[] { "AES", "CFB", "NoPadding", Boolean.FALSE});
+ // Supported but not recommended - possible security issues in some
configurations - backwards compatibility
+ result.add(new Object[] { "AES", "CFB", "PKCS5Padding", Boolean.TRUE});
+
+ // Not supported - Insecure and/or slow
+ result.add(new Object[] { "AES", "CFB8", "NoPadding", Boolean.FALSE});
+ result.add(new Object[] { "AES", "CFB8", "PKCS5Padding",
Boolean.FALSE});
+ result.add(new Object[] { "AES", "CFB16", "NoPadding", Boolean.FALSE});
+ result.add(new Object[] { "AES", "CFB16", "PKCS5Padding",
Boolean.FALSE});
+ // large block sizes not tested but will be rejected as well
+
+ // Not supported - Insecure
+ result.add(new Object[] { "AES", "CTR", "NoPadding", Boolean.FALSE});
+ // Not supported - Configuration not recommended
+ result.add(new Object[] { "AES", "CTR", "PKCS5Padding",
Boolean.FALSE});
+
+ // Not supported - has minimum length
+ result.add(new Object[] { "AES", "CTS", "NoPadding", Boolean.FALSE});
+ result.add(new Object[] { "AES", "CTS", "PKCS5Padding",
Boolean.FALSE});
+
+ // Not supported - Insecure
+ result.add(new Object[] { "AES", "ECB", "NoPadding", Boolean.FALSE});
+ result.add(new Object[] { "AES", "ECB", "PKCS5Padding",
Boolean.FALSE});
+
+ // Default for Tomcat 12 onwards
+ result.add(new Object[] { "AES", "GCM", "NoPadding", Boolean.TRUE});
+ // Not supported - GCM doesn't need (support?) padding
+ result.add(new Object[] { "AES", "GCM", "PKCS5Padding",
Boolean.FALSE});
+
+ // Not supported - KW not appropriate for encrypting cluster messages
+ result.add(new Object[] { "AES", "KW", "NoPadding", Boolean.FALSE});
+ result.add(new Object[] { "AES", "KW", "PKCS5Padding", Boolean.FALSE});
+
+ // Not supported - KWP not appropriate for encrypting cluster messages
+ result.add(new Object[] { "AES", "KWP", "NoPadding", Boolean.FALSE});
+ result.add(new Object[] { "AES", "KWP", "PKCS5Padding",
Boolean.FALSE});
+
+ // Not supported - NoPadding requires fixed block size and cluster
messages are variable length
+ result.add(new Object[] { "AES", "OFB", "NoPadding", Boolean.FALSE});
+
+ // Supported but not recommended - possible security issues in some
configurations - backwards compatibility
+ result.add(new Object[] { "AES", "OFB", "PKCS5Padding", Boolean.TRUE});
+
+ // Not supported - Insecure and/or slow
+ result.add(new Object[] { "AES", "OFB8", "NoPadding", Boolean.FALSE});
+ result.add(new Object[] { "AES", "OFB8", "PKCS5Padding",
Boolean.FALSE});
+ result.add(new Object[] { "AES", "OFB16", "NoPadding", Boolean.FALSE});
+ result.add(new Object[] { "AES", "OFB16", "PKCS5Padding",
Boolean.FALSE});
+ // large block sizes not tested but will be rejected as well
+
+ // Not supported - Insecure
+ result.add(new Object[] { "AES", "PCBC", "NoPadding", Boolean.FALSE});
+ result.add(new Object[] { "AES", "PCBC", "PKCS5Padding",
Boolean.FALSE});
+
+ return result;
+ }
+
+ @Parameter(0)
+ public String algorithm;
+
+ @Parameter(1)
+ public String mode;
+
+ @Parameter(2)
+ public String padding;
+
+ @Parameter(3)
+ public boolean shouldSucceed;
+
+ @Test
+ public void testAlgorithm() throws Exception {
+ if (shouldSucceed) {
+ doTestShouldSucceed();
+ } else {
+ doTestShouldNotSucceed();
+ }
+ }
+
+ private void doTestShouldSucceed() throws Exception {
+ String transformation = String.format("%s/%s/%s", algorithm, mode,
padding);
+
+ src.setEncryptionAlgorithm(transformation);
+ src.start(Channel.SND_TX_SEQ);
+ dest.setEncryptionAlgorithm(transformation);
+ dest.start(Channel.SND_TX_SEQ);
+
+ String testInput = "The quick brown fox jumps over the lazy dog.";
+
+ Assert.assertEquals("Failed in " + transformation + " mode",
+ testInput,
+ roundTrip(testInput, src, dest));
+ }
+
+ private void doTestShouldNotSucceed() throws Exception {
+ try {
+ String transformation = String.format("%s/%s/%s", algorithm, mode,
padding);
+ src.setEncryptionAlgorithm(transformation);
+ src.start(Channel.SND_TX_SEQ);
+
+ // start() should trigger IllegalArgumentException
+ Assert.fail(transformation + " mode is not being refused");
+ } catch (IllegalArgumentException iae) {
+ // Expected
+ }
+ }
+}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index a17109b7f6..45de0a9f0a 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -246,6 +246,10 @@
<bug>69970</bug>: Support raw IPv6 in Kubernetes membership provider
for the service host. (remm)
</fix>
+ <add>
+ Add support for new algorithms provided by JPA providers to the
+ <code>EncyptInterceptor</code>. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="WebSocket">
diff --git a/webapps/docs/config/cluster-interceptor.xml
b/webapps/docs/config/cluster-interceptor.xml
index 34ef33f0c9..090df4ffdd 100644
--- a/webapps/docs/config/cluster-interceptor.xml
+++ b/webapps/docs/config/cluster-interceptor.xml
@@ -214,18 +214,23 @@
</p>
<attributes>
<attribute name="encryptionAlgorithm" required="false">
- The encryption algorithm to be used, including the mode and padding.
Please see
+ <p>The encryption algorithm to be used, including the mode and padding.
+ Please see
<a
href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html";>https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html</a>
- for the standard JCA names that can be used.
+ for the standard JCA names that can be used. Algorithms from other JCA
+ providers are also supported.</p>
- EncryptInterceptor currently supports the following
+ <p>The EncryptInterceptor currently supports the following standard
<a
href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation";>block-cipher
modes</a>:
- CBC, OFB, CFB, and GCM.
+ CBC, CFB, OFB and GCM. Of these, it is recommended that GCM is always
+ used.</p>
- The length of the key will specify the flavor of the encryption
algorithm
- to be used, if applicable (e.g. AES-128 versus AES-256).
+ <p>The length of the key will specify the flavor of the encryption
+ algorithm to be used, if applicable (e.g. AES-128 versus AES-256).</p>
- The default algorithm is <code>AES/CBC/PKCS5Padding</code>.
+ <p>The default algorithm is <code>AES/CBC/PKCS5Padding</code> for
+ backwards compatability but it is recommended that
+ <code>AES/GCM/NoPadding</code> is used.</p>
</attribute>
<attribute name="encryptionKey" required="true">
The key to be used with the encryption algorithm.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
