[jira] [Updated] (SHIRO-736) DefaultCipherInstance is an alias which is not available in every JVM or JCA Provider

2020-01-21 Thread Francois Papon (Jira)


 [ 
https://issues.apache.org/jira/browse/SHIRO-736?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Francois Papon updated SHIRO-736:
-
Fix Version/s: (was: 1.5.0)
   1.5.1

> DefaultCipherInstance is an alias which is not available in every JVM or JCA 
> Provider
> -
>
> Key: SHIRO-736
> URL: https://issues.apache.org/jira/browse/SHIRO-736
> Project: Shiro
>  Issue Type: Bug
>  Components: Cryptography & Hashing
>Affects Versions: 1.4.2, 1.5.0
>Reporter: Benjamin Marwell
>Priority: Major
>  Labels: default, exceptions, regression, security
> Fix For: 1.5.1
>
>   Original Estimate: 1h
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> Dear all,
> h2. Problem Description
> the default cipher instance for the RememberMe Manager is set in the 
> AbstractRememberMeManager's constructor:
> {{AesCipherService cipherService = new AesCipherService();}}
> Now, AesCipherService sets the Algorithm to AES and OperationMode to GCM in 
> its constructor, but it inherits its parent's PaddingMode. Since the parent 
> is "DefaultBlockCipherService" which is a block cipher service (as the name 
> suggests), a padding is set and defaults to PKCS5.
> This results in the method call {{javax.crypto.Cipher.getInstance( 
> "AES/GCM/PKCS5Padding" )}}.  Most JVMs can handle this well and will use 
> {{javax.crypto.Cipher.getInstance( "AES/GCM/NoPadding" )}} internally, but 
> some do not, because Padding with a streaming cipher does not seem specified.
>  
> Therefore, the default shiro setup will not work on such JVMs, which is a 
> regression:
> {{java.security.NoSuchAlgorithmException: Cannot find any provider supporting 
> AES/GCM/PKCS5Padding}}
>  
> h2. Workarounds
> Use this configuration in {{shiro.ini}}.
> Note that you would not gain from security updates this way which is a big 
> drawback!
> {code:java}
> cipherService = org.apache.shiro.crypto.AesCipherService
> cipherService.paddingSchemeName = NoPadding
> securityManager.rememberMeManager.cipherService = $cipherService {code}
>  
> h2. Proposed Solution
> In {{AesCipherService}}, add this line to the constructor:
> {{setPaddingMode(PaddingMode.NONE.getTransformationName());}}
>  
> h2. Affected Versions
> I also added 1.5.0 as affected, because I guess it might not make it. Remove 
> this version from the affected versions list if applicable.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
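The description above hinges on one JCA detail: `Cipher.getInstance("AES/GCM/PKCS5Padding")` is accepted by some providers (which silently treat it as `AES/GCM/NoPadding`) and rejected by others with `NoSuchAlgorithmException`. The following is an added example, not code from the Shiro project or from the issue reporter, that lets an operator verify this on a given JVM before upgrading or deploying: it asks every installed provider whether it accepts each transformation, then round-trips a constructed sample payload through `AES/GCM/NoPadding` (the transformation the proposed fix would request) and confirms that tampering with the ciphertext is caught by the GCM tag. The class name, method names and the sample payload are assumptions made for this example.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Shiro project code): probe which transformations the installed
 * JCA providers accept, and exercise the one the proposed fix would request.
 */
public class GcmTransformationCheck {

    // Transformation produced by the AesCipherService default in Shiro 1.4.2 / 1.5.0.
    static final String SHIRO_DEFAULT = "AES/GCM/PKCS5Padding";
    // Transformation produced once the padding scheme is set to NoPadding.
    static final String PROPOSED = "AES/GCM/NoPadding";

    /** Map of provider name -> whether Cipher.getInstance accepts the transformation there. */
    static Map<String, Boolean> probeProviders(String transformation) {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (Provider p : Security.getProviders()) {
            try {
                Cipher.getInstance(transformation, p);
                result.put(p.getName(), Boolean.TRUE);
            } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
                result.put(p.getName(), Boolean.FALSE);
            }
        }
        return result;
    }

    /**
     * Encrypt and decrypt a payload with AES-GCM (96-bit nonce, 128-bit tag), then flip one
     * ciphertext byte and confirm decryption fails. Returns true only if both checks pass.
     */
    static boolean roundTripAndTamperCheck(String transformation, byte[] plaintext) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        GCMParameterSpec spec = new GCMParameterSpec(128, iv);

        Cipher enc = Cipher.getInstance(transformation);
        enc.init(Cipher.ENCRYPT_MODE, key, spec);
        byte[] ciphertext = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance(transformation);
        dec.init(Cipher.DECRYPT_MODE, key, spec);
        boolean recovered = Arrays.equals(plaintext, dec.doFinal(ciphertext));

        // Corrupt the first ciphertext byte; the GCM tag must reject it.
        byte[] tampered = ciphertext.clone();
        tampered[0] ^= 0x01;
        boolean tamperDetected;
        try {
            Cipher dec2 = Cipher.getInstance(transformation);
            dec2.init(Cipher.DECRYPT_MODE, key, spec);
            dec2.doFinal(tampered);
            tamperDetected = false;
        } catch (AEADBadTagException e) {
            tamperDetected = true;
        }
        return recovered && tamperDetected;
    }

    public static void main(String[] args) throws Exception {
        for (String t : new String[] {SHIRO_DEFAULT, PROPOSED}) {
            System.out.println(t + ":");
            probeProviders(t).forEach((name, ok) -> System.out.println("  " + name + " -> " + ok));
        }
        // Constructed sample payload; not a real rememberMe cookie.
        byte[] msg = "constructed sample rememberMe payload".getBytes(StandardCharsets.UTF_8);
        System.out.println(PROPOSED + " round trip + tamper check: "
                + roundTripAndTamperCheck(PROPOSED, msg));
    }
}
```

A JVM on which every provider reports `false` for `AES/GCM/PKCS5Padding` is one where the default RememberMe configuration in the affected versions will fail at startup with the `NoSuchAlgorithmException` quoted above; the `shiro.ini` workaround or the proposed constructor change makes Shiro request `AES/GCM/NoPadding` instead, which is what the round-trip check exercises.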


[jira] [Updated] (SHIRO-736) DefaultCipherInstance is an alias which is not available in every JVM or JCA Provider

2020-01-16 Thread Benjamin Marwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SHIRO-736?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benjamin Marwell updated SHIRO-736:
---
Labels: default exceptions regression security  (was: default exceptions 
security)

> DefaultCipherInstance is an alias which is not available in every JVM or JCA 
> Provider
> -
>
> Key: SHIRO-736
> URL: https://issues.apache.org/jira/browse/SHIRO-736
> Project: Shiro
>  Issue Type: Bug
>  Components: Cryptography & Hashing
>Affects Versions: 1.4.2, 1.5.0
>Reporter: Benjamin Marwell
>Priority: Major
>  Labels: default, exceptions, regression, security
> Fix For: 1.5.0
>
>   Original Estimate: 1h
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> Dear all,
> h2. Problem Description
> the default cipher instance for the RememberMe Manager is set in the 
> AbstractRememberMeManager's constructor:
> {{AesCipherService cipherService = new AesCipherService();}}
> Now, AesCipherService sets the Algorithm to AES and OperationMode to GCM in 
> its constructor, but it inherits its parent's PaddingMode. Since the parent 
> is "DefaultBlockCipherService" which is a block cipher service (as the name 
> suggests), a padding is set and defaults to PKCS5.
> This results in the method call {{javax.crypto.Cipher.getInstance( 
> "AES/GCM/PKCS5Padding" )}}.  Most JVMs can handle this well and will use 
> {{javax.crypto.Cipher.getInstance( "AES/GCM/NoPadding" )}} internally, but 
> some do not, because Padding with a streaming cipher does not seem specified.
>  
> Therefore, the default shiro setup will not work on such JVMs, which is a 
> regression:
> {{java.security.NoSuchAlgorithmException: Cannot find any provider supporting 
> AES/GCM/PKCS5Padding}}
>  
> h2. Workarounds
> Use this configuration in {{shiro.ini}}.
> Note that you would not gain from security updates this way which is a big 
> drawback!
> {code:java}
> cipherService = org.apache.shiro.crypto.AesCipherService
> cipherService.paddingSchemeName = NoPadding
> securityManager.rememberMeManager.cipherService = $cipherService {code}
>  
> h2. Proposed Solution
> In {{AesCipherService}}, add this line to the constructor:
> {{setPaddingMode(PaddingMode.NONE.getTransformationName());}}
>  
> h2. Affected Versions
> I also added 1.5.0 as affected, because I guess it might not make it. Remove 
> this version from the affected versions list if applicable.





[jira] [Updated] (SHIRO-736) DefaultCipherInstance is an alias which is not available in every JVM or JCA Provider

2020-01-15 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/SHIRO-736?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated SHIRO-736:
--
Fix Version/s: 1.5.0

> DefaultCipherInstance is an alias which is not available in every JVM or JCA 
> Provider
> -
>
> Key: SHIRO-736
> URL: https://issues.apache.org/jira/browse/SHIRO-736
> Project: Shiro
>  Issue Type: Bug
>  Components: Cryptography & Hashing
>Affects Versions: 1.4.2, 1.5.0
>Reporter: Benjamin Marwell
>Priority: Major
>  Labels: default, exceptions, security
> Fix For: 1.5.0
>
>   Original Estimate: 1h
>  Time Spent: 10m
>  Remaining Estimate: 50m
>
> Dear all,
> h2. Problem Description
> the default cipher instance for the RememberMe Manager is set in the 
> AbstractRememberMeManager's constructor:
> {{AesCipherService cipherService = new AesCipherService();}}
> Now, AesCipherService sets the Algorithm to AES and OperationMode to GCM in 
> its constructor, but it inherits its parent's PaddingMode. Since the parent 
> is "DefaultBlockCipherService" which is a block cipher service (as the name 
> suggests), a padding is set and defaults to PKCS5.
> This results in the method call {{javax.crypto.Cipher.getInstance( 
> "AES/GCM/PKCS5Padding" )}}.  Most JVMs can handle this well and will use 
> {{javax.crypto.Cipher.getInstance( "AES/GCM/NoPadding" )}} internally, but 
> some do not, because Padding with a streaming cipher does not seem specified.
>  
> Therefore, the default shiro setup will not work on such JVMs, which is a 
> regression:
> {{java.security.NoSuchAlgorithmException: Cannot find any provider supporting 
> AES/GCM/PKCS5Padding}}
>  
> h2. Workarounds
> Use this configuration in {{shiro.ini}}.
> Note that you would not gain from security updates this way which is a big 
> drawback!
> {code:java}
> cipherService = org.apache.shiro.crypto.AesCipherService
> cipherService.paddingSchemeName = NoPadding
> securityManager.rememberMeManager.cipherService = $cipherService {code}
>  
> h2. Proposed Solution
> In {{AesCipherService}}, add this line to the constructor:
> {{setPaddingMode(PaddingMode.NONE.getTransformationName());}}
>  
> h2. Affected Versions
> I also added 1.5.0 as affected, because I guess it might not make it. Remove 
> this version from the affected versions list if applicable.


