Andy,

We just upgraded our test instance to 5.3.6 today and based on your findings ran a quick JMeter test. We also hit at least one of the exceptions already (and seemingly randomly):

javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

We plan to run more thorough tests on Monday but it does appear this is applicable more broadly.

Jonathon

On Thu, Nov 29, 2018 at 1:57 AM Andy Ng <[email protected]> wrote:
>
> Hi all,
>
> My server:
> - Version: CAS 5.3.x
> - Ticketing: Hazelcast
>
> Problem:
> These few days I have been stress testing my CAS 5.3.x for production launch,
> and I see that when it undergoes medium stress (1 req / second using JMeter), the
> following errors occur randomly (about 1 time in 100):
>
> Exceptions that I see are:
>
> java.lang.IllegalStateException: Cipher not initialized
> javax.crypto.BadPaddingException: Given final block not properly padded. Such
> issues can arise if a bad key is used during decryption.
> javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16
> when decrypting with padded cipher
>
> Research and possible solution:
> I found that, for my server, it seems to be a problem in
> BaseBinaryCipherExecutor.java:
> this.aesCipher = Cipher.getInstance("AES"); is executed in the class
> constructor instead of before this.aesCipher.init(Cipher.ENCRYPT_MODE,
> this.encryptionKey);.
>
> And after changing the code to the following:
>
>     @Override
>     @SneakyThrows
>     public byte[] encode(final byte[] value, final Object[] parameters) {
>         Cipher cipher = Cipher.getInstance("AES");
>         cipher.init(Cipher.ENCRYPT_MODE, this.encryptionKey);
>         final byte[] result = cipher.doFinal(value);
>         return sign(result);
>     }
>
>     @Override
>     @SneakyThrows
>     public byte[] decode(final byte[] value, final Object[] parameters) {
>         final byte[] verifiedValue = verifySignature(value);
>         Cipher cipher = Cipher.getInstance("AES");
>         cipher.init(Cipher.DECRYPT_MODE, this.encryptionKey);
>         final byte[] bytePlainText = cipher.doFinal(verifiedValue);
>         return bytePlainText;
>     }
>
> my stress test yields much more consistent results, and no more Cipher errors
> occur.
>
> Question:
> Before I submit a PR, I want to know if this is a problem only applicable to
> me, or is applicable to other CAS 5.3.x servers. So I would like to ask:
>
> Has anybody else using 5.3.x found the above exceptions in their production
> CAS logs?
> If yes, are you using Hazelcast? (I want to know if this problem extends
> beyond Hazelcast.)
>
> Thanks and cheers!
> - Andy
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/478e3787-f2f4-4f1d-84d1-cdff759b45d1%40apereo.org.

--
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABzqDo9OQC%2BxaYnY17x0sqhNUTF7V-bxAUv%3Dk4mzP_0m5WBaCg%40mail.gmail.com.
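The root cause the thread points at is that javax.crypto.Cipher carries per-operation state (mode, key, buffered input) and is not thread-safe, so one instance created in a constructor and shared by every request thread lets a concurrent init() or doFinal() corrupt another thread's operation; the three exceptions Andy lists are exactly what that produces. The following stand-alone Java program is an added example, not code from the thread or from CAS: it puts a shared-instance codec and a fresh-instance-per-call codec side by side and drives both from several threads, counting round trips that throw or return the wrong plaintext. The class names, the `Codec` interface and the throwaway key are assumptions for the demo, and the signing step that wraps the real CAS method (sign/verifySignature) is left out since it is not part of the race. One caveat worth knowing when reading the patch: `Cipher.getInstance("AES")` on the standard JDK providers resolves to `AES/ECB/PKCS5Padding`, so the transformation string, not only the instance lifetime, deserves a look when this code is revisited.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicInteger;

public class CipherSharingDemo {

    /** Minimal stand-in for the CAS cipher executor (hypothetical interface, not CAS code). */
    interface Codec {
        byte[] encode(byte[] value) throws Exception;
        byte[] decode(byte[] value) throws Exception;
    }

    /** One Cipher object created once in the constructor and reused by every thread: the pattern Andy describes. */
    static final class SharedCipherCodec implements Codec {
        private final SecretKey key;
        private final Cipher aesCipher; // stateful, not thread-safe, yet shared across request threads

        SharedCipherCodec(SecretKey key) throws Exception {
            this.key = key;
            this.aesCipher = Cipher.getInstance("AES"); // AES/ECB/PKCS5Padding on the standard JDK providers
        }

        public byte[] encode(byte[] value) throws Exception {
            aesCipher.init(Cipher.ENCRYPT_MODE, key); // another thread may re-init or call doFinal between these two lines
            return aesCipher.doFinal(value);
        }

        public byte[] decode(byte[] value) throws Exception {
            aesCipher.init(Cipher.DECRYPT_MODE, key);
            return aesCipher.doFinal(value);
        }
    }

    /** A fresh Cipher per call, as in Andy's proposed patch; no mutable state is shared between threads. */
    static final class PerCallCipherCodec implements Codec {
        private final SecretKey key;

        PerCallCipherCodec(SecretKey key) { this.key = key; }

        public byte[] encode(byte[] value) throws Exception {
            Cipher cipher = Cipher.getInstance("AES");
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return cipher.doFinal(value);
        }

        public byte[] decode(byte[] value) throws Exception {
            Cipher cipher = Cipher.getInstance("AES");
            cipher.init(Cipher.DECRYPT_MODE, key);
            return cipher.doFinal(value);
        }
    }

    /** Runs encode/decode round trips on several threads; returns how many failed (exception or wrong plaintext). */
    static int stress(Codec codec, int threads, int iterations) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        AtomicInteger failures = new AtomicInteger();
        List<Future<?>> tasks = new ArrayList<>();
        for (int t = 0; t < threads; t++) {
            final int id = t;
            tasks.add(pool.submit(() -> {
                for (int i = 0; i < iterations; i++) {
                    // constructed sample payload, standing in for a serialized ticket
                    byte[] plain = ("ticket-" + id + "-" + i).getBytes(StandardCharsets.UTF_8);
                    try {
                        byte[] roundTrip = codec.decode(codec.encode(plain));
                        if (!Arrays.equals(plain, roundTrip)) failures.incrementAndGet();
                    } catch (Exception e) { // IllegalStateException, BadPaddingException, IllegalBlockSizeException ...
                        failures.incrementAndGet();
                    }
                }
            }));
        }
        for (Future<?> f : tasks) f.get();
        pool.shutdown();
        return failures.get();
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey(); // throwaway key for this demo only

        int shared = stress(new SharedCipherCodec(key), 8, 2000);
        int perCall = stress(new PerCallCipherCodec(key), 8, 2000);
        System.out.println("shared Cipher failures : " + shared + " (usually > 0 under contention)");
        System.out.println("per-call Cipher failures: " + perCall + " (expected 0)");
    }
}
```

Because the failure is a data race, the shared-instance count varies from run to run and can occasionally be zero on a lightly loaded machine; raising the thread count or iterations makes it show up reliably, which mirrors why Andy only saw it under JMeter load. The per-call variant should report zero every time. Cipher.getInstance() is relatively cheap, but if a profile shows it matters, a ThreadLocal<Cipher> or a small pool gives the same isolation without per-request allocation.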
