Hello,

When I don't encrypt the scratch codes, by leaving cas.authn.mfa.gauth.core.scratch-codes.encryption.key unset, backup recovery keys work fine. When I encrypt them, then they seem to store fine, but an exception is thrown when I try to use them.

2023-04-06 15:43:51,053 WARN [org.apereo.cas.util.function.FunctionUtils] - <EncryptionOperationNotPossibleException>
org.jasypt.exceptions.EncryptionOperationNotPossibleException: null
    at org.jasypt.encryption.pbe.StandardPBEBigIntegerEncryptor.decrypt(StandardPBEBigIntegerEncryptor.java:586) ~[jasypt-1.9.3.jar!/:?]
    at org.jasypt.util.numeric.AES256IntegerNumberEncryptor.decrypt(AES256IntegerNumberEncryptor.java:116) ~[jasypt-1.9.3.jar!/:?]
    at org.apereo.cas.util.cipher.JasyptNumberCipherExecutor.decode(JasyptNumberCipherExecutor.java:45) ~[cas-server-core-util-api-6.6.1.jar!/:6.6.1]
    at org.apereo.cas.util.cipher.JasyptNumberCipherExecutor.decode(JasyptNumberCipherExecutor.java:19) ~[cas-server-core-util-api-6.6.1.jar!/:6.6.1]
    at org.apereo.cas.util.crypto.DecodableCipher.decode(DecodableCipher.java:37) ~[cas-server-core-api-util-6.6.1.jar!/:6.6.1]
    at org.apereo.cas.otp.repository.credentials.BaseOneTimeTokenCredentialRepository.lambda$decode$0(BaseOneTimeTokenCredentialRepository.java:69)

It seems to throw one of these for each scratch code, suggesting it cannot decrypt them. Stepping through the code, the problem seems to first show up in NumberUtils.processBitIntegerEncrypted():

    71 System.arraycopy(byteArray, (initialSize - 4), encryptedMessageExpectedSizeBytes, 0, 4);

encryptedMessageExpectedSizeBytes just ends up being [0,0,0,0].

I'm using

    cas.authn.mfa.gauth.core.scratch-codes.encryption.key=DTcyfU3VagtfbyxvmFOTM6N0tfeLUTuWlQy_R83GZIo

My original source was using

    cas.authn.mfa.gauth.core.scratch-codes.encryption.key-size=256

but I saw another example with

    cas.authn.mfa.gauth.core.scratch-codes.encryption.key-size=16

But both seem to behave the same.

I'm storing the codes in an Oracle database.
And they look like:

    -45042011719129430758667059667890329945100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    -79896184794635338776074275007870804906200000000000000000000000000000000000000000000000000000000000000000000000000000000000000

It seems like they have too much zero padding at the end? Anyone have any ideas?

Thanks,
Bill Baran
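
The two observations in the message above (a [0,0,0,0] size field and stored values ending in long runs of zeros) are linked arithmetically, shown here as an added Python example that is not CAS or Jasypt code: a value ending in 32 or more decimal zeros is a multiple of 2^32, so the last four bytes of its two's-complement form are zero. All function names and the sample payload are constructed, the length of the zero run is constructed, and the 39-digit cutoff is an assumption taken from the significant digits visible in the stored values.

```python
# Added illustration. All names are hypothetical, not CAS or Jasypt APIs.

def to_java_bytes(n: int) -> bytes:
    """Minimal big-endian two's-complement bytes, like BigInteger.toByteArray()."""
    length = (n if n >= 0 else ~n).bit_length() // 8 + 1
    return n.to_bytes(length, "big", signed=True)

def size_trailer(n: int) -> int:
    """Last 4 bytes as an int: the expected-size field read at line 71 in the post."""
    return int.from_bytes(to_java_bytes(n)[-4:], "big")

def trailing_decimal_zeros(n: int) -> int:
    digits = str(abs(n))
    return len(digits) - len(digits.rstrip("0"))

def keep_leading_digits(n: int, digits: int) -> int:
    """Simulate a store that keeps only the leading `digits` digits (assumption)."""
    text = str(abs(n))
    if len(text) <= digits:
        return n
    kept = int(text[:digits]) * 10 ** (len(text) - digits)
    return -kept if n < 0 else kept

def looks_truncated(stored: int) -> bool:
    """10**32 is a multiple of 2**32, so >= 32 trailing zeros force a zero trailer."""
    return stored != 0 and trailing_decimal_zeros(stored) >= 32

def make_sample() -> int:
    """Constructed stand-in for an encrypted code: 48 bytes plus a 4-byte size."""
    payload = bytes([0x81]) + bytes(range(1, 48))
    return int.from_bytes(payload + (48).to_bytes(4, "big"), "big", signed=True)

# Leading digits as in the post; the length of the zero run (85) is constructed.
POST_LIKE_VALUE = -int("450420117191294307586670596678903299451" + "0" * 85)

if __name__ == "__main__":
    sample = make_sample()
    stored = keep_leading_digits(sample, 39)
    print("original trailer:", size_trailer(sample))
    print("after digit loss:", size_trailer(stored))
    print("post-like value :", size_trailer(POST_LIKE_VALUE),
          looks_truncated(POST_LIKE_VALUE))
```

Running `looks_truncated` over the values read back from the scratch-code column, before they reach the cipher, separates a storage precision problem from a key or configuration problem.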