[
https://issues.apache.org/jira/browse/DIRSERVER-1100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542938
]
Enrique Rodriguez commented on DIRSERVER-1100:
----------------------------------------------
I have this verified and fixed, with new test cases. I just need to get to
email to double-check where to commit it and to verify commit messages and CI.
> [kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.DesCbcCrcEncryption
> cannot decrypt the encryptiondata it generated.
> -------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-1100
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1100
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: kerberos
> Reporter: Leo Li
> Assignee: Enrique Rodriguez
> Attachments: Directory_100.diff
>
>
> Here is an example:
> import javax.security.auth.kerberos.KerberosKey;
> import javax.security.auth.kerberos.KerberosPrincipal;
> import
> org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
> import
> org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
> import org.apache.directory.server.kerberos.shared.crypto.encryption.*;
> public static void main(String[] args) throws Exception{
> final char[] PASSWORD = "PASSWORD".toCharArray();
> KerberosKey key = new KerberosKey(new KerberosPrincipal("[EMAIL
> PROTECTED]"),PASSWORD, "DES");
> byte[] keyBytes = key.getEncoded();
> EncryptionKey encryptionKey = new
> EncryptionKey(EncryptionType.DES_CBC_CRC, keyBytes);
> byte[] plainText = {1,2,3,4,5,6,7};
> DesCbcCrcEncryption encryption = new DesCbcCrcEncryption();
> EncryptedData encryptionData =
> encryption.getEncryptedData(encryptionKey, plainText, KeyUsage.NUMBER1); // I
> am not sure of which KeyUsage should use here, but it is not referenced in
> source code. So I think any will work.
> encryption.getDecryptedData(encryptionKey, encryptionData,
> KeyUsage.NUMBER1);
> System.out.println("Succeed!");
> }
> But it fails with such complain:
> Exception in thread "main"
> org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
> Integrity check on decrypted field failed
> at
> org.apache.directory.server.kerberos.shared.crypto.encryption.DesCbcCrcEncryption.getDecryptedData(DesCbcCrcEncryption.java:113)
> at TestDESCBCCRC.main(TestDESCBCCRC.java:21)
> After I look a further into it, it is due to current implementation
> (r595192) there is two paddings in DesCbcCrcEncryption.getEncryptedData:
> LINE 126:
> byte[] paddedPlainText = padString( plainText );
> byte[] dataBytes = concatenateBytes( conFounder, concatenateBytes(
> zeroedChecksum, paddedPlainText ) );
> byte[] checksumBytes = calculateIntegrity( dataBytes, null, usage );
> byte[] paddedDataBytes = padString( dataBytes );
> But RFC 3961
> "One generates a random confounder of one block, placing it in
> 'confounder'; zeros out the 'checksum' field (of length appropriate
> to exactly hold the checksum to be computed); adds the necessary
> padding; calculates the appropriate checksum over the whole sequence,
> placing the result in 'checksum'; and then encrypts using the
> specified encryption type and the appropriate key."
> So the checksum should be calculated after all padding for encryption has
> finished.
> It seems that the same problem occurs in other Encryption classes.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
