Benjamin Marwell created SHIRO-736:
--------------------------------------
Summary: DefaultCipherInstance is an alias which is not available
in every JVM or JCA Provider
Key: SHIRO-736
URL: https://issues.apache.org/jira/browse/SHIRO-736
Project: Shiro
Issue Type: Bug
Components: Cryptography & Hashing
Affects Versions: 1.4.2, 1.5.0
Reporter: Benjamin Marwell
Dear all,
h2. Problem Description
the default cipher instance for the RememberMe Manager is set in the
AbstractRememberMeManager's constructor:
{{AesCipherService cipherService = new AesCipherService();}}
Now, AesCipherService sets the Algorithm to AES and OperationMode to GCM in its
constructor, but it inherits it's parents PaddingMode. Since the parent is
"DefaultBlockCipherService" which is a block cipher service (as the name
suggests), a padding is set and defaults to PKCS5.
This results in the method call {{javax.crypto.Cipher.getInstance(
"AES/GCM/PKCS5Padding" )}}. Most JVMs can handle this well and will use
{{javax.crypto.Cipher.getInstance( "AES/GCM/NoPadding" )}} internally, but some
do not, because Padding with a streaming cipher does not seem specified.
Therefore, the default shiro setup will not work on such JVMs, which is a
regression:
{{java.security.NoSuchAlgorithmException: Cannot find any provider supporting
AES/GCM/PKCS5Padding}}
h2. Workarounds
Use this configuration in {{shiro.ini}}.
Note that you would not gain from security updates this way which is a big
drawback!
{code:java}
cipherService = org.apache.shiro.crypto.AesCipherService
cipherService.paddingSchemeName = NoPadding
securityManager.rememberMeManager.cipherService = $cipherService {code}
h2. Proposed Solution
In {{AesCipherService}}, add this line to the constructor:
{{setPaddingMode(PaddingMode.NONE.getTransformationName());}}
h2. Affected Versions
I also added 1.5.0 as affected, becaue I guess it might not make it. Remove
this version from the affected versions list if applicable.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
