github-advanced-security[bot] commented on code in PR #1241:
URL: https://github.com/apache/syncope/pull/1241#discussion_r2537100840
##########
core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultEncryptor.java:
##########
@@ -43,33 +44,51 @@
protected static final Logger LOG =
LoggerFactory.getLogger(DefaultEncryptor.class);
- protected static final String DEFAULT_SECRET_KEY =
"1abcdefghilmnopqrstuvz2!";
-
protected final Map<CipherAlgorithm, StandardStringDigester> digesters =
new ConcurrentHashMap<>();
- protected SecretKeySpec keySpec;
+ protected final Optional<SecretKeySpec> aesKeySpec;
- protected DefaultEncryptor(final String secretKey) {
- String actualKey = secretKey;
- if (actualKey.length() < 16) {
- StringBuilder actualKeyPadding = new StringBuilder(actualKey);
- int length = 16 - actualKey.length();
- String randomChars =
SecureRandomUtils.generateRandomPassword(length);
+ protected DefaultEncryptor(final String aesSecretKey) {
+ SecretKeySpec sks = null;
- actualKeyPadding.append(randomChars);
- actualKey = actualKeyPadding.toString();
- LOG.warn("The secret key is too short (< 16), adding some random
characters. "
- + "Passwords encrypted with AES and this key will not be
recoverable "
- + "as a result if the container is restarted.");
- }
+ if (StringUtils.isNotBlank(aesSecretKey)) {
+ String actualKey = aesSecretKey;
- try {
- keySpec = new SecretKeySpec(ArrayUtils.subarray(
- actualKey.getBytes(StandardCharsets.UTF_8), 0, 16),
- CipherAlgorithm.AES.getAlgorithm());
- } catch (Exception e) {
- LOG.error("Error during key specification", e);
+ Integer pad = null;
+ boolean truncate = false;
+ if (actualKey.length() < 16) {
+ pad = 16 - actualKey.length();
+ } else if (actualKey.length() > 16 && actualKey.length() < 24) {
+ pad = 24 - actualKey.length();
+ } else if (actualKey.length() > 24 && actualKey.length() < 32) {
+ pad = 32 - actualKey.length();
+ } else if (actualKey.length() > 32) {
+ truncate = true;
+ }
+
+ if (pad != null) {
+ StringBuilder actualKeyPadding = new StringBuilder(actualKey);
+ String randomChars =
SecureRandomUtils.generateRandomPassword(pad);
+
+ actualKeyPadding.append(randomChars);
+ actualKey = actualKeyPadding.toString();
+ LOG.warn("The configured AES secret key is too short (< {}),
padding with random chars: {}",
+ actualKey.length(), actualKey);
+ }
+ if (truncate) {
+ actualKey = actualKey.substring(0, 32);
+ LOG.warn("The configured AES secret key is too long (> 32),
truncating: {}", actualKey);
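Review bot: The size checks starting at `if (actualKey.length() < 16)` count UTF-16 chars, whereas an AES key is sized in bytes and the removed code sized it from `actualKey.getBytes(StandardCharsets.UTF_8)`; a configured key containing non-ASCII characters can thus be padded or truncated to 16/24/32 chars and still produce a byte array of a different length when the SecretKeySpec is built. Since that construction lies past the quoted lines, either compute the lengths from `actualKey.getBytes(StandardCharsets.UTF_8).length` here or add a comment stating that the key is assumed to be ASCII. The warning at `LOG.warn("The configured AES secret key is too short (< {}), ...` also formats `actualKey.length()` after padding rather than the configured length, and it drops the old caveat that random padding makes AES-encrypted values unrecoverable across restarts; suggest `"The configured AES secret key is too short ({} chars), padding with random chars; values encrypted with AES and this key will not be recoverable after a restart"` with `aesSecretKey.length()` as the argument. The same hunk is quoted again in the second section below. The DefaultEncryptor constructor continues beyond the quoted lines.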
Review Comment:
## Insertion of sensitive information into log files
This [potentially sensitive information](1) is written to a log file.
[Show more
details](https://github.com/apache/syncope/security/code-scanning/2358)
##########
core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultEncryptor.java:
##########
@@ -43,33 +44,51 @@
protected static final Logger LOG =
LoggerFactory.getLogger(DefaultEncryptor.class);
- protected static final String DEFAULT_SECRET_KEY =
"1abcdefghilmnopqrstuvz2!";
-
protected final Map<CipherAlgorithm, StandardStringDigester> digesters =
new ConcurrentHashMap<>();
- protected SecretKeySpec keySpec;
+ protected final Optional<SecretKeySpec> aesKeySpec;
- protected DefaultEncryptor(final String secretKey) {
- String actualKey = secretKey;
- if (actualKey.length() < 16) {
- StringBuilder actualKeyPadding = new StringBuilder(actualKey);
- int length = 16 - actualKey.length();
- String randomChars =
SecureRandomUtils.generateRandomPassword(length);
+ protected DefaultEncryptor(final String aesSecretKey) {
+ SecretKeySpec sks = null;
- actualKeyPadding.append(randomChars);
- actualKey = actualKeyPadding.toString();
- LOG.warn("The secret key is too short (< 16), adding some random
characters. "
- + "Passwords encrypted with AES and this key will not be
recoverable "
- + "as a result if the container is restarted.");
- }
+ if (StringUtils.isNotBlank(aesSecretKey)) {
+ String actualKey = aesSecretKey;
- try {
- keySpec = new SecretKeySpec(ArrayUtils.subarray(
- actualKey.getBytes(StandardCharsets.UTF_8), 0, 16),
- CipherAlgorithm.AES.getAlgorithm());
- } catch (Exception e) {
- LOG.error("Error during key specification", e);
+ Integer pad = null;
+ boolean truncate = false;
+ if (actualKey.length() < 16) {
+ pad = 16 - actualKey.length();
+ } else if (actualKey.length() > 16 && actualKey.length() < 24) {
+ pad = 24 - actualKey.length();
+ } else if (actualKey.length() > 24 && actualKey.length() < 32) {
+ pad = 32 - actualKey.length();
+ } else if (actualKey.length() > 32) {
+ truncate = true;
+ }
+
+ if (pad != null) {
+ StringBuilder actualKeyPadding = new StringBuilder(actualKey);
+ String randomChars =
SecureRandomUtils.generateRandomPassword(pad);
+
+ actualKeyPadding.append(randomChars);
+ actualKey = actualKeyPadding.toString();
+ LOG.warn("The configured AES secret key is too short (< {}),
padding with random chars: {}",
+ actualKey.length(), actualKey);
Review Comment:
## Insertion of sensitive information into log files
This [potentially sensitive information](1) is written to a log file.
[Show more
details](https://github.com/apache/syncope/security/code-scanning/2357)