[
https://issues.apache.org/jira/browse/IGNITE-13583?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Amelchev Nikita updated IGNITE-13583:
-------------------------------------
Description:
Need to check the current master key digest on the key change request.
Concurrent key change produces unclear reject message in case:
1. The first thread creates a request but not send to the cluster. A request
contains an encrypted MK name.
2. The second thread performs MK change. The cluster set a new MK.
3. The first thread sends a request but the cluster can't decrypt MK name with
the new MK. The change request will be rejected with the message:
{noformat}
class org.apache.ignite.IgniteException: Master key change was rejected
[nodeId=00e9fe88-d0c3-430a-93f4-27341ee8a000]
at
org.apache.ignite.internal.managers.encryption.GridEncryptionManager.prepareMasterKeyChange(GridEncryptionManager.java:1044)
at
org.apache.ignite.internal.util.distributed.DistributedProcess.lambda$new$2(DistributedProcess.java:149)
at
org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$4.onDiscovery0(GridDiscoveryManager.java:722)
at
org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$4.lambda$onDiscovery$0(GridDiscoveryManager.java:531)
at
org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$DiscoveryMessageNotifierWorker.body0(GridDiscoveryManager.java:2696)
at
org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$DiscoveryMessageNotifierWorker.body(GridDiscoveryManager.java:2734)
at
org.apache.ignite.internal.util.worker.GridWorker.run(GridWorker.java:120)
at java.lang.Thread.run(Thread.java:748)
Caused by: class org.apache.ignite.IgniteException: Given final block not
properly padded. Such issues can arise if a bad key is used during decryption.
at
org.apache.ignite.internal.managers.encryption.GridEncryptionManager.withMasterKeyChangeReadLock(GridEncryptionManager.java:1185)
at
org.apache.ignite.internal.managers.encryption.GridEncryptionManager.decryptKeyName(GridEncryptionManager.java:1251)
at
org.apache.ignite.internal.managers.encryption.GridEncryptionManager.prepareMasterKeyChange(GridEncryptionManager.java:1029)
... 7 more
Caused by: class org.apache.ignite.spi.IgniteSpiException: Given final block
not properly padded. Such issues can arise if a bad key is used during
decryption.
at
org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decrypt(KeystoreEncryptionSpi.java:209)
at
org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decryptKey(KeystoreEncryptionSpi.java:280)
at
org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decryptKey(KeystoreEncryptionSpi.java:64)
at
org.apache.ignite.internal.managers.encryption.GridEncryptionManager.lambda$decryptKeyName$10(GridEncryptionManager.java:1264)
at
org.apache.ignite.internal.managers.encryption.GridEncryptionManager.withMasterKeyChangeReadLock(GridEncryptionManager.java:1182)
... 9 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly
padded. Such issues can arise if a bad key is used during decryption.
at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
at
com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
at javax.crypto.Cipher.doFinal(Cipher.java:2222)
at
org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decrypt(KeystoreEncryptionSpi.java:205)
... 13 more
{noformat}
was:
Need to check the current master key digest on the key change request.
Concurrent key change produces unclear reject message in case:
1. The first thread creates a request but not send to the cluster. A request
contains an encrypted MK name.
2. The second thread performs MK change. The cluster set a new MK.
3. The first thread sends a request but the cluster can't decrypt MK name
within the new MK. The change request will be rejected with the message:
{noformat}
class org.apache.ignite.IgniteException: Master key change was rejected
[nodeId=00e9fe88-d0c3-430a-93f4-27341ee8a000]
at
org.apache.ignite.internal.managers.encryption.GridEncryptionManager.prepareMasterKeyChange(GridEncryptionManager.java:1044)
at
org.apache.ignite.internal.util.distributed.DistributedProcess.lambda$new$2(DistributedProcess.java:149)
at
org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$4.onDiscovery0(GridDiscoveryManager.java:722)
at
org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$4.lambda$onDiscovery$0(GridDiscoveryManager.java:531)
at
org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$DiscoveryMessageNotifierWorker.body0(GridDiscoveryManager.java:2696)
at
org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$DiscoveryMessageNotifierWorker.body(GridDiscoveryManager.java:2734)
at
org.apache.ignite.internal.util.worker.GridWorker.run(GridWorker.java:120)
at java.lang.Thread.run(Thread.java:748)
Caused by: class org.apache.ignite.IgniteException: Given final block not
properly padded. Such issues can arise if a bad key is used during decryption.
at
org.apache.ignite.internal.managers.encryption.GridEncryptionManager.withMasterKeyChangeReadLock(GridEncryptionManager.java:1185)
at
org.apache.ignite.internal.managers.encryption.GridEncryptionManager.decryptKeyName(GridEncryptionManager.java:1251)
at
org.apache.ignite.internal.managers.encryption.GridEncryptionManager.prepareMasterKeyChange(GridEncryptionManager.java:1029)
... 7 more
Caused by: class org.apache.ignite.spi.IgniteSpiException: Given final block
not properly padded. Such issues can arise if a bad key is used during
decryption.
at
org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decrypt(KeystoreEncryptionSpi.java:209)
at
org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decryptKey(KeystoreEncryptionSpi.java:280)
at
org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decryptKey(KeystoreEncryptionSpi.java:64)
at
org.apache.ignite.internal.managers.encryption.GridEncryptionManager.lambda$decryptKeyName$10(GridEncryptionManager.java:1264)
at
org.apache.ignite.internal.managers.encryption.GridEncryptionManager.withMasterKeyChangeReadLock(GridEncryptionManager.java:1182)
... 9 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly
padded. Such issues can arise if a bad key is used during decryption.
at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
at
com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
at javax.crypto.Cipher.doFinal(Cipher.java:2222)
at
org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decrypt(KeystoreEncryptionSpi.java:205)
... 13 more
{noformat}
> Check current master key digest on key change request
> -----------------------------------------------------
>
> Key: IGNITE-13583
> URL: https://issues.apache.org/jira/browse/IGNITE-13583
> Project: Ignite
> Issue Type: Bug
> Reporter: Amelchev Nikita
> Assignee: Amelchev Nikita
> Priority: Major
>
> Need to check the current master key digest on the key change request.
> Concurrent key change produces unclear reject message in case:
> 1. The first thread creates a request but not send to the cluster. A request
> contains an encrypted MK name.
> 2. The second thread performs MK change. The cluster set a new MK.
> 3. The first thread sends a request but the cluster can't decrypt MK name
> with the new MK. The change request will be rejected with the message:
> {noformat}
> class org.apache.ignite.IgniteException: Master key change was rejected
> [nodeId=00e9fe88-d0c3-430a-93f4-27341ee8a000]
> at
> org.apache.ignite.internal.managers.encryption.GridEncryptionManager.prepareMasterKeyChange(GridEncryptionManager.java:1044)
> at
> org.apache.ignite.internal.util.distributed.DistributedProcess.lambda$new$2(DistributedProcess.java:149)
> at
> org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$4.onDiscovery0(GridDiscoveryManager.java:722)
> at
> org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$4.lambda$onDiscovery$0(GridDiscoveryManager.java:531)
> at
> org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$DiscoveryMessageNotifierWorker.body0(GridDiscoveryManager.java:2696)
> at
> org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$DiscoveryMessageNotifierWorker.body(GridDiscoveryManager.java:2734)
> at
> org.apache.ignite.internal.util.worker.GridWorker.run(GridWorker.java:120)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: class org.apache.ignite.IgniteException: Given final block not
> properly padded. Such issues can arise if a bad key is used during decryption.
> at
> org.apache.ignite.internal.managers.encryption.GridEncryptionManager.withMasterKeyChangeReadLock(GridEncryptionManager.java:1185)
> at
> org.apache.ignite.internal.managers.encryption.GridEncryptionManager.decryptKeyName(GridEncryptionManager.java:1251)
> at
> org.apache.ignite.internal.managers.encryption.GridEncryptionManager.prepareMasterKeyChange(GridEncryptionManager.java:1029)
> ... 7 more
> Caused by: class org.apache.ignite.spi.IgniteSpiException: Given final block
> not properly padded. Such issues can arise if a bad key is used during
> decryption.
> at
> org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decrypt(KeystoreEncryptionSpi.java:209)
> at
> org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decryptKey(KeystoreEncryptionSpi.java:280)
> at
> org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decryptKey(KeystoreEncryptionSpi.java:64)
> at
> org.apache.ignite.internal.managers.encryption.GridEncryptionManager.lambda$decryptKeyName$10(GridEncryptionManager.java:1264)
> at
> org.apache.ignite.internal.managers.encryption.GridEncryptionManager.withMasterKeyChangeReadLock(GridEncryptionManager.java:1182)
> ... 9 more
> Caused by: javax.crypto.BadPaddingException: Given final block not properly
> padded. Such issues can arise if a bad key is used during decryption.
> at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
> at
> com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
> at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
> at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
> at javax.crypto.Cipher.doFinal(Cipher.java:2222)
> at
> org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decrypt(KeystoreEncryptionSpi.java:205)
> ... 13 more
> {noformat}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
