[ https://issues.apache.org/jira/browse/IGNITE-13583?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Amelchev Nikita updated IGNITE-13583:
-------------------------------------
    Description:
Need to check the current master key digest on the key change request.

Concurrent key change produces an unclear reject message in this case:
1. The first thread creates a request but does not send it to the cluster. A request contains an encrypted MK name.
2. The second thread performs an MK change. The cluster sets a new MK.
3. The first thread sends a request but the cluster can't decrypt the MK name with the new MK. The change request will be rejected with the message:
{noformat}
class org.apache.ignite.IgniteException: Master key change was rejected [nodeId=00e9fe88-d0c3-430a-93f4-27341ee8a000]
    at org.apache.ignite.internal.managers.encryption.GridEncryptionManager.prepareMasterKeyChange(GridEncryptionManager.java:1044)
    at org.apache.ignite.internal.util.distributed.DistributedProcess.lambda$new$2(DistributedProcess.java:149)
    at org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$4.onDiscovery0(GridDiscoveryManager.java:722)
    at org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$4.lambda$onDiscovery$0(GridDiscoveryManager.java:531)
    at org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$DiscoveryMessageNotifierWorker.body0(GridDiscoveryManager.java:2696)
    at org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$DiscoveryMessageNotifierWorker.body(GridDiscoveryManager.java:2734)
    at org.apache.ignite.internal.util.worker.GridWorker.run(GridWorker.java:120)
    at java.lang.Thread.run(Thread.java:748)
Caused by: class org.apache.ignite.IgniteException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at org.apache.ignite.internal.managers.encryption.GridEncryptionManager.withMasterKeyChangeReadLock(GridEncryptionManager.java:1185)
    at org.apache.ignite.internal.managers.encryption.GridEncryptionManager.decryptKeyName(GridEncryptionManager.java:1251)
    at org.apache.ignite.internal.managers.encryption.GridEncryptionManager.prepareMasterKeyChange(GridEncryptionManager.java:1029)
    ... 7 more
Caused by: class org.apache.ignite.spi.IgniteSpiException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decrypt(KeystoreEncryptionSpi.java:209)
    at org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decryptKey(KeystoreEncryptionSpi.java:280)
    at org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decryptKey(KeystoreEncryptionSpi.java:64)
    at org.apache.ignite.internal.managers.encryption.GridEncryptionManager.lambda$decryptKeyName$10(GridEncryptionManager.java:1264)
    at org.apache.ignite.internal.managers.encryption.GridEncryptionManager.withMasterKeyChangeReadLock(GridEncryptionManager.java:1182)
    ... 9 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
    at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
    at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
    at javax.crypto.Cipher.doFinal(Cipher.java:2222)
    at org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decrypt(KeystoreEncryptionSpi.java:205)
    ... 13 more
{noformat}

  was:
Need to check the current master key digest on the key change request.

Concurrent key change produces an unclear reject message in this case:
1. The first thread creates a request but does not send it to the cluster. A request contains an encrypted MK name.
2. The second thread performs an MK change. The cluster sets a new MK.
3. The first thread sends a request but the cluster can't decrypt the MK name within the new MK. The change request will be rejected with the message:
{noformat}
class org.apache.ignite.IgniteException: Master key change was rejected [nodeId=00e9fe88-d0c3-430a-93f4-27341ee8a000]
    at org.apache.ignite.internal.managers.encryption.GridEncryptionManager.prepareMasterKeyChange(GridEncryptionManager.java:1044)
    at org.apache.ignite.internal.util.distributed.DistributedProcess.lambda$new$2(DistributedProcess.java:149)
    at org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$4.onDiscovery0(GridDiscoveryManager.java:722)
    at org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$4.lambda$onDiscovery$0(GridDiscoveryManager.java:531)
    at org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$DiscoveryMessageNotifierWorker.body0(GridDiscoveryManager.java:2696)
    at org.apache.ignite.internal.managers.discovery.GridDiscoveryManager$DiscoveryMessageNotifierWorker.body(GridDiscoveryManager.java:2734)
    at org.apache.ignite.internal.util.worker.GridWorker.run(GridWorker.java:120)
    at java.lang.Thread.run(Thread.java:748)
Caused by: class org.apache.ignite.IgniteException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at org.apache.ignite.internal.managers.encryption.GridEncryptionManager.withMasterKeyChangeReadLock(GridEncryptionManager.java:1185)
    at org.apache.ignite.internal.managers.encryption.GridEncryptionManager.decryptKeyName(GridEncryptionManager.java:1251)
    at org.apache.ignite.internal.managers.encryption.GridEncryptionManager.prepareMasterKeyChange(GridEncryptionManager.java:1029)
    ... 7 more
Caused by: class org.apache.ignite.spi.IgniteSpiException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decrypt(KeystoreEncryptionSpi.java:209)
    at org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decryptKey(KeystoreEncryptionSpi.java:280)
    at org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decryptKey(KeystoreEncryptionSpi.java:64)
    at org.apache.ignite.internal.managers.encryption.GridEncryptionManager.lambda$decryptKeyName$10(GridEncryptionManager.java:1264)
    at org.apache.ignite.internal.managers.encryption.GridEncryptionManager.withMasterKeyChangeReadLock(GridEncryptionManager.java:1182)
    ... 9 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
    at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
    at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
    at javax.crypto.Cipher.doFinal(Cipher.java:2222)
    at org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi.decrypt(KeystoreEncryptionSpi.java:205)
    ... 13 more
{noformat}

> Check current master key digest on key change request
> -----------------------------------------------------
>
>                 Key: IGNITE-13583
>                 URL: https://issues.apache.org/jira/browse/IGNITE-13583
>             Project: Ignite
>          Issue Type: Bug
>            Reporter: Amelchev Nikita
>            Assignee: Amelchev Nikita
>            Priority: Major
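
The race described in the issue above, with the digest check the title asks for, as an added example that is not Ignite's own code. All class, record and method names are hypothetical, the keys are constructed sample values, and the `AES/CBC/PKCS5Padding` transformation and SHA-256 digest are assumptions of this sketch (Java 16+ for `record`).

```java
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.*;

/** Added illustration; names are hypothetical, not Ignite's API. */
public class MasterKeyDigestCheck {
    /** New MK name encrypted under the sender's current MK, plus that MK's digest. */
    record ChangeRequest(byte[] iv, byte[] encKeyName, byte[] senderMkDigest) {}

    static byte[] digest(SecretKey mk) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(mk.getEncoded());
    }

    static ChangeRequest prepare(SecretKey curMk, String newMkName) throws GeneralSecurityException {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding"); // assumed transformation
        c.init(Cipher.ENCRYPT_MODE, curMk, new IvParameterSpec(iv));
        byte[] enc = c.doFinal(newMkName.getBytes(StandardCharsets.UTF_8));
        return new ChangeRequest(iv, enc, digest(curMk));
    }

    /** Receiver side: compare digests before attempting to decrypt anything. */
    static String accept(SecretKey clusterMk, ChangeRequest req) throws GeneralSecurityException {
        if (!MessageDigest.isEqual(digest(clusterMk), req.senderMkDigest()))
            throw new IllegalStateException("Master key change was rejected: the request was "
                + "prepared under a master key that is no longer the cluster's current one.");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, clusterMk, new IvParameterSpec(req.iv()));
        return new String(c.doFinal(req.encKeyName()), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256);
        SecretKey mk1 = gen.generateKey(), mk2 = gen.generateKey(); // constructed sample keys

        ChangeRequest stale = prepare(mk1, "mk3"); // step 1: request built under mk1, not yet sent
        SecretKey clusterMk = mk2;                 // step 2: another thread switched the cluster to mk2
        try {
            accept(clusterMk, stale);              // step 3: the stale request arrives
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());    // explicit reason instead of BadPaddingException
        }
        System.out.println(accept(clusterMk, prepare(clusterMk, "mk3"))); // fresh request: prints mk3
    }
}
```

Comparing digests first also avoids relying on the padding error as a wrong-key signal: with PKCS#5 padding, roughly 1 in 256 wrong-key decryptions unpad cleanly and return garbage instead of throwing.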