[AAA-119] Bad padding in encrypted data Created: 23/Mar/17  Updated: 21/Mar/19  Resolved: 05/May/17

Status: Verified
Project: aaa
Component/s: General
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: Robert Varga Assignee: Mohamed ElSerngawy
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


Issue Links:
Duplicate
is duplicated by NETCONF-398 Carbon: odl respond with http status ... Resolved
External issue ID: 8062

 Description   

We are observing the following error being reported:

2017-03-21 14:11:33,701 | ERROR | rint Extender: 1 | AAAEncryptionServiceImpl | 254 - org.opendaylight.aaa.encrypt-service - 0.5.0.SNAPSHOT | Failed to decrypt encoded data
javax.crypto.BadPaddingException: Given final block not properly padded
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:989)[sunjce_provider.jar:1.8.0_121]
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:845)[sunjce_provider.jar:1.8.0_121]
at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)[sunjce_provider.jar:1.8.0_121]
at javax.crypto.Cipher.doFinal(Cipher.java:2165)[:1.8.0_121]
at org.opendaylight.aaa.encrypt.AAAEncryptionServiceImpl.decrypt(AAAEncryptionServiceImpl.java:177)
at Proxy30160d6d_0546_4891_a131_16737b6389a1.decrypt(Unknown Source)
at Proxy40769118_0fde_4458_b445_8af7014cf01f.decrypt(Unknown Source)
at org.opendaylight.aaa.cert.utils.KeyStoresDataUtils.decryptOdlKeyStore(KeyStoresDataUtils.java:157)[257:org.opendaylight.aaa.cert:0.5.0.SNAPSHOT]
at org.opendaylight.aaa.cert.utils.KeyStoresDataUtils.decryptSslData(KeyStoresDataUtils.java:167)[257:org.opendaylight.aaa.cert:0.5.0.SNAPSHOT]
at org.opendaylight.aaa.cert.utils.KeyStoresDataUtils.getSslData(KeyStoresDataUtils.java:205)[257:org.opendaylight.aaa.cert:0.5.0.SNAPSHOT]
at org.opendaylight.aaa.cert.impl.AaaCertMdsalProvider.getSslData(AaaCertMdsalProvider.java:175)
at org.opendaylight.aaa.cert.impl.DefaultMdsalSslData.createKeyStores(DefaultMdsalSslData.java:144)
at org.opendaylight.aaa.cert.impl.CertificateManagerService.<init>(CertificateManagerService.java:91)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)[:1.8.0_121]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)[:1.8.0_121]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)[:1.8.0_121]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)[:1.8.0_121]
at org.apache.aries.blueprint.utils.ReflectionUtils.newInstance(ReflectionUtils.java:331)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.container.BeanRecipe.newInstance(BeanRecipe.java:984)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.container.BeanRecipe.getInstanceFromType(BeanRecipe.java:349)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.container.BeanRecipe.getInstance(BeanRecipe.java:282)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.container.BeanRecipe.internalCreate2(BeanRecipe.java:830)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.container.BeanRecipe.internalCreate(BeanRecipe.java:811)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.di.AbstractRecipe$1.call(AbstractRecipe.java:79)[15:org.apache.aries.blueprint.core:1.6.1]
at java.util.concurrent.FutureTask.run(FutureTask.java:266)[:1.8.0_121]
at org.apache.aries.blueprint.di.AbstractRecipe.create(AbstractRecipe.java:88)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.di.RefRecipe.internalCreate(RefRecipe.java:62)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.di.AbstractRecipe.create(AbstractRecipe.java:106)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.container.ServiceRecipe.createService(ServiceRecipe.java:285)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.container.ServiceRecipe.internalGetService(ServiceRecipe.java:252)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.container.ServiceRecipe.internalCreate(ServiceRecipe.java:149)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.di.AbstractRecipe$1.call(AbstractRecipe.java:79)[15:org.apache.aries.blueprint.core:1.6.1]
at java.util.concurrent.FutureTask.run(FutureTask.java:266)[:1.8.0_121]
at org.apache.aries.blueprint.di.AbstractRecipe.create(AbstractRecipe.java:88)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.container.BlueprintRepository.createInstances(BlueprintRepository.java:255)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.container.BlueprintRepository.createAll(BlueprintRepository.java:186)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.container.BlueprintContainerImpl.instantiateEagerComponents(BlueprintContainerImpl.java:724)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.container.BlueprintContainerImpl.doRun(BlueprintContainerImpl.java:411)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.container.BlueprintContainerImpl.run(BlueprintContainerImpl.java:276)[15:org.apache.aries.blueprint.core:1.6.1]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)[:1.8.0_121]
at java.util.concurrent.FutureTask.run(FutureTask.java:266)[:1.8.0_121]
at org.apache.aries.blueprint.container.ExecutorServiceWrapper.run(ExecutorServiceWrapper.java:106)[15:org.apache.aries.blueprint.core:1.6.1]
at org.apache.aries.blueprint.utils.threading.impl.DiscardableRunnable.run(DiscardableRunnable.java:48)[15:org.apache.aries.blueprint.core:1.6.1]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)[:1.8.0_121]
at java.util.concurrent.FutureTask.run(FutureTask.java:266)[:1.8.0_121]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)[:1.8.0_121]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)[:1.8.0_121]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)[:1.8.0_121]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)[:1.8.0_121]
at java.lang.Thread.run(Thread.java:745)[:1.8.0_121]

This looks to be a problem with how we encrypt the data. Otherwise, if this is something that is expected, the severity should be lowered accordingly.



 Comments   
Comment by Tomas Cere [ 31/Mar/17 ]

Seems like we encounter this in netconf jobs, resulting in 401 restconf responses on certain requests.

https://logs.opendaylight.org/releng/jenkins092/netconf-csit-3node-clustering-only-carbon/474/archives/odl3_karaf.log.gz

Comment by Vratko Polak [ 12/Apr/17 ]

Possible duplicates, may contain more details on how to reproduce:
AAA-117 CONTROLLER-1632 NETCONF-398.

Especially this [0] comment contains some technical explanations.

[0] https://bugs.opendaylight.org/show_bug.cgi?id=8206#c6

Comment by Viera Zelcamova [ 18/Apr/17 ]

Hi Ryan,
I wanted to ask you if you are working on this bug and what the approximate time for it to be fixed is?
Thank you.

Comment by Ryan Goulding [ 18/Apr/17 ]

Candidate Patch in Progress:

https://git.opendaylight.org/gerrit/#/c/55126/

For a timeline, hopefully by tomorrow at latest. If this candidate patch doesn't pan out, there is an easier fix we have considered which can alleviate this bug from happening, but it is the less preferred approach.

Comment by Mohamed ElSerngawy [ 18/Apr/17 ]

The patch at https://git.opendaylight.org/gerrit/#/c/55126/ is fixing the issue. The encryption service initial config is now written to the datastore. All the cluster nodes have the same initial config data.
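
The failure mode behind this fix, as an added Java example that is not part of the original comment and is not the AAA project's code: data encrypted on one node fails with `BadPaddingException` on a node whose key came from different initial config, and round-trips once both share it. The `Node` class, the PBKDF2 parameters, the password and the assumption that the differing config value is a per-node salt are hypothetical; the AES cipher with padding is taken from the stack trace above.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class ClusterKeyMismatchDemo {
    /** Hypothetical stand-in for one cluster node's encryption service. */
    static final class Node {
        private final SecretKeySpec key;
        Node(char[] password, byte[] salt) throws GeneralSecurityException {
            // Key is derived from node-local config (assumed: password + salt).
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                    .generateSecret(new PBEKeySpec(password, salt, 32768, 128)).getEncoded();
            key = new SecretKeySpec(raw, "AES");
        }
        byte[] encrypt(byte[] plain) throws GeneralSecurityException {
            byte[] iv = randomBytes(16);
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
            byte[] ct = c.doFinal(plain);
            byte[] blob = Arrays.copyOf(iv, iv.length + ct.length); // IV || ciphertext
            System.arraycopy(ct, 0, blob, iv.length, ct.length);
            return blob;
        }
        byte[] decrypt(byte[] blob) throws GeneralSecurityException {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(blob, 0, 16));
            return c.doFinal(blob, 16, blob.length - 16);
        }
    }
    static byte[] randomBytes(int n) {
        byte[] b = new byte[n];
        new SecureRandom().nextBytes(b);
        return b;
    }
    public static void main(String[] args) throws GeneralSecurityException {
        char[] pw = "constructed-password".toCharArray();              // constructed sample
        byte[] data = "constructed keystore bytes".getBytes(StandardCharsets.UTF_8);
        byte[] blob = new Node(pw, randomBytes(16)).encrypt(data);     // node 1, its own salt
        try { // node 2 generated a different salt, so it derives a different key
            new Node(pw, randomBytes(16)).decrypt(blob);
            System.out.println("no exception (roughly 1 in 256): padding valid by chance, output is garbage");
        } catch (BadPaddingException e) { System.out.println("node 2: " + e.getMessage()); }
        byte[] salt = randomBytes(16); // one config shared by every node
        byte[] out = new Node(pw, salt).decrypt(new Node(pw, salt).encrypt(data));
        System.out.println("shared config: " + new String(out, StandardCharsets.UTF_8));
    }
}
```

The no-exception branch matters operationally: CBC with padding carries no integrity check, so a key mismatch can occasionally pass silently and return garbage instead of raising the error seen in karaf.log.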

Comment by Vratko Polak [ 21/Apr/17 ]

The Carbon fix [1] is not passing its verify job, so it is still not merged.

[1] https://git.opendaylight.org/gerrit/55171

Comment by Ryan Goulding [ 21/Apr/17 ]

Blocked by unrelated bug about to be merged:

8261

Should be good after that!

Comment by Viera Zelcamova [ 24/Apr/17 ]

Hi Ryan, any update on this?
Thank you.

Comment by Ryan Goulding [ 27/Apr/17 ]

This was hardcoded through 8313:

https://git.opendaylight.org/gerrit/#/c/56094/

Shouldn't be an issue for Carbon. Will revisit as an enhancement in 8315 in Nitrogen. Closing for now.

Comment by Vratko Polak [ 05/May/17 ]

VERIFIED, the error no longer appears in karaf.log

Generated at Wed Feb 07 19:08:41 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.