[NETCONF-1217] Given final block not properly padded. Such issues can arise if a bad key is used during decryption Created: 05/Jan/24 Updated: 24/Jan/24 Resolved: 24/Jan/24 |
|
| Status: | Resolved |
| Project: | netconf |
| Component/s: | netconf |
| Affects Version/s: | None |
| Fix Version/s: | 7.0.0 |
| Type: | Bug | Priority: | Medium |
| Reporter: | Ivan Hrasko | Assignee: | Yaroslav Lastivka |
| Resolution: | Won't Do | Votes: | 0 |
| Labels: | pt |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Description |
|
Invoke PUT request to: http://192.168.56.25:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=17830-sim-device with payload:
{
  "node": [
    {
      "node-id": "17830-sim-device",
      "netconf-node-topology:login-password": {
        "username": "admin",
        "password": "Aw1Cnm3U99u7K4aJxEZGkA=="
      },
      "netconf-node-topology:schemaless": false,
      "netconf-node-topology:port": 17830,
      "netconf-node-topology:tcp-only": false,
      "netconf-node-topology:keepalive-delay": 0,
      "netconf-node-topology:host": "192.168.56.25"
    }
  ]
}
You can see the error in the karaf console:
09:54:15.461 ERROR [opendaylight-cluster-data-notification-dispatcher-51] Failed to decrypt encoded data
javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:862) ~[?:?]
    at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:942) ~[?:?]
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:735) ~[?:?]
    at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:436) ~[?:?]
    at javax.crypto.Cipher.doFinal(Cipher.java:2205) ~[?:?]
    at org.opendaylight.aaa.encrypt.impl.AAAEncryptionServiceImpl.decrypt(AAAEncryptionServiceImpl.java:154) ~[?:?]
    at org.opendaylight.netconf.topology.spi.NetconfClientConfigurationBuilderFactoryImpl.setSshParametersFromCredentials(NetconfClientConfigurationBuilderFactoryImpl.java:106) ~[bundleFile:?]
    at org.opendaylight.netconf.topology.spi.NetconfClientConfigurationBuilderFactoryImpl.createClientConfigurationBuilder(NetconfClientConfigurationBuilderFactoryImpl.java:74) ~[bundleFile:?]
    at org.opendaylight.netconf.topology.spi.NetconfNodeHandler.<init>(NetconfNodeHandler.java:193) ~[bundleFile:?]
    at org.opendaylight.netconf.topology.spi.AbstractNetconfTopology.lockedEnsureNode(AbstractNetconfTopology.java:124) ~[bundleFile:?]
    at org.opendaylight.netconf.topology.spi.AbstractNetconfTopology.ensureNode(AbstractNetconfTopology.java:91) ~[bundleFile:?]
    at org.opendaylight.netconf.topology.impl.NetconfTopologyImpl.ensureNode(NetconfTopologyImpl.java:143) ~[?:?]
    at org.opendaylight.netconf.topology.impl.NetconfTopologyImpl.onDataTreeChanged(NetconfTopologyImpl.java:129) ~[?:?]
    at org.opendaylight.mdsal.binding.dom.adapter.BindingDOMDataTreeChangeListenerAdapter.onDataTreeChanged(BindingDOMDataTreeChangeListenerAdapter.java:44) ~[bundleFile:?]
    at org.opendaylight.controller.cluster.datastore.DataTreeChangeListenerActor.dataTreeChanged(DataTreeChangeListenerActor.java:90) ~[bundleFile:?]
    at org.opendaylight.controller.cluster.datastore.DataTreeChangeListenerActor.handleReceive(DataTreeChangeListenerActor.java:45) ~[bundleFile:?]
    at akka.japi.pf.UnitCaseStatement.apply(CaseStatements.scala:24) [bundleFile:?]
    at akka.japi.pf.UnitCaseStatement.apply(CaseStatements.scala:20) [bundleFile:?]
    at scala.PartialFunction.applyOrElse(PartialFunction.scala:214) [bundleFile:?]
    at scala.PartialFunction.applyOrElse$(PartialFunction.scala:213) [bundleFile:?]
    at akka.japi.pf.UnitCaseStatement.applyOrElse(CaseStatements.scala:20) [bundleFile:?]
    at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:269) [bundleFile:?]
    at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:270) [bundleFile:?]
    at akka.actor.Actor.aroundReceive(Actor.scala:537) [bundleFile:?]
    at akka.actor.Actor.aroundReceive$(Actor.scala:535) [bundleFile:?]
    at akka.actor.AbstractActor.aroundReceive(AbstractActor.scala:220) [bundleFile:?]
    at akka.actor.ActorCell.receiveMessage(ActorCell.scala:579) [bundleFile:?]
    at akka.actor.ActorCell.invoke(ActorCell.scala:547) [bundleFile:?]
    at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:270) [bundleFile:?]
    at akka.dispatch.Mailbox.run(Mailbox.scala:231) [bundleFile:?]
    at akka.dispatch.Mailbox.exec(Mailbox.scala:243) [bundleFile:?]
    at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:373) [?:?]
    at java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1182) [?:?]
    at java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1655) [?:?]
    at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1622) [?:?]
    at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:165) [?:?]
Note that the password, when it fails to decrypt, is returned untouched. The revision on which the bug is present is: fedba3cac1c141c2b2bfb61ccf8a5622977254d4 |
| Comments |
| Comment by Yaroslav Lastivka [ 11/Jan/24 ] |
|
The AAAEncryptionServiceImpl is configured to generate a new encryption key with each build of the application. This dynamic key generation presents a significant challenge: users are unable to update node user details via PUT requests, as they lack access to the current encryption key. This limitation hinders the ability to perform routine updates and maintenance through our API. |
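Added example, not OpenDaylight code and not part of this issue: a stand-alone sketch of the two behaviours discussed above, a ciphertext produced under one instance's key being decrypted under another's, and the difference between handing the input back untouched on failure and failing closed. The class and method names, the AES/CBC/PKCS5Padding transformation, the fixed IV and the sample secret are assumptions made for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class DecryptFailureDemo {
    // Constructed all-zero IV so the two "instances" differ only in their key.
    // Demo only: real code needs a fresh random IV per encryption.
    static final IvParameterSpec IV = new IvParameterSpec(new byte[16]);

    static SecretKey newInstanceKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }

    static String encrypt(SecretKey key, String plain) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, IV);
        return Base64.getEncoder().encodeToString(c.doFinal(plain.getBytes(StandardCharsets.UTF_8)));
    }

    // Fail-closed: empty on any failure, so the caller has to refuse to use the value.
    // Padding is not an integrity check: about 1 wrong-key attempt in 256 unpads
    // cleanly and yields garbage instead of an exception.
    static Optional<String> decryptStrict(SecretKey key, String b64) {
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, key, IV);
            return Optional.of(new String(c.doFinal(Base64.getDecoder().decode(b64)), StandardCharsets.UTF_8));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return Optional.empty();
        }
    }

    // Fail-open, as the report describes: the input comes back untouched on failure.
    static String decryptLenient(SecretKey key, String b64) {
        return decryptStrict(key, b64).orElse(b64);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecretKey keyA = newInstanceKey(); // instance that encrypted the password
        SecretKey keyB = newInstanceKey(); // instance that receives the PUT
        String stored = encrypt(keyA, "admin-password"); // constructed sample secret
        System.out.println("same key : " + decryptStrict(keyA, stored));
        System.out.println("other key: " + decryptStrict(keyB, stored));
        System.out.println("fail-open: " + decryptLenient(keyB, stored));
    }
}
```

With the fail-open variant the Base64 ciphertext itself ends up being used as the device password, so the connection fails later with an authentication error instead of at the point where decryption failed.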
| Comment by Yaroslav Lastivka [ 11/Jan/24 ] |
|
The Netconf user guide has been updated to recommend using 'login-password-unencrypted' as a replacement for 'login-password'. This change is reflected in the revision b8b4c4adf96d6f7f0e2c582b505fd7ea194bb3af. |
| Comment by Ivan Hrasko [ 24/Jan/24 ] |
|
It's a responsibility of the user to provide a correctly encrypted password. See also |