
spring-security-rsa's Issues

RSA Raw encryptor not able to decrypt its own encrypted text

Hello, I'm using spring-security-rsa version 1.0.9.RELEASE with Spring Boot 2.2.2, but I'm unable to successfully encrypt and decrypt a simple string using the RsaRawEncryptor, while with RsaSecretEncryptor it works correctly. These are my two test encryptors:

@Bean
@ConditionalOnProperty(prefix = "cipher.key", name = "private-key")
public TextEncryptor textEncryptor() {
  log.info("Private key provided in properties file to encrypt text");
  return new RsaSecretEncryptor(keyProperties.getPrivateKey());
}

@Bean("raw")
@ConditionalOnProperty(prefix = "cipher.key", name = "private-key")
public TextEncryptor textRawEncryptor() {
  log.info("Private key provided in properties file to encrypt text");
  return new RsaRawEncryptor(keyProperties.getPrivateKey());
}

And this is my simple test:

@Test
public void encryptorTest() {
  String test = "test";
  String encrypted = textEncryptor.encrypt(test);
  String decrypted = textEncryptor.decrypt(encrypted);
  assertEquals(test, decrypted);
}

Now if I inject the default encryptor (the RsaSecretEncryptor one) into my code the test passes, however, if I inject the RsaRawEncryptor one I get the following exception:

java.lang.IllegalStateException: Cannot decrypt

	at org.springframework.security.rsa.crypto.RsaRawEncryptor.decrypt(RsaRawEncryptor.java:160)
	at org.springframework.security.rsa.crypto.RsaRawEncryptor.decrypt(RsaRawEncryptor.java:113)
	at org.springframework.security.rsa.crypto.RsaRawEncryptor.decrypt(RsaRawEncryptor.java:102)
	at com.test.encryptorTest(EncryptorTest.java:199)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.springframework.test.context.junit4.statements.RunBeforeTestExecutionCallbacks.evaluate(RunBeforeTestExecutionCallbacks.java:74)
	at org.springframework.test.context.junit4.statements.RunAfterTestExecutionCallbacks.evaluate(RunAfterTestExecutionCallbacks.java:84)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:75)
	at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:86)
	at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:84)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:251)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:97)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
	at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
	at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:190)
	at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
	at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)
	at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:33)
	at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:230)
	at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:58)
Caused by: javax.crypto.BadPaddingException: Decryption error
	at sun.security.rsa.RSAPadding.unpadV15(RSAPadding.java:383)
	at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:294)
	at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:363)
	at com.sun.crypto.provider.RSACipher.engineDoFinal(RSACipher.java:389)
	at javax.crypto.Cipher.doFinal(Cipher.java:2047)
	at org.springframework.security.rsa.crypto.RsaRawEncryptor.decrypt(RsaRawEncryptor.java:151)
	... 34 more

Shouldn't both work well with the same keypair?
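A JDK-only consistency check, added here as an example and not code from spring-security-rsa or from the reporter: it verifies that a key pair's public and private halves share one modulus and runs a raw RSA/PKCS#1 v1.5 round trip through javax.crypto alone, so the "Cannot decrypt" failure can be attributed either to the key material or to the library. The class and method names are my own, and the key pairs are generated in-process rather than loaded from the reporter's properties; a deliberately mixed pair stands in for a public key that does not belong to the private key.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;

/**
 * Added diagnostic, not part of spring-security-rsa. Checks that an RSA key pair is
 * self-consistent and that a raw RSA/PKCS#1 v1.5 round trip works with the JDK alone.
 */
public class RsaRoundTripCheck {

    // One raw RSA block with the same padding the report's trace fails to unpad.
    private static final String TRANSFORMATION = "RSA/ECB/PKCS1Padding";

    /** True only if the public and private halves share the same modulus. */
    static boolean isConsistent(KeyPair pair) {
        RSAPublicKey pub = (RSAPublicKey) pair.getPublic();
        RSAPrivateKey priv = (RSAPrivateKey) pair.getPrivate();
        return pub.getModulus().equals(priv.getModulus());
    }

    static byte[] encrypt(RSAPublicKey pub, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, pub);
        // Throws IllegalBlockSizeException if plain is longer than modulusBytes - 11.
        return c.doFinal(plain);
    }

    static byte[] decrypt(RSAPrivateKey priv, byte[] cipherText) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, priv);
        return c.doFinal(cipherText);
    }

    /** Encrypts with the pair's public key, decrypts with its private key, reports the outcome. */
    static String roundTrip(KeyPair pair, String text) throws Exception {
        byte[] ct = encrypt((RSAPublicKey) pair.getPublic(), text.getBytes(StandardCharsets.UTF_8));
        try {
            byte[] pt = decrypt((RSAPrivateKey) pair.getPrivate(), ct);
            return new String(pt, StandardCharsets.UTF_8).equals(text) ? "OK" : "plaintext mismatch";
        } catch (BadPaddingException e) {
            // Same exception class as in the trace above: a private key that does not match the
            // public key turns the block into random bytes, so the PKCS#1 v1.5 unpadding fails.
            return "BadPaddingException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair good = gen.generateKeyPair();
        KeyPair other = gen.generateKeyPair();
        // Constructed mismatch: public key from one pair, private key from another.
        KeyPair mixed = new KeyPair(good.getPublic(), other.getPrivate());

        System.out.println("good  consistent=" + isConsistent(good) + " roundTrip=" + roundTrip(good, "test"));
        System.out.println("mixed consistent=" + isConsistent(mixed) + " roundTrip=" + roundTrip(mixed, "test"));
    }
}
```

Run the same two checks against the pair that RsaKeyHelper parses from the properties file: if isConsistent reports false, or the JDK round trip fails with the same BadPaddingException, the key material is the problem rather than RsaRawEncryptor. Note also that PKCS#1 v1.5 limits one raw RSA block to the modulus length minus 11 bytes (117 bytes for a 1024-bit key); exceeding it fails at encrypt time with IllegalBlockSizeException, not with a padding error at decrypt time.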

Enhancement: Configurable keystore type

I found the keystore.type "jks" hard-coded in the KeyStoreKeyFactory.getKeyPair(..) method. Is it possible to make the keystore.type configurable?
For example via the existing:
encrypt:
  keyStore:
    type: "jceks"

Update bouncycastle

Latest version of bcpkix-jdk15on is 1.70 (currently 1.69 is used).

But apparently it is time to switch to bcpkix-jdk18on, because Bouncy Castle compiles for Java 8 in its pom anyway. bcpkix-jdk18on seems to be better maintained.

CVE-2023-33201 - bcprov-jdk15on

At the moment, if we look into the spring-cloud-sleuth dependency tree, we have something like this.

A CVE was created related to the bcprov-jdk15on version.
I reached out to their team and this dependency was split.

I would love it if you guys took this into consideration since bcprov-jdk15on is no longer supported.

Thank you!

Base64 exception

I am using openssl:

openssl genrsa -out private.pem 1024

to generate an RSA private key, and then read the file to create an RsaRawEncryptor object, but it throws an exception:

Exception in thread "main" java.lang.IllegalArgumentException: Illegal base64 character a
	at java.util.Base64$Decoder.decode0(Base64.java:714)
	at java.util.Base64$Decoder.decode(Base64.java:526)
	at org.springframework.util.Base64Utils.decode(Base64Utils.java:59)
	at org.springframework.security.rsa.crypto.RsaKeyHelper.base64Decode(RsaKeyHelper.java:133)
	at org.springframework.security.rsa.crypto.RsaKeyHelper.parseKeyPair(RsaKeyHelper.java:78)
	at org.springframework.security.rsa.crypto.RsaRawEncryptor.<init>(RsaRawEncryptor.java:67)
	at com.mofeng.admin.util.RsaUtils.<init>(RsaUtils.java:29)
	at com.mofeng.admin.util.RsaUtils.main(RsaUtils.java:48)

With the help of a search engine, I found the reason:

java.util.Base64 cannot handle content that contains newlines.

But the format of the private key file looks like:

-----BEGIN RSA PRIVATE KEY-----
something......\n
something......\n
......
-----END RSA PRIVATE KEY-----

If the developer did not modify the file content, it will contain newlines.

I solved this problem by:

pemData = pemData.replaceAll("[\r\n]", "");

But I think loading the native file is a common usage. It is best to handle this situation.
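The decoder behaviour behind this report, shown as an added example that is not code from spring-security-rsa or from the reporter. The "a" in "Illegal base64 character a" is the hex value of the rejected byte, 0x0a, the newline itself: java.util.Base64's basic decoder rejects anything outside the base64 alphabet, whereas Base64.getMimeDecoder() skips line separators, which is what openssl's 64-column PEM body needs. The class, method and regular expression are my own; the PEM block is constructed in-process from arbitrary text and is not a real key.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not part of spring-security-rsa: decode a PEM body as written by
 * openssl (wrapped lines, LF or CRLF) instead of requiring a single-line string.
 */
public class PemBody {

    // "-----BEGIN <label>-----", the body, and the END line with the same label.
    private static final Pattern PEM = Pattern.compile(
            "-----BEGIN ([A-Z ]+)-----\\s*(.*?)\\s*-----END \\1-----", Pattern.DOTALL);

    /** Extracts the base64 body and decodes it; the MIME decoder ignores line breaks. */
    static byte[] decode(String pem) {
        Matcher m = PEM.matcher(pem);
        if (!m.find()) {
            throw new IllegalArgumentException("no PEM block found");
        }
        return Base64.getMimeDecoder().decode(m.group(2));
    }

    /** Reproduces the report: the basic decoder refuses a body that still contains '\n'. */
    static String strictDecodeResult(String body) {
        try {
            Base64.getDecoder().decode(body);
            return "decoded";
        } catch (IllegalArgumentException e) {
            // The message quoted in the report originates here; the character is printed in hex.
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample payload, long enough to be wrapped onto two lines. Not a key.
        byte[] payload = "not a real key, only bytes long enough to wrap past sixty-four columns"
                .getBytes(StandardCharsets.UTF_8);
        String wrapped = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                .encodeToString(payload);
        String pem = "-----BEGIN RSA PRIVATE KEY-----\n" + wrapped + "\n-----END RSA PRIVATE KEY-----\n";

        System.out.println("basic decoder: " + strictDecodeResult(wrapped));
        System.out.println("mime decoder:  " + new String(decode(pem), StandardCharsets.UTF_8));
        // Files saved on Windows carry CRLF; the same decoder handles them unchanged.
        System.out.println("crlf ok: " + (decode(pem.replace("\n", "\r\n")).length == payload.length));
    }
}
```

The reporter's replaceAll workaround and the MIME decoder reach the same result; the decoder route avoids hand-written whitespace handling and also tolerates a trailing newline or CRLF endings, which the basic decoder would reject one character at a time.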
