dsyer / spring-security-rsa
License: Apache License 2.0
Compile dependency bcprov-jdk18on 1.77 has a recently published CVE. Please upgrade dependency bcprov-jdk18on to 1.78 or above in spring-security-rsa.
Related tickets:
Hi,
Do you have a plan to promote spring-security-rsa to the spring-security project?
This project is used by spring-cloud-common.
I wonder why this is not under spring-security.
I would like to use the official RsaSecretEncryptor.
I hope this project will be managed by the Spring IO Platform.
Hello, I'm using spring-security-rsa version 1.0.9.RELEASE with Spring Boot 2.2.2, but I'm unable to successfully encrypt and decrypt a simple string using the RsaRawEncryptor, while with RsaSecretEncryptor it works correctly. These are my two test encryptors:
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.rsa.crypto.RsaRawEncryptor;
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;

// Default TextEncryptor bean: RsaSecretEncryptor built from the PEM private key in properties
@Bean
@ConditionalOnProperty(prefix = "cipher.key", name = "private-key")
public TextEncryptor textEncryptor() {
    log.info("Private key provided in properties file to encrypt text");
    return new RsaSecretEncryptor(keyProperties.getPrivateKey());
}

// Second bean, qualified "raw": RsaRawEncryptor built from the same PEM string
@Bean("raw")
@ConditionalOnProperty(prefix = "cipher.key", name = "private-key")
public TextEncryptor textRawEncryptor() {
    log.info("Private key provided in properties file to encrypt text");
    return new RsaRawEncryptor(keyProperties.getPrivateKey());
}
And this is my simple test:
@Test
public void encryptorTest() {
    String test = "test";
    String encrypted = textEncryptor.encrypt(test);   // textEncryptor is the injected TextEncryptor bean
    String decrypted = textEncryptor.decrypt(encrypted);
    assertEquals(test, decrypted);
}
Now, if I inject the default encryptor (the RsaSecretEncryptor one) into my code, the test passes; however, if I inject the RsaRawEncryptor one, I get the following exception:
java.lang.IllegalStateException: Cannot decrypt
at org.springframework.security.rsa.crypto.RsaRawEncryptor.decrypt(RsaRawEncryptor.java:160)
at org.springframework.security.rsa.crypto.RsaRawEncryptor.decrypt(RsaRawEncryptor.java:113)
at org.springframework.security.rsa.crypto.RsaRawEncryptor.decrypt(RsaRawEncryptor.java:102)
at com.test.encryptorTest(EncryptorTest.java:199)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.springframework.test.context.junit4.statements.RunBeforeTestExecutionCallbacks.evaluate(RunBeforeTestExecutionCallbacks.java:74)
at org.springframework.test.context.junit4.statements.RunAfterTestExecutionCallbacks.evaluate(RunAfterTestExecutionCallbacks.java:84)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:75)
at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:86)
at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:84)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:251)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:97)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:190)
at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)
at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:33)
at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:230)
at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:58)
Caused by: javax.crypto.BadPaddingException: Decryption error
at sun.security.rsa.RSAPadding.unpadV15(RSAPadding.java:383)
at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:294)
at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:363)
at com.sun.crypto.provider.RSACipher.engineDoFinal(RSACipher.java:389)
at javax.crypto.Cipher.doFinal(Cipher.java:2047)
at org.springframework.security.rsa.crypto.RsaRawEncryptor.decrypt(RsaRawEncryptor.java:151)
... 34 more
Shouldn't both work well with the same keypair?
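The `Caused by` frame in the trace, `sun.security.rsa.RSAPadding.unpadV15`, is the JDK removing PKCS#1 v1.5 type-2 padding after the raw RSA operation, and "Decryption error" is the single generic message it uses for every malformed block: a private key that does not belong to the public key used to encrypt, a ciphertext altered in transit, or data encrypted under a different padding mode all look identical from the outside. The following is an added example, not code from spring-security-rsa or from the reporter: it implements the v1.5 pad/unpad steps over a compact textbook RSA (512-bit keys and a Miller-Rabin prime search, chosen only so the file runs offline in well under a second) and shows the same-key round trip succeeding while a private key from a different pair fails inside the unpad step. The key size, the function names and the use of `secrets` are this example's own choices.

```python
"""PKCS#1 v1.5 type-2 padding: the step behind "BadPaddingException:
Decryption error" in the trace above (frame RSAPadding.unpadV15).
Added example, not spring-security-rsa code. Key generation is textbook
RSA kept minimal so the file runs offline; use a vetted library for real use.
"""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with trial division up front."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Odd candidate with the top bit set, retried until probably prime."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). 512 bits keeps the demo fast, not safe."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x02 || PS || 0x00 || M, with PS >= 8 nonzero random bytes."""
    if len(message) > k - 11:
        raise ValueError("message too long")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(message) - 3))
    return b"\x00\x02" + ps + b"\x00" + message


def pkcs1_v15_unpad(em: bytes) -> bytes:
    """Every structural failure collapses into one generic error, as in the
    JDK: the caller cannot tell a wrong key from damaged ciphertext.
    (Real decoders also avoid these early exits so that timing does not
    reveal which check failed; that leak is the Bleichenbacher oracle.)"""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("Decryption error")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # -1 (no separator) or a padding string shorter than 8 bytes
        raise ValueError("Decryption error")
    return em[sep + 1:]


def encrypt(public_key, message: bytes) -> bytes:
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(pkcs1_v15_pad(message, k), "big")
    return pow(m, e, n).to_bytes(k, "big")


def decrypt(private_key, ciphertext: bytes) -> bytes:
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    c = int.from_bytes(ciphertext, "big")
    if len(ciphertext) != k or c >= n:
        raise ValueError("Decryption error")
    return pkcs1_v15_unpad(pow(c, d, n).to_bytes(k, "big"))


def round_trip_demo() -> dict:
    """Same pair round-trips; a private key from another pair does not."""
    public_key, private_key = generate_keypair()
    _, other_private_key = generate_keypair()
    ciphertext = encrypt(public_key, b"test")
    result = {"same_key_ok": decrypt(private_key, ciphertext) == b"test",
              "wrong_key_error": None}
    try:
        decrypt(other_private_key, ciphertext)
    except ValueError as exc:
        result["wrong_key_error"] = str(exc)
    return result


if __name__ == "__main__":
    print(round_trip_demo())
```

Run as-is to print the result dictionary. The point for a setup like the reporter's is in `pkcs1_v15_unpad`: the check is deliberately opaque, so the exception alone cannot say whether the encrypting and decrypting sides used matching key material and the same padding mode; that has to be verified directly on both sides.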
I found the keystore type "jks" hard-coded in the KeyStoreKeyFactory.getKeyPair(..) method. Is it possible to make the keystore type configurable?
For example, via the existing:
encrypt:
  keyStore:
    type: "jceks"
Please update bouncycastle version to 1.59
All the usages of bouncycastle classes are in the "bcprov" lib, so depending on "bcpkix" is more than is needed.
The latest version of bcpkix-jdk15on is 1.70 (1.69 is currently used):
But apparently it is time to switch to bcpkix-jdk18on, because bouncycastle compiles for Java 8 in its pom anyway. bcpkix-jdk18on seems to be better maintained.
At the moment, if we look into the spring-cloud-sleuth dependency tree, we would have something like this.
A CVE was created related to the bcprov-jdk15on version.
I reached out to their team and this dependency was split.
I would love it if you guys took this into consideration, since bcprov-jdk15on is no longer supported.
Thank you!
I am using openssl:
openssl genrsa -out private.pem 1024
to generate an RSA private key. I then read the file to create an RsaRawEncryptor object, but it throws an exception:
Exception in thread "main" java.lang.IllegalArgumentException: Illegal base64 character a
at java.util.Base64$Decoder.decode0(Base64.java:714)
at java.util.Base64$Decoder.decode(Base64.java:526)
at org.springframework.util.Base64Utils.decode(Base64Utils.java:59)
at org.springframework.security.rsa.crypto.RsaKeyHelper.base64Decode(RsaKeyHelper.java:133)
at org.springframework.security.rsa.crypto.RsaKeyHelper.parseKeyPair(RsaKeyHelper.java:78)
at org.springframework.security.rsa.crypto.RsaRawEncryptor.<init>(RsaRawEncryptor.java:67)
at com.mofeng.admin.util.RsaUtils.<init>(RsaUtils.java:29)
at com.mofeng.admin.util.RsaUtils.main(RsaUtils.java:48)
With the help of a search engine, I found the reason:
java.util.Base64 cannot decode content that contains newlines.
But the private key file looks like:
-----BEGIN RSA PRIVATE KEY-----
something......\n
something......\n
......
-----END RSA PRIVATE KEY-----
If the developer did not modify the file content, it will contain newlines.
I solved this problem by:
pemData = pemData.replaceAll("[\r\n]", "");  // drop CR/LF line breaks before the base64 body is decoded
But I think loading the file as-is is a common usage. It would be best to handle this situation.
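As an added example (not the project's own parser and not the reporter's code), here is the handling the post asks for, written in Python: a loader that strips the PEM armour and every line break before base64-decoding, beside the strict decode that reproduces the failure. `java.util.Base64.getDecoder()`, the decoder in the trace, rejects any byte outside the base64 alphabet, newlines included; `base64.b64decode(..., validate=True)` behaves the same way in Python. The PEM body used here is a constructed placeholder, not a real key, so the file runs offline; the label check and the DER-SEQUENCE sanity check are this example's additions. One caveat on the command quoted above: `openssl genrsa ... 1024` produces a 1024-bit modulus, which has been below the accepted 2048-bit floor for years; generate 2048 bits or more for any new key.

```python
"""Read an RSA key straight from the PEM file `openssl genrsa` writes,
line breaks included. Added example, not spring-security-rsa code.
SAMPLE_PEM is a constructed placeholder (not a real key); replace it
with the contents of private.pem to use the loader for real.
"""
import base64
import binascii
import re
from typing import Tuple

# Constructed placeholder payload: 64 bytes that merely begin with the DER
# SEQUENCE tag (0x30) that every RSAPrivateKey / PrivateKeyInfo starts with.
FAKE_DER = bytes([0x30, 0x82]) + bytes(range(62))
PEM_BODY = base64.b64encode(FAKE_DER).decode("ascii")
# Armoured and wrapped at 64 columns, the layout openssl emits.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    + "\n".join(PEM_BODY[i:i + 64] for i in range(0, len(PEM_BODY), 64))
    + "\n-----END RSA PRIVATE KEY-----\n"
)

# The label must match on both ends. "RSA PRIVATE KEY" is PKCS#1 and
# "PRIVATE KEY" is PKCS#8, so the label tells the caller which DER follows.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def strict_base64(body: str) -> bytes:
    """Same contract as java.util.Base64.getDecoder(): any character outside
    the alphabet, a newline included, is rejected (binascii.Error here)."""
    return base64.b64decode(body, validate=True)


def raw_body_decodes(pem_text: str) -> bool:
    """What the reporter hit: the multi-line body handed to a strict decoder
    without removing the line breaks fails."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        return False
    try:
        strict_base64(match.group("body"))
        return True
    except binascii.Error:
        return False


def parse_pem(pem_text: str) -> Tuple[str, bytes]:
    """Return (label, DER bytes), stripping the armour and all whitespace
    (LF, CR LF, stray spaces) before decoding."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM block found")
    body = re.sub(r"\s+", "", match.group("body"))
    try:
        der = strict_base64(body)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("decoded key is not a DER SEQUENCE")
    return match.group("label"), der


if __name__ == "__main__":
    print("raw body decodes:", raw_body_decodes(SAMPLE_PEM))  # False
    label, der = parse_pem(SAMPLE_PEM)
    print(label, len(der), "bytes")
```

`parse_pem` accepts LF, CR LF and single-line bodies alike, so the same code path serves a file copied verbatim from openssl and a key pasted into a properties value. Hand the returned DER to whatever key factory you use; the label tells you whether it is a PKCS#1 or PKCS#8 structure.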
Since this is a required dependency of spring-cloud-commons.
Hi,
I'm using spring-cloud-starter, which brings in the spring-security-rsa-1.0.9.RELEASE component,
which in turn depends on bcprov-jdk15on-1.64.
Unfortunately, the bouncycastle dependency brings in 2 critical security vulnerabilities.
Any chance of having those fixed in the near future?
Thank you.
There is an open vulnerability on bouncycastle versions before 1.51.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7940