11-15-07 06:11 AM
[ https://issues.apache.org/jira/brow...ls:all-tabpanel ]
Leo Li updated DIRSERVER-1100:
------------------------------
Attachment: Directory_100.diff
Hi, all
Will somebody have a look at it.
If it works, maybe I shall append a testcase.
Thanks,
Leo.
> [kerberos]org.apache.directory.server.kerberos.shared.crypto.encryptio
n.DesCbcCrcEncryption cannot decrypt the encryptiondata it generated.
> --------------------------------------------------------------------------
-----------------------------------------------------------------
>
> Key: DIRSERVER-1100
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1100
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: kerberos
> Reporter: Leo Li
> Attachments: Directory_100.diff
>
>
> Here is an example:
> import javax.security.auth.kerberos.KerberosKey;
> import javax.security.auth.kerberos.KerberosPrincipal;
> import org.apache.directory.server.kerberos.shared.messages.value.Encrypte
dData;
> import org.apache.directory.server.kerberos.shared.messages.value.Encrypti
onKey;
> import org.apache.directory.server.kerberos.shared.crypto.encryption.*;
> public static void main(String[] args) throws Exception{
> final char[] PASSWORD = "PASSWORD".toCharArray();
> KerberosKey key = new KerberosKey(new KerberosPrincipal("servicetes
t-eoiNrCBZWh+uvtTkCOosKA@public.gmane.org"),PASSWORD, "DES");
> byte[] keyBytes = key.getEncoded();
> EncryptionKey encryptionKey = new EncryptionKey(EncryptionType.DES_
CBC_CRC, keyBytes);
> byte[] plainText = {1,2,3,4,5,6,7};
> DesCbcCrcEncryption encryption = new DesCbcCrcEncryption();
> EncryptedData encryptionData = encryption.getEncryptedData(encrypti
onKey, plainText, KeyUsage.NUMBER1); // I am not sure of which KeyUsage sho
uld use here, but it is not referenced in source code. So I think any will w
ork.
> encryption.getDecryptedData(encryptionKey, encryptionData, KeyUsage
.NUMBER1);
> System.out.println("Succeed!");
> }
> But it fails with such complain:
> Exception in thread "main" org.apache.directory.server.kerberos.shared.exc
eptions.KerberosException: Integrity check on decrypted field failed
> at org.apache.directory.server.kerberos.shared.crypto.encryption.DesCbcCr
cEncryption.getDecryptedData(DesCbcCrcEncryption.java:113)
> at TestDESCBCCRC.main(TestDESCBCCRC.java:21)
> After I look a further into it, it is due to current implementation (r595
192) there is two paddings in DesCbcCrcEncryption.getEncryptedData:
> LINE 126:
> byte[] paddedPlainText = padString( plainText );
> byte[] dataBytes = concatenateBytes( conFounder, concatenateBy
tes( zeroedChecksum, paddedPlainText ) );
> byte[] checksumBytes = calculateIntegrity( dataBytes, null, us
age );
> byte[] paddedDataBytes = padString( dataBytes );
> But RFC 3961
> "One generates a random confounder of one block, placing it in
> 'confounder'; zeros out the 'checksum' field (of length appropriate
> to exactly hold the checksum to be computed); adds the necessary
> padding; calculates the appropriate checksum over the whole sequence,
> placing the result in 'checksum'; and then encrypts using the
> specified encryption type and the appropriate key."
> So the checksum should be calculated after all padding for encryption has
finished.
> It seems that the same problem occurs in other Encryption classes.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[ Post a follow-up to this message ]
| 
