Consistent errors for KeyStoreWrapper decryption with any security provider #57132

Open
jkakavas opened this issue May 26, 2020 · 2 comments
Labels
:Core/Infra/Settings Settings infrastructure and APIs >enhancement help wanted adoptme :Security/Security Security issues without another label Team:Core/Infra Meta label for core/infra team Team:Security Meta label for security team

Comments

@jkakavas
Member

As identified in #57050 (comment), when using the BouncyCastle FIPS security provider, decryption with a wrong password fails in unpredictable ways. Sometimes the CipherInputStream doesn't throw an AEADBadTagException as expected, but readFully fails to read the stream fully, and thus we fail because of these unconsumed stream contents:

throw new SecurityException("Keystore has been corrupted or tampered with");

We should a) look at why this happens and b) figure out if there is a way to consistently catch exceptions caused by invalid passwords for any security provider, so that we can throw a relevant and useful error message for the users.

@jkakavas jkakavas added >enhancement :Core/Infra/Settings Settings infrastructure and APIs :Security/Security Security issues without another label labels May 26, 2020
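One way to get a single failure path for a wrong password is to decrypt the buffered ciphertext with `Cipher.doFinal` rather than reading through a `CipherInputStream`, and to map the `BadPaddingException` it is documented to throw on a GCM tag mismatch (`AEADBadTagException` is a subclass) to one message. This is an added example, not Elasticsearch code or part of the issue; the class name, KDF parameters, error text and sample payload are assumptions, and it assumes the encrypted data fits in memory.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;

// Added example, not Elasticsearch code. Names, KDF parameters and messages are assumptions.
public class GcmWrongPasswordDemo {
    static final int TAG_BITS = 128, ITERATIONS = 10_000, KEY_BITS = 128;

    static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    static byte[] crypt(int mode, char[] password, byte[] salt, byte[] iv, byte[] input)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(mode, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        // One call over the whole buffer: on decrypt, output is returned only if the tag verifies.
        return cipher.doFinal(input);
    }

    /** Maps a GCM tag failure to one error; a bad tag means a wrong password or altered data. */
    static byte[] decrypt(char[] password, byte[] salt, byte[] iv, byte[] ciphertext)
            throws GeneralSecurityException {
        try {
            return crypt(Cipher.DECRYPT_MODE, password, salt, iv, ciphertext);
        } catch (BadPaddingException e) { // AEADBadTagException extends BadPaddingException
            throw new SecurityException("Keystore password was incorrect, or the keystore is corrupted", e);
        }
    }

    public static void main(String[] args) throws Exception {
        SecureRandom random = new SecureRandom();
        byte[] salt = new byte[64], iv = new byte[12];
        random.nextBytes(salt);
        random.nextBytes(iv);
        // Constructed sample payload standing in for keystore entries.
        byte[] secret = "sample.setting=value".getBytes(StandardCharsets.UTF_8);
        byte[] ciphertext = crypt(Cipher.ENCRYPT_MODE, "correct".toCharArray(), salt, iv, secret);
        System.out.println(new String(decrypt("correct".toCharArray(), salt, iv, ciphertext), StandardCharsets.UTF_8));
        try {
            decrypt("wrong".toCharArray(), salt, iv, ciphertext);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```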
@elasticmachine
Collaborator

Pinging @elastic/es-core-infra (:Core/Infra/Settings)

@elasticmachine elasticmachine added the Team:Core/Infra Meta label for core/infra team label May 26, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-security (:Security/Security)

@elasticmachine elasticmachine added the Team:Security Meta label for security team label May 26, 2020
@rjernst rjernst added the needs:triage Requires assignment of a team area label label Dec 3, 2020
@gwbrown gwbrown added help wanted adoptme and removed needs:triage Requires assignment of a team area label labels Dec 16, 2020