DERBY-5969

Encryption, re-encryption, and un-encryption silently fail if the database is already booted.

    Details

    • Issue & fix info:
      Release Note Needed, Repro attached
    • Bug behavior facts:
      Security

      Description

      If the database is already booted, then the DBO's attempt to re-encrypt or un-encrypt the database will silently fail. It will appear to the DBO that the re(un)encryption succeeded but in fact the database will not be changed. Derby should raise an error if the database is already booted when the DBO attempts re(un)encryption.

      1. releaseNote.html
        3 kB
        Rick Hillegas
      2. derby-5969-01-aa-warnEncryptionOnBootedDB.diff
        6 kB
        Rick Hillegas

          Activity

          Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
          Open -> Resolved | 10d 1h 49m | 1 | Rick Hillegas | 08/Nov/12 19:43
          Resolved -> Closed | 5s | 1 | Rick Hillegas | 08/Nov/12 19:44
          Closed -> Reopened | 231d 2h 56m | 1 | Mike Matrigali | 27/Jun/13 23:40
          Reopened -> Closed | 2m 17s | 1 | Mike Matrigali | 27/Jun/13 23:42
          Gavin made changes -
          Workflow jira [ 12731840 ] Default workflow, editable Closed status [ 12802216 ]
          Mike Matrigali made changes -
          Status Reopened [ 4 ] Closed [ 6 ]
          Resolution Fixed [ 1 ]
          Mike Matrigali made changes -
          Labels derby_backport_reject_10_9
          Mike Matrigali added a comment -

          Don't think this one should be backported. It is a behavior change with a release note for 10.10, so not appropriate to backport to an existing release.

          Mike Matrigali made changes -
          Resolution Fixed [ 1 ]
          Status Closed [ 6 ] Reopened [ 4 ]
          Knut Anders Hatlen made changes -
          Link This issue is duplicated by DERBY-2409 [ DERBY-2409 ]
          Rick Hillegas made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Rick Hillegas made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Fix Version/s 10.10.0.0 [ 12321550 ]
          Resolution Fixed [ 1 ]
          Rick Hillegas added a comment -

          Resolving this issue as fixed now that user documentation has been written and the release note has been posted.

          Rick Hillegas made changes -
          Assignee Rick Hillegas [ rhillegas ]
          Rick Hillegas made changes -
          Attachment releaseNote.html [ 12551859 ]
          Rick Hillegas added a comment -

          Attaching the first rev of a release note for this issue.

          Rick Hillegas added a comment -

          Committed derby-5969-01-aa-warnEncryptionOnBootedDB.diff at subversion revision 1404947.

          Rick Hillegas made changes -
          Link This issue is related to DERBY-5976 [ DERBY-5976 ]
          Rick Hillegas made changes -
          Summary Re-encryption and un-encryption silently fail if the database is already booted. Encryption, re-encryption, and un-encryption silently fail if the database is already booted.
          Rick Hillegas made changes -
          Issue & fix info Repro attached [ 10424 ] Release Note Needed,Repro attached [ 10101, 10424 ]
          Rick Hillegas added a comment -

          Attaching derby-5969-01-aa-warnEncryptionOnBootedDB.diff. This patch raises a SQLWarning if you attempt to change the encryption on an already booted database. The warning tells you that the encryption state was not changed and that you need to shutdown the database before attempting the operation. Tests passed cleanly for me.

          A warning is now raised if you set one of the following attributes while connecting to an already booted database:

          dataEncryption
          newBootPassword
          newEncryptionKey
          decryptDatabase

          My original plan was to raise an exception in these situations. The Reference Manual is quite clear that dataEncryption=true is supposed to be used to change the encryption state of a database. However, I decided that some applications may set dataEncryption=true every time that they connect to an encrypted database--in previous releases that attribute has been treated as a NOP if the database is already booted. So I downgraded the exception to a warning. I suppose that we could still raise an exception for the other attributes (I don't imagine anyone sets those attributes unless they really mean to change the encryption state of the database). But it seemed cleaner to me to have one SQLState for this condition and to treat all of the cases the same way.

          After committing this patch, we will want to modify the user guides to clarify the following point:

          o If you are changing the encryption state of the database, be sure to check for SQLWarnings after the change. The change succeeded only if there were no SQLWarnings or SQLExceptions.

          We should probably add a release note too just in case applications are checking for SQLWarnings after connecting to an already booted database with dataEncryption=true.

          Touches the following files:

          ------------------

          M java/engine/org/apache/derby/impl/jdbc/EmbedConnection.java
          M java/engine/org/apache/derby/loc/messages.xml
          M java/shared/org/apache/derby/shared/common/reference/SQLState.java

          Raise new warning.

          ------------------

          M java/testing/org/apache/derbyTesting/functionTests/tests/store/DecryptDatabaseTest.java
          M java/testing/org/apache/derbyTesting/junit/BaseJDBCTestCase.java

          New tests to verify that the warning is raised.

          ------------------

          M java/testing/org/apache/derbyTesting/functionTests/master/URLCheck.out

          Adjust a test canon.

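Added example, not part of the issue or the Derby patch: one way an application can follow the guidance in the comment above and treat an encryption change as successful only when the connection carries no SQLWarning and raised no SQLException. The class and method names are hypothetical, the embedded Derby driver is assumed to be on the classpath, and the URL and credentials are the ones from the repro script on this page.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.SQLWarning;

public class ChangeEncryptionState {

    // Shut the database down so that the next connection is the one that boots it.
    // Embedded Derby reports a successful single-database shutdown as an
    // SQLException with SQLState 08006; any other state is rethrown.
    static void shutdown(String dbUrl, String user, String password) throws SQLException {
        try {
            DriverManager.getConnection(dbUrl + ";shutdown=true", user, password).close();
        } catch (SQLException e) {
            if (!"08006".equals(e.getSQLState())) {
                throw e;
            }
        }
    }

    // attrs carries the boot credentials plus one of the attributes named in
    // the issue comment, e.g. "bootPassword=...;decryptDatabase=true".
    static void changeEncryption(String dbUrl, String user, String password, String attrs)
            throws SQLException {
        shutdown(dbUrl, user, password);
        try (Connection conn = DriverManager.getConnection(dbUrl + ";" + attrs, user, password)) {
            // Another session may have booted the database between the shutdown
            // and this connect; the warning is the only signal of that.
            SQLWarning w = conn.getWarnings();
            if (w != null) {
                StringBuilder msg = new StringBuilder("encryption state was not changed:");
                for (; w != null; w = w.getNextWarning()) {
                    msg.append(" [").append(w.getSQLState()).append("] ").append(w.getMessage());
                }
                throw new SQLException(msg.toString());
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // URL, user and passwords are the ones from the repro script on this page.
        changeEncryption("jdbc:derby:db", "test_dbo", "test_dbopassword",
                "bootPassword=foobarwibblewombat;decryptDatabase=true");
        System.out.println("encryption state changed");
    }
}
```

Because the check fails on any warning rather than on one particular SQLState, an application that sets dataEncryption=true on every connection would start failing here; that is the compatibility concern the comment gives for choosing a warning over an exception.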
          Rick Hillegas made changes -
          Link This issue relates to DERBY-2409 [ DERBY-2409 ]
          Rick Hillegas made changes -
          Issue & fix info Repro attached [ 10424 ]
          Rick Hillegas added a comment -

          The following script shows this problem:

          connect 'jdbc:derby:db;create=true;user=test_dbo;dataEncryption=true;bootPassword=foobarwibblewombat';

          call syscs_util.syscs_create_user( 'test_dbo', 'test_dbopassword' );
          call syscs_util.syscs_create_user( 'fred', 'fredpassword' );

          -- shutdown the database
          connect 'jdbc:derby:db;shutdown=true';

          -- let another user boot the database
          connect 'jdbc:derby:db;user=fred;password=fredpassword;bootPassword=foobarwibblewombat';

          -- the following attempt to decrypt the database appears to work
          -- but actually fails.
          connect 'jdbc:derby:db;user=test_dbo;password=test_dbopassword;bootPassword=foobarwibblewombat;decryptDatabase=true';

          -- shutdown the database
          connect 'jdbc:derby:db;shutdown=true;user=test_dbo;password=test_dbopassword';

          -- this demonstrates that the unencryption failed
          connect 'jdbc:derby:db;user=test_dbo;password=test_dbopassword';

          Rick Hillegas added a comment -

          Linking to derby-5968 because this problem came up while thinking about that issue. Linking to derby-5792 because this cluster of issues came up while buddy-testing that feature.

          Rick Hillegas made changes -
          Link This issue relates to DERBY-5968 [ DERBY-5968 ]
          Rick Hillegas made changes -
          Field Original Value New Value
          Link This issue relates to DERBY-5792 [ DERBY-5792 ]
          Rick Hillegas created issue -

            People

            • Assignee:
              Rick Hillegas
              Reporter:
              Rick Hillegas