Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
1.4.2, 1.5.0
Description
Dear all,
Problem Description
the default cipher instance for the RememberMe Manager is set in the AbstractRememberMeManager's constructor:
AesCipherService cipherService = new AesCipherService();
Now, AesCipherService sets the Algorithm to AES and OperationMode to GCM in its constructor, but it inherits it's parents PaddingMode. Since the parent is "DefaultBlockCipherService" which is a block cipher service (as the name suggests), a padding is set and defaults to PKCS5.
This results in the method call javax.crypto.Cipher.getInstance( "AES/GCM/PKCS5Padding" ). Most JVMs can handle this well and will use javax.crypto.Cipher.getInstance( "AES/GCM/NoPadding" ) internally, but some do not, because Padding with a streaming cipher does not seem specified.
Therefore, the default shiro setup will not work on such JVMs, which is a regression:
java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/GCM/PKCS5Padding
Workarounds
Use this configuration in shiro.ini.
Note that you would not gain from security updates this way which is a big drawback!
cipherService = org.apache.shiro.crypto.AesCipherService cipherService.paddingSchemeName = NoPadding securityManager.rememberMeManager.cipherService = $cipherService
Proposed Solution
In AesCipherService, add this line to the constructor:
setPaddingMode(PaddingMode.NONE.getTransformationName());
Affected Versions
I also added 1.5.0 as affected, becaue I guess it might not make it. Remove this version from the affected versions list if applicable.
Attachments
Issue Links
- links to
