
Elytron: OTP seed as byte array instead of String


    Details

    • Type: Bug
    • Status: Verified
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 7.1.0.ER2
    • Fix Version/s: 7.1.0.ER3
    • Component/s: Security
    • Labels:
      None

      Description

      The org.wildfly.security.password.interfaces.OneTimePassword interface contains a getSeed() method which is of type byte[]. The more proper type seems to be a String (or char[]).

      The OneTimePassword interface type description says:

      A one-time password, used by the OTP SASL mechanism.

      The OTP RFC 2289 says:

         The seed MUST consist of purely alphanumeric characters and MUST be
         of one to 16 characters in length. The seed is a string of characters
         that MUST not contain any blanks and SHOULD consist of strictly
         alphanumeric characters from the ISO-646 Invariant Code Set.  The
         seed MUST be case insensitive and MUST be internally converted to
         lower case before it is processed.
      

      Suggested fix:
      Change the getSeed() method type to String.
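
The seed rules quoted from RFC 2289 above, as an added example that is not part of the original report and is not Elytron code. `OtpSeed` and its methods are hypothetical names; the example assumes the strict reading of the RFC (ASCII letters and digits only) and shows the explicit charset decision a byte[] seed forces on every caller.

```java
import java.nio.charset.StandardCharsets;

/** Hypothetical helper for illustration; not a class from WildFly Elytron. */
public final class OtpSeed {

    private OtpSeed() {}

    /** Validates a seed against the RFC 2289 rules and returns its lower-case form. */
    public static String normalize(String seed) {
        if (seed == null || seed.isEmpty() || seed.length() > 16) {
            throw new IllegalArgumentException("seed must be 1 to 16 characters");
        }
        StringBuilder out = new StringBuilder(seed.length());
        for (int i = 0; i < seed.length(); i++) {
            char c = seed.charAt(i);
            if (c >= 'A' && c <= 'Z') {
                // ASCII-only lowering: independent of the default locale,
                // unlike String.toLowerCase() without an explicit Locale.
                c = (char) (c + ('a' - 'A'));
            } else if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9'))) {
                // Rejects blanks, punctuation and non-ASCII letters, which
                // Character.isLetterOrDigit() would let through.
                throw new IllegalArgumentException("illegal seed character at index " + i);
            }
            out.append(c);
        }
        return out.toString();
    }

    /** Decodes a byte[] seed, refusing bytes outside 7-bit ASCII, then validates it. */
    public static String fromBytes(byte[] seed) {
        if (seed == null) {
            throw new IllegalArgumentException("seed must not be null");
        }
        for (byte b : seed) {
            if (b < 0) {
                throw new IllegalArgumentException("non-ASCII byte in seed");
            }
        }
        return normalize(new String(seed, StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not values from the issue.
        System.out.println(normalize("TeSt"));
        System.out.println(fromBytes("AlPhA1".getBytes(StandardCharsets.US_ASCII)));
        for (String bad : new String[] {"", "has blank", "abcdefghijklmnopq", "s\u00ebed"}) {
            try {
                normalize(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected \"" + bad + "\": " + e.getMessage());
            }
        }
    }
}
```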

              People

              Assignee:
              yersan Yeray Borges Santana
              Reporter:
              jcacek Josef Cacek