  1. JBoss Enterprise Application Platform
  2. JBEAP-12139

Elytron: OTP seed as byte array instead of String

Details

    • Bug
    • Resolution: Done
    • Major
    • 7.1.0.ER3
    • 7.1.0.ER2
    • Security
    • None

    Description

      The org.wildfly.security.password.interfaces.OneTimePassword interface contains a getSeed() method which is of type byte[]. The more proper type seems to be a String (or char[]).

      The OneTimePassword interface type description says:

      A one-time password, used by the OTP SASL mechanism.

      The OTP RFC 2289 says:

         The seed MUST consist of purely alphanumeric characters and MUST be
         of one to 16 characters in length. The seed is a string of characters
         that MUST not contain any blanks and SHOULD consist of strictly
         alphanumeric characters from the ISO-646 Invariant Code Set.  The
         seed MUST be case insensitive and MUST be internally converted to
         lower case before it is processed.
      

      Suggested fix:
      Change the getSeed() method type to String.
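
The RFC 2289 seed rules quoted above, as an added Java example that is not part of the issue or of Elytron's code: it validates and lower-cases a String seed and shows which byte[] values cannot be valid seeds. The class and method names (OtpSeed, normalize, fromBytes) are hypothetical, and the sample inputs in main are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Locale;

// Added illustration; OtpSeed and its methods are hypothetical names, not Elytron API.
public final class OtpSeed {

    private OtpSeed() {}

    /** Validates a seed against the RFC 2289 rules quoted above and returns it lower-cased. */
    public static String normalize(String seed) {
        if (seed == null || seed.isEmpty() || seed.length() > 16) {
            throw new IllegalArgumentException("seed must be 1 to 16 characters long");
        }
        for (int i = 0; i < seed.length(); i++) {
            char c = seed.charAt(i);
            boolean alnum = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
            if (!alnum) {
                // Also rejects blanks, control characters and every non-ASCII character.
                throw new IllegalArgumentException("illegal seed character at index " + i);
            }
        }
        // Locale.ROOT keeps the result independent of the JVM default locale
        // (under a Turkish locale 'I' would lower-case to a dotless i).
        return seed.toLowerCase(Locale.ROOT);
    }

    /** Converts a seed held as byte[] to the validated String form. */
    public static String fromBytes(byte[] seed) {
        if (seed == null) {
            throw new IllegalArgumentException("seed is null");
        }
        for (byte b : seed) {
            if (b < 0) { // high bit set: not 7-bit ASCII, so it cannot be an RFC 2289 seed
                throw new IllegalArgumentException("seed is not 7-bit ASCII");
            }
        }
        return normalize(new String(seed, StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        System.out.println(normalize("TeSt1234"));
        // Constructed byte[] inputs: empty, contains a blank, UTF-8 bytes, 17 bytes long.
        for (byte[] bad : new byte[][] { {}, {'a', ' ', 'b'}, {(byte) 0xC3, (byte) 0xA9}, new byte[17] }) {
            try {
                System.out.println("accepted: " + fromBytes(bad));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```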

            People

              yborgess1@redhat.com Yeray Borges Santana
              josef.cacek@gmail.com Josef Cacek (Inactive)