JBoss Enterprise Application Platform
JBEAP-12140

Elytron - OTP seed attribute in ldap-realm is Base64 encoded


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • 7.1.0.ER3
    • 7.1.0.ER2
    • Component: Security

      The ldap-realm.otp-credential-mapper.seed-from attribute in the Elytron subsystem refers to an LDAP attribute which stores an OTP seed. The LDAP attribute value currently has to be Base64 encoded, which seems to be wrong.

      The problem is in the Elytron class org.wildfly.security.auth.realm.ldap.OtpCredentialLoader which handles the encoding/decoding.

      The OTP RFC 2289 says

         The seed MUST consist of purely alphanumeric characters and MUST be
         of one to 16 characters in length. The seed is a string of characters
         that MUST not contain any blanks and SHOULD consist of strictly
         alphanumeric characters from the ISO-646 Invariant Code Set.  The
         seed MUST be case insensitive and MUST be internally converted to
         lower case before it is processed.

      That is, there is no need to Base64-encode the string bytes: the seed is already a short alphanumeric string that can be stored in the LDAP attribute as-is.

      Suggested fix
      Don't encode/decode the LDAP attribute value.
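To make the RFC 2289 seed rules and the two loader behaviours concrete, the following is an added Python model; it is not Elytron's OtpCredentialLoader code. The seed "ke1234", the passphrase and the 16-character seed are constructed sample values, and the two `seed_*_loader` functions are an assumed simplification of the current and the suggested behaviour.

```python
import base64
import hashlib
import re

# RFC 2289: 1..16 characters, strictly alphanumeric (ISO-646 invariant set),
# no blanks, case-insensitive and lower-cased before use.
_SEED_RE = re.compile(r"[A-Za-z0-9]{1,16}")


def is_valid_seed(raw: str) -> bool:
    """True if raw is a well-formed RFC 2289 seed as it should appear in LDAP."""
    return _SEED_RE.fullmatch(raw) is not None


def normalize_seed(raw: str) -> str:
    """Validate a seed and return the lower-case form the hash chain uses."""
    if not is_valid_seed(raw):
        raise ValueError(f"not an RFC 2289 seed: {raw!r}")
    return raw.lower()


def fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XOR-ing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(seed: str, passphrase: str, count: int) -> bytes:
    """RFC 2289 OTP (MD5 variant): hash seed+passphrase once, then `count` more times."""
    state = fold(hashlib.md5((normalize_seed(seed) + passphrase).encode("ascii")).digest())
    for _ in range(count):
        state = fold(hashlib.md5(state).digest())
    return state


# Assumed model of the two loader behaviours, not the OtpCredentialLoader code itself.
def stored_value_current_loader(seed: str) -> str:
    """What an admin must write to the LDAP attribute when the loader Base64-decodes it."""
    return base64.b64encode(seed.encode("ascii")).decode("ascii")


def seed_current_loader(attribute_value: str) -> str:
    """Current behaviour: Base64-decode the attribute, then treat the result as the seed."""
    return normalize_seed(base64.b64decode(attribute_value, validate=True).decode("ascii"))


def seed_fixed_loader(attribute_value: str) -> str:
    """Suggested fix: the attribute value is the seed itself, no decoding."""
    return normalize_seed(attribute_value)


if __name__ == "__main__":
    seed = "ke1234"                                # constructed sample seed
    stored = stored_value_current_loader(seed)    # "a2UxMjM0": looks like a seed, but is not the real one
    # Another RFC 2289 client reading the attribute literally derives a different OTP chain.
    print(stored, otp_md5(seed, "This is a test.", 99).hex(), otp_md5(stored, "This is a test.", 99).hex())
```

Note that the Base64 form of a seed longer than 12 characters carries padding or exceeds 16 characters, so it is not even a syntactically valid seed for other OTP tools reading the same directory entry.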

            jkalina@redhat.com Jan Kalina (Inactive)
            josef.cacek@gmail.com Josef Cacek (Inactive)