  1. JBoss Web Server
  2. JWS-825

tomcat-vault throws an IllegalArgumentException when it can't find the attribute specified


Details

    • Bug
    • Resolution: Done
    • Minor
    • tomcat-vault

      1) Install and configure tomcat with tomcat-vault
      2) Update server.xml with a property that doesn't exist in the vault
      3) Start (or try and stop) tomcat to observe the exception


    Description

      When using the vault, if you specify an attribute that doesn't exist in the vault, you get an IllegalArgumentException like the following one:

      SEVERE [main] org.apache.tomcat.vault.util.PropertySourceVault.getProperty java.lang.IllegalArgumentException: Null input buffer
       org.apache.tomcat.vault.security.vault.SecurityVaultException: java.lang.IllegalArgumentException: Null input buffer
          at org.apache.tomcat.vault.security.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:299)
          at org.apache.tomcat.vault.util.PropertySourceVault.getProperty(PropertySourceVault.java:109)
          at org.apache.tomcat.vault.util.PropertySourceVault.init(PropertySourceVault.java:82)
          at org.apache.tomcat.vault.util.PropertySourceVault.<init>(PropertySourceVault.java:54)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
          at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
          at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
          at java.lang.Class.newInstance(Class.java:379)
          at org.apache.tomcat.util.digester.Digester.<clinit>(Digester.java:96)
          at org.apache.catalina.startup.Catalina.createStartDigester(Catalina.java:272)
          at org.apache.catalina.startup.Catalina.load(Catalina.java:514)
          at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:606)
          at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
          at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
      Caused by: java.lang.IllegalArgumentException: Null input buffer
          at javax.crypto.Cipher.doFinal(Cipher.java:2083)
          at org.apache.tomcat.vault.util.EncryptionUtil.decrypt(EncryptionUtil.java:134)
          at org.apache.tomcat.vault.security.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:295)
          ... 18 more
      

      The message "Null input buffer" is pretty vague and comes from javax.crypto.Cipher.doFinal() because we've passed a null from the vault. We can catch the null value before passing to Cipher and print a more useful message. I think something like the following works:

      --- a/src/main/java/org/apache/tomcat/vault/security/vault/PicketBoxSecurityVault.java
      +++ b/src/main/java/org/apache/tomcat/vault/security/vault/PicketBoxSecurityVault.java
      @@ -287,6 +287,11 @@ public class PicketBoxSecurityVault implements SecurityVault
                throw new IllegalArgumentException(msm.getString("invalidNullArgument", "attributeName"));
       
             byte[] encryptedValue = vaultContent.getVaultData(alias, vaultBlock, attributeName);
      +
      +      if (encryptedValue == null) {
      +          throw new SecurityVaultException("Vault data not found for alias: " + alias + " block: " +
      +            vaultBlock + " attribute: " + attributeName);
      +      }
              
             SecretKeySpec secretKeySpec = new SecretKeySpec(adminKey.getEncoded(), encryptionAlgorithm);
             EncryptionUtil encUtil = new EncryptionUtil(encryptionAlgorithm, keySize);
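
Review bot: The new `throw new SecurityVaultException(...)` under the `encryptedValue == null` check builds its message by hard-coded string concatenation, while the null-argument check directly above it takes its text from `msm.getString("invalidNullArgument", ...)`; adding a key to the same message bundle would keep the two messages consistent and localizable. The message names only the alias, vault block and attribute name used for the lookup and no stored value, so it points at the missing entry without echoing vault content. It would also help to document on the method that a missing entry now surfaces as a SecurityVaultException from this check rather than from the decrypt call.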
      

      Should we add a more specific message, maybe at DEBUG, that would help users determine where the problem is? Or would that be considered information leakage?
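
A stand-alone reproduction of the behaviour described above, added here as an example and not taken from tomcat-vault: a missing entry reaches `Cipher.doFinal()` as null, next to a lookup that checks for null first. The class name, the `STORE` map, the `block::attribute` key format, and the all-zero key and nonce are constructed for illustration and are not tomcat-vault's API or storage format.

```java
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class VaultNullLookupDemo {
    // Constructed stand-in for the vault store: lookup key -> ciphertext (left empty).
    static final Map<String, byte[]> STORE = new HashMap<>();

    static Cipher newDecryptCipher() throws Exception {
        // Constructed all-zero key and nonce; only the null handling matters here.
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(new byte[16], "AES"),
                new GCMParameterSpec(128, new byte[12]));
        return cipher;
    }

    // Behaviour in the report: the missing entry is handed to the cipher as null.
    static byte[] retrieveUnchecked(String block, String attribute) throws Exception {
        byte[] encrypted = STORE.get(block + "::" + attribute);
        return newDecryptCipher().doFinal(encrypted);
    }

    // Guarded lookup: fail before decryption and name only the lookup coordinates.
    static byte[] retrieveChecked(String block, String attribute) throws Exception {
        byte[] encrypted = STORE.get(block + "::" + attribute);
        if (encrypted == null) {
            throw new IllegalStateException("Vault data not found for block: " + block
                    + " attribute: " + attribute);
        }
        return newDecryptCipher().doFinal(encrypted);
    }

    public static void main(String[] args) throws Exception {
        try {
            retrieveUnchecked("my_block", "missing_attr");
        } catch (IllegalArgumentException e) {
            System.out.println("unchecked: " + e.getMessage());
        }
        try {
            retrieveChecked("my_block", "missing_attr");
        } catch (IllegalStateException e) {
            System.out.println("checked:   " + e.getMessage());
        }
    }
}
```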

          People

            rhn-support-csutherl Coty Sutherland