WildFly Core / WFCORE-3068

Elytron - OTP seed attribute in ldap-realm is Base64 encoded

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Critical
    • Affects Version/s: 3.0.0.Beta28
    • Component/s: Security

      The ldap-realm.otp-credential-mapper.seed-from attribute in the Elytron subsystem refers to an LDAP attribute which stores an OTP seed. The LDAP attribute value currently has to be Base64-encoded, which seems to be wrong.

      The problem is in the Elytron class org.wildfly.security.auth.realm.ldap.OtpCredentialLoader which handles the encoding/decoding.

      The OTP RFC, RFC 2289, says:

         The seed MUST consist of purely alphanumeric characters and MUST be
         of one to 16 characters in length. The seed is a string of characters
         that MUST not contain any blanks and SHOULD consist of strictly
         alphanumeric characters from the ISO-646 Invariant Code Set.  The
         seed MUST be case insensitive and MUST be internally converted to
         lower case before it is processed.
      

      I.e., there is no need to Base64-encode the string bytes.

      Suggested fix
      Don't encode/decode the LDAP attribute value.
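Added example, not Elytron code and not part of the issue: a Python sketch of the two ways of reading the seed attribute described above (the current Base64-wrapped layout beside the suggested plain-text layout), followed by an otp-md5 derivation per RFC 2289 Appendix A to show that the seed is consumed as lowercase ASCII text, so the Base64 layer buys nothing. It also shows why a reader cannot safely accept both layouts: a raw seed such as "TeSt" is itself syntactically valid Base64. Function names and the sample attribute values are assumptions made for the example.

```python
import base64
import hashlib
import re

# RFC 2289 section 6: 1 to 16 alphanumeric characters, no blanks, case-insensitive.
SEED_RE = re.compile(r"[A-Za-z0-9]{1,16}")


def normalize_seed(seed: str) -> str:
    """Validate a seed against RFC 2289 and fold it to lower case."""
    if not SEED_RE.fullmatch(seed):
        raise ValueError("seed must be 1-16 alphanumeric characters, got %r" % seed)
    return seed.lower()


def seed_from_plain_attribute(value: bytes) -> str:
    """Suggested behaviour: the LDAP attribute holds the seed text itself."""
    try:
        return normalize_seed(value.decode("ascii"))
    except UnicodeDecodeError as exc:
        raise ValueError("seed attribute is not ASCII: %r" % value) from exc


def seed_from_base64_attribute(value: bytes) -> str:
    """Behaviour the issue describes: the attribute holds Base64 of the seed bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
        return normalize_seed(raw.decode("ascii"))
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("attribute is not a Base64-wrapped seed: %r" % value) from exc


def fold_md5(data: bytes) -> bytes:
    """One otp-md5 step: MD5, then XOR the two 64-bit halves (RFC 2289 Appendix A)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """otp-md5 one-time password for the given sequence number.

    The initial step hashes lowercase seed + passphrase; each further sequence
    number is one more fold of the previous 64-bit value. RFC 2289 Appendix C
    lists reference vectors for ("This is a test.", "TeSt") to check against.
    """
    if sequence < 0:
        raise ValueError("sequence number must be non-negative")
    value = fold_md5((normalize_seed(seed) + passphrase).encode("ascii"))
    for _ in range(sequence):
        value = fold_md5(value)
    return value


if __name__ == "__main__":
    # Constructed sample attribute values; not taken from any real directory.
    plain = b"TeSt"
    wrapped = base64.b64encode(plain)  # b"VGVTdA=="

    print("plain  ->", seed_from_plain_attribute(plain))
    print("base64 ->", seed_from_base64_attribute(wrapped))

    # The seed feeds the hash as lowercase text, so "TeSt" and "test" agree.
    assert otp_md5("This is a test.", "TeSt", 0) == otp_md5("This is a test.", "test", 0)
    print("otp-md5 seq 0:", otp_md5("This is a test.", "TeSt", 0).hex())

    # Why the two layouts cannot coexist: "TeSt" is valid Base64 (decoding to
    # non-ASCII bytes) and "VGVTdA==" is not a valid seed, so each decoder
    # rejects the other's value and a reader cannot sniff which layout it got.
    for decoder, value in ((seed_from_plain_attribute, wrapped),
                           (seed_from_base64_attribute, plain)):
        try:
            decoder(value)
        except ValueError as exc:
            print("rejected:", exc)
```

The practical consequence for an operator is that the attribute layout is a one-way choice: once the realm stops decoding, every stored value must be a plain alphanumeric seed, because a decoder that tries Base64 first will happily "decode" a 4-, 8-, 12- or 16-character raw seed into garbage bytes.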

            Assignee: Jan Kalina (Inactive)
            Reporter: Jan Kalina (Inactive)