CAS 5.3.x Hazelcast Cipher errors under medium stress - and a possible cause


Andy Ng

Nov 29, 2018, 4:57:02 AM
to CAS Community
Hi all,

My server:
- Version:   CAS 5.3.x
- Ticketing: Hazelcast

Problem:
These few days I have been stress testing my CAS 5.3.x for production launch, and I see that when it undergoes medium stress (1 req / second using JMeter), the following errors occur randomly (roughly 1 in every 100 requests):
  • The exceptions I see are:
    • java.lang.IllegalStateException: Cipher not initialized
    • javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    • javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher
Research and possible solution:
I found that, for my server, it seems to be a problem in BaseBinaryCipherExecutor.java:
this.aesCipher = Cipher.getInstance("AES"); is executed in the class constructor instead of right before this.aesCipher.init(Cipher.ENCRYPT_MODE, this.encryptionKey);.

And after changing the code to the following:

    @Override
    @SneakyThrows
    public byte[] encode(final byte[] value, final Object[] parameters) {
        // Obtain a fresh Cipher per call: Cipher instances are stateful and not thread-safe
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, this.encryptionKey);
        final byte[] result = cipher.doFinal(value);
        return sign(result);
    }


    @Override
    @SneakyThrows
    public byte[] decode(final byte[] value, final Object[] parameters) {
        final byte[] verifiedValue = verifySignature(value);
        // Same here: never share a Cipher field between concurrent encode/decode callers
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.DECRYPT_MODE, this.encryptionKey);
        final byte[] bytePlainText = cipher.doFinal(verifiedValue);
        return bytePlainText;
    }


My stress test yields much more consistent results, and no more Cipher errors occur.


Question:
Before I submit a PR, I want to know if this is a problem applicable only to me, or applicable to other CAS 5.3.x servers as well. So I would like to ask:
  • Has anybody else using 5.3.x found the above exceptions in their production CAS logs?
  • If yes, are you using Hazelcast? (I want to know if this problem extends beyond Hazelcast.)

Thanks and cheers!
- Andy
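An added Java example (not code from this thread or from CAS) that reproduces the pattern Andy describes: one javax.crypto.Cipher field reused by every caller versus a Cipher obtained per call. The class name, the 16-byte key and the plaintext are constructed for the demo; the "AES" transformation is the one the thread uses (SunJCE resolves it to AES/ECB/PKCS5Padding).

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class SharedCipherRace {
    // Constructed 16-byte AES key for the demo only; CAS derives its own key.
    static final SecretKeySpec KEY =
        new SecretKeySpec("0123456789abcdef".getBytes(StandardCharsets.US_ASCII), "AES");
    static final byte[] PLAIN = "ticket payload".getBytes(StandardCharsets.US_ASCII);
    // Buggy pattern from the thread: the Cipher is created once and reused everywhere.
    static final Cipher SHARED = newCipher();
    static Cipher newCipher() {
        try { return Cipher.getInstance("AES"); } // same transformation the thread uses
        catch (Exception e) { throw new IllegalStateException(e); }
    }
    // Encrypt then decrypt PLAIN. With the shared Cipher, other threads' init()/doFinal()
    // interleave with ours: doFinal() runs in the wrong mode (BadPadding/IllegalBlockSize)
    // or between the steps of someone else's init() ("Cipher not initialized").
    static byte[] roundTrip(boolean perCall) throws Exception {
        Cipher enc = perCall ? newCipher() : SHARED;
        enc.init(Cipher.ENCRYPT_MODE, KEY);
        byte[] ciphertext = enc.doFinal(PLAIN);
        Cipher dec = perCall ? newCipher() : SHARED;
        dec.init(Cipher.DECRYPT_MODE, KEY);
        return dec.doFinal(ciphertext);
    }
    /** Runs threads*iterations round trips concurrently; returns how many failed. */
    static int failures(boolean perCall, int threads, int iterations) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        AtomicInteger failed = new AtomicInteger();
        for (int t = 0; t < threads; t++) {
            pool.submit(() -> {
                for (int i = 0; i < iterations; i++) {
                    try { // a wrong plaintext counts as a failure too, not only an exception
                        if (!Arrays.equals(roundTrip(perCall), PLAIN)) failed.incrementAndGet();
                    } catch (Exception e) { failed.incrementAndGet(); }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return failed.get();
    }
    public static void main(String[] args) throws Exception {
        System.out.println("shared Cipher failures:   " + failures(false, 8, 2000));
        System.out.println("per-call Cipher failures: " + failures(true, 8, 2000));
    }
}
```

The shared-Cipher run produces a non-zero, varying failure count (the race is timing-dependent, as in Andy's "1 in 100" observation), while the per-call run stays at zero.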

Jonathon Taylor

Nov 30, 2018, 6:52:32 PM
to cas-...@apereo.org
Andy,

We just upgraded our test instance to 5.3.6 today and based on your
findings ran a quick JMeter test. We also hit at least one of the
exceptions already (and seemingly randomly):

javax.crypto.BadPaddingException: Given final block not properly
padded. Such issues can arise if a bad key is used during decryption.

We plan to run more thorough tests on Monday but it does appear this
is applicable more broadly.

Jonathon

Andy Ng

Nov 30, 2018, 7:17:16 PM
to CAS Community
Hi Jonathon,

Great! So this issue is not only applicable to me; I think this means it is time for a PR.

Jonathon, when you run more tests on Monday, you can check whether the following fixes this bug:

Overlay the BaseBinaryCipherExecutor class, and change the encode and decode methods to the following:

    @Override
    @SneakyThrows
    public byte[] encode(final byte[] value, final Object[] parameters) {
        // Fresh Cipher per call instead of the shared aesCipher field
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, this.encryptionKey);
        final byte[] result = cipher.doFinal(value);
        return sign(result);
    }

    @Override
    @SneakyThrows
    public byte[] decode(final byte[] value, final Object[] parameters) {
        Cipher cipher = Cipher.getInstance("AES");
        final byte[] verifiedValue = verifySignature(value);
        cipher.init(Cipher.DECRYPT_MODE, this.encryptionKey);
        final byte[] bytePlainText = cipher.doFinal(verifiedValue);
        return bytePlainText;
    }
Note: If you have trouble doing the above, this tutorial should help: https://apereo.github.io/2018/04/01/cas-overlays-supercharged/

If your problem is the same as mine, the BadPaddingException should go away after the fix.

Cheers!
- Andy



Andy Ng

Nov 30, 2018, 7:18:43 PM
to CAS Community
Typo, should be Cipher cipher = Cipher.getInstance("AES"); /Andy

Andy Ng

Dec 1, 2018, 4:24:31 AM
to CAS Community
Hi all,

I have made a PR about this issue; it can be seen here: https://github.com/apereo/cas/pull/3679

Cheers!
- Andy