Uppercase Answers in Challenge Questions - 5002 Invalid


Stephen Price

Sep 14, 2023, 11:13:12 AM
to pwm-general
Driving me crazy here. I have installed 2 PWM 2.0.6 servers utilizing a SQL server to store the Challenge answers.

Whenever a user defines their challenge answers with a word that has a Capital letter in it, the platform saves it without issue. But when a user utilizes the answer to the challenge question it says that it is an Invalid response.

If the user defines the same question with the same answer, but uses only lowercase letters in the answer, then it works just fine.

What is going on with the Uppercase letters in challenge answers?

Jason Rivard

Sep 15, 2023, 9:34:44 PM
to pwm-general
It's most likely the setting 'Max Question Characters' on your challenge policy. Apparently there is a casing bug in that check. You can watch the logs or turn on detailed error messages to see the cause of the error.

Stephen Price

Feb 20, 2024, 10:58:47 AM
to pwm-general
Logging does not seem to show anything more than that the password answer is invalid. Not sure how to tell if the 'Max Question Characters' configuration would be relevant or how to disable it to test.

Jason Rivard

Feb 20, 2024, 9:16:03 PM
to pwm-general
Did you change the max question characters setting on the challenge policy? Try setting it to 0. Also, I think there is a bug in the case checking of this restriction, I'll be looking into it soon.

Stephen Price

Feb 21, 2024, 9:51:05 AM
to pwm-general
First of all, thank you for all your help.

Yes. I tried it with zero.

To be clear:
It accepts the answer when defining the question and answers no problem. I would think the max question setting would be more related to this step.

It is during the actual checking of the answer when it states the password is incorrect. If I define an all lowercase answer then it will accept the all lowercase answer just fine when requested. 
But if there are any uppercase letters in the answer, then it will not validate at all.

One or more responses are not correct. Pleasee try Again {5002 ERROR_INCORRECT_RESPONSE (incorrect response to one or more challenges)}

Egert Vero

Aug 16, 2024, 11:07:46 AM
to pwm-general
I am having the same issue. Changing "Max Question Characters" to zero does not work. Was a solution/workaround ever found for this issue?

Thanks!

Clément Gindrier

Aug 21, 2024, 11:00:23 AM
to pwm-general
Hello everyone,

I had the same problem and fixed it a few days ago. Everything seems to work since.
I'll explain my solution, and if you think it's a good one, I'll do a pull request.

Problem: When the “case insensitive” option was activated, secret answers containing a capital letter didn't work.

Cause: When the secret question is compared to “case insensitive”, it is lower-cased (with toLowerCase()), then salted and hashed. But when it's saved, it's not lower-cased. As a result, it will never match.

Code: The “ldapchai” library has changed version. In it, you'll find the comparison and recording of questions. I captured these images in debug mode. So you can see the variable values at the end of the lines.

no_cmp_saved_answers.png

cmp_with_lower_case.png


Solution: I downloaded the code from the “ldapchai” project, git checkout the 8.0.5 branch used by pwm 2.0.6. I added the line that allows lower-casing when “case insensitive” is enabled:

        final String casedAnswer = this.caseInsensitive ? answer.toLowerCase() : answer;

And replaced the variable in the next line:

        this.hashedAnswer = hashValue( casedAnswer );

fixed_saved_answer.png

Then I compiled it with maven (mvn clean install), replaced the old version of pwm with this one, and compiled pwm with maven.
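
The mismatch described in the post above, reproduced as an added sketch that is not part of the thread and is not ldapchai or PWM code. The class and method names are hypothetical, and salted SHA-256 stands in for the library's real hashing.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Locale;

// Added illustration; names are hypothetical, not ldapchai's.
public class CaseInsensitiveAnswerDemo {

    // Assumption: SHA-256(salt || answer) as a stand-in for the library's hash.
    static byte[] hashValue(byte[] salt, String answer) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(answer.getBytes(StandardCharsets.UTF_8));
    }

    // One normalization shared by every path; Locale.ROOT keeps it locale-independent.
    static String normalize(String answer, boolean caseInsensitive) {
        return caseInsensitive ? answer.toLowerCase(Locale.ROOT) : answer;
    }

    // Save path as described in the post: hashed without lower-casing.
    static byte[] storeBuggy(byte[] salt, String answer) throws NoSuchAlgorithmException {
        return hashValue(salt, answer);
    }

    // Save path with the fix: normalize first, then hash.
    static byte[] storeFixed(byte[] salt, String answer, boolean ci) throws NoSuchAlgorithmException {
        return hashValue(salt, normalize(answer, ci));
    }

    // Compare path: normalize the candidate, hash it, compare in constant time.
    static boolean verify(byte[] salt, byte[] stored, String candidate, boolean ci)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(stored, hashValue(salt, normalize(candidate, ci)));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        boolean ci = true; // the "case insensitive" option is enabled

        // Constructed sample answers.
        byte[] buggyMixed = storeBuggy(salt, "Fluffy");
        byte[] buggyLower = storeBuggy(salt, "fluffy");
        byte[] fixedMixed = storeFixed(salt, "Fluffy", ci);

        System.out.println("buggy save, 'Fluffy' then 'Fluffy': " + verify(salt, buggyMixed, "Fluffy", ci));
        System.out.println("buggy save, 'fluffy' then 'fluffy': " + verify(salt, buggyLower, "fluffy", ci));
        System.out.println("fixed save, 'Fluffy' then 'FLUFFY': " + verify(salt, fixedMixed, "FLUFFY", ci));
    }
}
```

In this sketch a record written by the buggy save path stays unverifiable even after the fix, because only the hash of the mixed-case text was kept.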


Jason Rivard

Aug 22, 2024, 11:27:13 AM
to pwm-general
Thanks for the research, fix and pull request! I am working on an update release of PWM and ldapchai but I'm not sure when I will get it out.