----- Original Message -----
From: "Alon Bar-Lev" <alonbl(a)redhat.com>
To: "Eli Mesika" <emesika(a)redhat.com>
Cc: "users" <users(a)ovirt.org>, "Dead Horse"
<deadhorseconsulting(a)gmail.com>
Sent: Tuesday, January 29, 2013 10:40:59 AM
Subject: Re: [Users] engine Failed to decrypt Data error
----- Original Message -----
> From: "Eli Mesika" <emesika(a)redhat.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: "users" <users(a)ovirt.org>, "Dead Horse"
> <deadhorseconsulting(a)gmail.com>
> Sent: Tuesday, January 29, 2013 10:33:04 AM
> Subject: Re: [Users] engine Failed to decrypt Data error
>
>
>
> ----- Original Message -----
> > From: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > To: "Eli Mesika" <emesika(a)redhat.com>
> > Cc: "users" <users(a)ovirt.org>, "Dead Horse"
> > <deadhorseconsulting(a)gmail.com>
> > Sent: Monday, January 28, 2013 11:20:30 PM
> > Subject: Re: [Users] engine Failed to decrypt Data error
> >
> >
> >
> > ----- Original Message -----
> > > From: "Eli Mesika" <emesika(a)redhat.com>
> > > To: "Dead Horse" <deadhorseconsulting(a)gmail.com>
> > > Cc: "users" <users(a)ovirt.org>, "Alon Bar-Lev"
> > > <alonbl(a)redhat.com>
> > > Sent: Monday, January 28, 2013 11:16:16 PM
> > > Subject: Re: [Users] engine Failed to decrypt Data error
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Dead Horse" <deadhorseconsulting(a)gmail.com>
> > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > > Cc: "users" <users(a)ovirt.org>, "Eli
Mesika"
> > > > <emesika(a)redhat.com>
> > > > Sent: Monday, January 28, 2013 11:04:53 PM
> > > > Subject: Re: [Users] engine Failed to decrypt Data error
> > > >
> > > >
> > > > psql -U engine -d engine -c "select * from vdc_options where
> > > > option_name in ('LocalAdminPassword',
'AdminPassword');"
> > > > option_id | option_name |
> > > >
> > > > option_value
> > > >
> > > > | version
> > > >
-----------+--------------------+-----------------------------------------------
> > > >
--------------------------------------------------------------------------------
> > > >
--------------------------------------------------------------------------------
> > > >
--------------------------------------------------------------------------------
> > > >
-----------------------------------------------------------+---------
> > > > 127 | LocalAdminPassword |
> > > > KiG8670o1qXVX6omYsiCdaaXtQc/mGmr0qgLHqc8yykoRz
> > > >
OwbfZzU9AxBYwYrJEwyqdq8c2ZwfGVvQ1YVIfGRspKLKogl59gBnwcQuk3al1K4Vtmr2hgWDtm5FBYd5
> > > >
Nac4WIly4efjMCRjwrpPVkpAX55N8tGJ9LNzX8eRszQ4iVs8zivl0eu9SVhrB8tbHkA/+U5/vss26za8
> > > >
X+AV67dtDzoD7ZS0eOT1Vx9vrOGHvDYU8tANEb29Et79CJ0whLOOEeuwTpkK1yZdF3PaWRbnTwXZUsB1
> > > > hMs9NLdo2ZxZOVSIK1E2mPh1WLybgIX1YB0Ra3BZvjAR9wPZz+jdfZng== |
> > > > general
> > > > 7 | AdminPassword |
> > > > AakmoHu69RmCWkSoVXLOv0cwzwGscXaM+HJAONRtSdECEA
> > > >
VL+bjc1Lis6PHR1vBwdmhITxAvo2998pTJNusvtuTCODra40MTC+9p9+Oev4jWIbkncHH8gRdIKyvHuz
> > > >
O6fNda50VXeWYhGNFIMavw15PlslutUWEpyNAasjEWyZ7cNyjKK2eFKNDZ3F5PCv9RcQXfXkKSveWm6M
> > > >
40zUVOx1ZjCnptNUpB4VYf5vW8LOpSL5NJpfJQmu36QbBRDDo3+3XPb4ELXA4t1rbPYw9Z7hRbk5Mbtq
> > > > qvOA7q4+G4nPtxHB7d6dYT2QJ58wgXUSIIoz/odvz5yVYeazIFS3Faww== |
> > > > general
> > > > (2 rows)
> > >
> > > Too long , supported values for encryption should be < 127
> > > characters
> >
> > Why too long? it should be 2048 RSA key.
> > And it is exactly 256 decoded.
> OK
> Didn't you say that practically it should be < 256 ?
The encrypted blob is exactly 256 (keysize/8).
The plain text within that blob is at same length.
The PKCS#5 padding that we should use (or should have used) takes at
lease one byte from suffix, hence the <256, but this applies to the
plain text.
From the exception we see that the java crypto provider complains we
provide a block >256 and key size of 2048, so there is something
wrong with the buffer we pass as it must be =256 bytes.
That raises the chance of bug in the EncryptionUtils code , can you take a look ?
> >
> > >
> > >
> > > >
> > > >
> > > >
> > > >
> > > > On Mon, Jan 28, 2013 at 2:38 PM, Alon Bar-Lev <
> > > > alonbl(a)redhat.com
> > > > >
> > > > wrote:
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Dead Horse" < deadhorseconsulting(a)gmail.com
>
> > > > > To: "Alon Bar-Lev" < alonbl(a)redhat.com >
> > > > > Cc: "users" < users(a)ovirt.org >, "Eli
Mesika" <
> > > > > emesika(a)redhat.com
> > > > > >
> > > >
> > > > > Sent: Monday, January 28, 2013 10:35:34 PM
> > > > > Subject: Re: [Users] engine Failed to decrypt Data error
> > > > >
> > > > >
> > > > >
> > > >
> > > > > was in the middle of a fresh engine setup which did not
> > > > > exhibit
> > > > > the
> > > > > symptom. However after running: "engine-config -s
> > > > > AdminPassword=interactive" and restarting the engine
> > > > > service
> > > > > on
> > > > > the
> > > > > clean setup the error message now shows up.
> > > > >
> > > > > - DHC
> > > > >
> > > > >
> > > > >
> > > >
> > > > OK, at least it is related to the admin password.
> > > >
> > > > Please send me the output of:
> > > >
> > > > psql -U engine -d engine -c "select * from vdc_options where
> > > > option_name in ('LocalAdminPassword',
'AdminPassword');"
> > > >
> > > >
> > > > Thanks!
> > > >
> > > > >
> > > > > On Mon, Jan 28, 2013 at 1:55 PM, Alon Bar-Lev <
> > > > > alonbl(a)redhat.com
> > > > > >
> > > > > wrote:
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Dead Horse" <
deadhorseconsulting(a)gmail.com >
> > > > > > To: "Alon Bar-Lev" < alonbl(a)redhat.com >
> > > > > > Cc: "users" < users(a)ovirt.org >, "Eli
Mesika" <
> > > > > > emesika(a)redhat.com
> > > > > > >
> > > > >
> > > > > > Sent: Monday, January 28, 2013 9:46:53 PM
> > > > > > Subject: Re: [Users] engine Failed to decrypt Data error
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > > > Current running engine build --> commit:
> > > > > > 61c11aecc40e755d08b6c34c6fe1c0a07fa94de8
> > > > > >
> > > > > > ran engine upgrade against the built rpms from that
> > > > > > commit.
> > > > > >
> > > > > >
> > > > > > Thus I applied it as an upgrade against prior running
> > > > > > build
> > > > > > -->
> > > > > > commit:
> > > > > > 1eb895355239bbcb7a7ceda172405f0b68f18f35
> > > > >
> > > > > [Please use plain text mails in lists.]
> > > > >
> > > > >
> > > > > Can you please patch EncryptionUtils.decrypt() with the
> > > > > following,
> > > > > so
> > > > > I can see what source is? source is encrypted blob, should
> > > > > not
> > > > > be
> > > > > a
> > > > > problem to send it.
> > > > >
> > > > > if (!StringHelper.isNullOrEmpty(source.trim())) {
> > > > > KeyStore store = EncryptionUtils.getKeyStore(keyFile,
> > > > > passwd,
> > > > > certType);
> > > > > Key key = store.getKey(alias, passwd.toCharArray());
> > > > > + log.info ("DEBUG001 " + source);
> > > >
> > > >
> > > > > result = decrypt(source, key);
> > > > >
> > > > >
> > > > > }
> > > > >
> > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Mon, Jan 28, 2013 at 1:28 PM, Alon Bar-Lev <
> > > > > > alonbl(a)redhat.com
> > > > > > >
> > > > > > wrote:
> > > > > >
> > > > > >
> > > > > > How do you installed the engine? you built?
> > > > > > Which exact version?
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Dead Horse" <
deadhorseconsulting(a)gmail.com >
> > > > > >
> > > > > >
> > > > > > > To: "Alon Bar-Lev" < alonbl(a)redhat.com
>
> > > > > > > Cc: "users" < users(a)ovirt.org >,
"Eli Mesika" <
> > > > > > > emesika(a)redhat.com
> > > > > > > >
> > > > > > > Sent: Monday, January 28, 2013 9:26:44 PM
> > > > > > > Subject: Re: [Users] engine Failed to decrypt Data
> > > > > > > error
> > > > > > >
> > > > > > >
> > > > > > > Password length is 11 characters and consists of
Upper,
> > > > > > > Lower
> > > > > > > case
> > > > > > > and one special character.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Mon, Jan 28, 2013 at 1:20 PM, Alon Bar-Lev <
> > > > > > > alonbl(a)redhat.com
> > > > > > > >
> > > > > > > wrote:
> > > > > > >
> > > > > > >
> > > > > > > We tried to reproduce this.
> > > > > > > What password do you use? is there one with some
great
> > > > > > > length?
> > > > > > > If not, Eli, we should send a debug patch for this.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Dead Horse" <
deadhorseconsulting(a)gmail.com >
> > > > > > > > To: "< users(a)ovirt.org >" <
users(a)ovirt.org >
> > > > > > > > Sent: Monday, January 28, 2013 9:16:20 PM
> > > > > > > > Subject: [Users] engine Failed to decrypt Data
error
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > I see this repeating error in the engine logs
quite a
> > > > > > > > bit,
> > > > > > > > any
> > > > > > > > ideas
> > > > > > > > on what causes it?
> > > > > > > >
> > > > > > > >
> > > > > > > > 2013-01-28 13:13:40,483 ERROR
> > > > > > > >
[org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> > > > > > > > (QuartzScheduler_Worker-23) Failed to decrypt
Data
> > > > > > > > must
> > > > > > > > not
> > > > > > > > be
> > > > > > > > longer than 256 bytes
> > > > > > > > 2013-01-28 13:13:52,747 ERROR
> > > > > > > >
[org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> > > > > > > > (QuartzScheduler_Worker-81) Failed to decrypt
Data
> > > > > > > > must
> > > > > > > > not
> > > > > > > > be
> > > > > > > > longer than 256 bytes
> > > > > > > > 2013-01-28 13:13:52,747 ERROR
> > > > > > > >
[org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> > > > > > > > (QuartzScheduler_Worker-84) Failed to decrypt
> > > > > > > > Blocktype
> > > > > > > > mismatch:
> > > > > > > > 0
> > > > > > > > 2013-01-28 13:13:52,761 ERROR
> > > > > > > >
[org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> > > > > > > > (QuartzScheduler_Worker-85) Failed to decrypt
Data
> > > > > > > > must
> > > > > > > > start
> > > > > > > > with
> > > > > > > > zero
> > > > > > > > 2013-01-28 13:14:00,964 ERROR
> > > > > > > >
[org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> > > > > > > > (QuartzScheduler_Worker-23) Failed to decrypt
Data
> > > > > > > > must
> > > > > > > > not
> > > > > > > > be
> > > > > > > > longer than 256 bytes
> > > > > > > > 2013-01-28 13:14:00,964 ERROR
> > > > > > > >
[org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> > > > > > > > (QuartzScheduler_Worker-20) Failed to decrypt
Data
> > > > > > > > must
> > > > > > > > not
> > > > > > > > be
> > > > > > > > longer than 256 bytes
> > > > > > > > 2013-01-28 13:14:02,983 ERROR
> > > > > > > >
[org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> > > > > > > > (QuartzScheduler_Worker-29) Failed to decrypt
Data
> > > > > > > > must
> > > > > > > > not
> > > > > > > > be
> > > > > > > > longer than 256 bytes
> > > > > > > > 2013-01-28 13:14:02,983 ERROR
> > > > > > > >
[org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> > > > > > > > (QuartzScheduler_Worker-34) Failed to decrypt
Data
> > > > > > > > must
> > > > > > > > not
> > > > > > > > be
> > > > > > > > longer than 256 bytes
> > > > > > > >
> > > > > > > >
> > > > > > > > - DHC
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Users mailing list
> > > > > > > > Users(a)ovirt.org
> > > > > > > >
http://lists.ovirt.org/mailman/listinfo/users
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> >
>