On 01/29/2013 10:00 AM, Eli Mesika wrote:
----- Original Message -----
> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
> To: "Eli Mesika" <emesika(a)redhat.com>
> Cc: "users" <users(a)ovirt.org>, "Dead Horse" <deadhorseconsulting(a)gmail.com>
> Sent: Tuesday, January 29, 2013 10:40:59 AM
> Subject: Re: [Users] engine Failed to decrypt Data error
>
>
>
> ----- Original Message -----
>> From: "Eli Mesika" <emesika(a)redhat.com>
>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> Cc: "users" <users(a)ovirt.org>, "Dead Horse" <deadhorseconsulting(a)gmail.com>
>> Sent: Tuesday, January 29, 2013 10:33:04 AM
>> Subject: Re: [Users] engine Failed to decrypt Data error
>>
>>
>>
>> ----- Original Message -----
>>> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> To: "Eli Mesika" <emesika(a)redhat.com>
>>> Cc: "users" <users(a)ovirt.org>, "Dead Horse" <deadhorseconsulting(a)gmail.com>
>>> Sent: Monday, January 28, 2013 11:20:30 PM
>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Eli Mesika" <emesika(a)redhat.com>
>>>> To: "Dead Horse" <deadhorseconsulting(a)gmail.com>
>>>> Cc: "users" <users(a)ovirt.org>, "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>> Sent: Monday, January 28, 2013 11:16:16 PM
>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Dead Horse" <deadhorseconsulting(a)gmail.com>
>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>> Cc: "users" <users(a)ovirt.org>, "Eli Mesika" <emesika(a)redhat.com>
>>>>> Sent: Monday, January 28, 2013 11:04:53 PM
>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>>
>>>>>
>>>>> psql -U engine -d engine -c "select * from vdc_options where option_name in ('LocalAdminPassword', 'AdminPassword');"
>>>>> (2 rows)
>>>>
>>>> Too long, supported values for encryption should be < 127 characters
>>>
>>> Why too long? it should be 2048 RSA key.
>>> And it is exactly 256 decoded.
>> OK
>> Didn't you say that practically it should be < 256 ?
>
> The encrypted blob is exactly 256 (keysize/8).
> The plain text within that blob is at same length.
> The PKCS#5 padding that we should use (or should have used) takes at
> least one byte from suffix, hence the <256, but this applies to the
> plain text.
> From the exception we see that the java crypto provider complains we
> provide a block >256 and key size of 2048, so there is something
> wrong with the buffer we pass as it must be =256 bytes.
That raises the chance of a bug in the EncryptionUtils code, can you take a look?

As the exceptions are coming from several different threads that are
running in parallel I would look for a concurrency problem. In
particular I would check the "Encoding" class. It seems to me that it
uses the "Base64.decode(...)" method from multiple threads in an unsafe way.
>
>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Jan 28, 2013 at 2:38 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Dead Horse" <deadhorseconsulting(a)gmail.com>
>>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>> Cc: "users" <users(a)ovirt.org>, "Eli Mesika" <emesika(a)redhat.com>
>>>>>> Sent: Monday, January 28, 2013 10:35:34 PM
>>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>> was in the middle of a fresh engine setup which did not exhibit the
>>>>>> symptom. However after running: "engine-config -s AdminPassword=interactive"
>>>>>> and restarting the engine service on the clean setup the error message
>>>>>> now shows up.
>>>>>>
>>>>>> - DHC
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> OK, at least it is related to the admin password.
>>>>>
>>>>> Please send me the output of:
>>>>>
>>>>> psql -U engine -d engine -c "select * from vdc_options where option_name in ('LocalAdminPassword', 'AdminPassword');"
>>>>>
>>>>>
>>>>> Thanks!
>>>>>
>>>>>>
>>>>>> On Mon, Jan 28, 2013 at 1:55 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Dead Horse" <deadhorseconsulting(a)gmail.com>
>>>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>>> Cc: "users" <users(a)ovirt.org>, "Eli Mesika" <emesika(a)redhat.com>
>>>>>>> Sent: Monday, January 28, 2013 9:46:53 PM
>>>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>> Current running engine build --> commit: 61c11aecc40e755d08b6c34c6fe1c0a07fa94de8
>>>>>>>
>>>>>>> ran engine upgrade against the built rpms from that commit.
>>>>>>>
>>>>>>>
>>>>>>> Thus I applied it as an upgrade against prior running build --> commit: 1eb895355239bbcb7a7ceda172405f0b68f18f35
>>>>>>
>>>>>> [Please use plain text mails in lists.]
>>>>>>
>>>>>>
>>>>>> Can you please patch EncryptionUtils.decrypt() with the following, so
>>>>>> I can see what source is? source is encrypted blob, should not be a
>>>>>> problem to send it.
>>>>>>
>>>>>> if (!StringHelper.isNullOrEmpty(source.trim())) {
>>>>>> KeyStore store = EncryptionUtils.getKeyStore(keyFile,
>>>>>> passwd,
>>>>>> certType);
>>>>>> Key key = store.getKey(alias, passwd.toCharArray());
>>>>>> + log.info ("DEBUG001 " + source);
>>>>>
>>>>>
>>>>>> result = decrypt(source, key);
>>>>>>
>>>>>>
>>>>>> }
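Review bot: the added `log.info ("DEBUG001 " + source);` line logs the raw, untrimmed `source` while the guard above it tests `source.trim()`, so stray whitespace or a truncated value would be hard to spot in the output. Consider bracketing the value and logging `source.length()` next to it, since the question being investigated is whether the buffer passed to decrypt is the expected size. Because the line writes the stored ciphertext to the engine log at INFO level, keep it as a temporary diagnostic and remove it (or lower it to debug) once the value has been captured.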
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jan 28, 2013 at 1:28 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>> How did you install the engine? You built it?
>>>>>>> Which exact version?
>>>>>>>
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Dead Horse" <deadhorseconsulting(a)gmail.com>
>>>>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>>>> Cc: "users" <users(a)ovirt.org>, "Eli Mesika" <emesika(a)redhat.com>
>>>>>>>> Sent: Monday, January 28, 2013 9:26:44 PM
>>>>>>>> Subject: Re: [Users] engine Failed to decrypt Data
>>>>>>>> error
>>>>>>>>
>>>>>>>>
>>>>>>>> Password length is 11 characters and consists of Upper, Lower case
>>>>>>>> and one special character.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Jan 28, 2013 at 1:20 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> We tried to reproduce this.
>>>>>>>> What password do you use? is there one with some great
>>>>>>>> length?
>>>>>>>> If not, Eli, we should send a debug patch for this.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Dead Horse" <deadhorseconsulting(a)gmail.com>
>>>>>>>>> To: "<users(a)ovirt.org>" <users(a)ovirt.org>
>>>>>>>>> Sent: Monday, January 28, 2013 9:16:20 PM
>>>>>>>>> Subject: [Users] engine Failed to decrypt Data error
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I see this repeating error in the engine logs quite a bit, any ideas
>>>>>>>>> on what causes it?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2013-01-28 13:13:40,483 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-23) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>> 2013-01-28 13:13:52,747 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-81) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>> 2013-01-28 13:13:52,747 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-84) Failed to decrypt Blocktype mismatch: 0
>>>>>>>>> 2013-01-28 13:13:52,761 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-85) Failed to decrypt Data must start with zero
>>>>>>>>> 2013-01-28 13:14:00,964 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-23) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>> 2013-01-28 13:14:00,964 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-20) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>> 2013-01-28 13:14:02,983 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-29) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>> 2013-01-28 13:14:02,983 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-34) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> - DHC
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Users mailing list
>>>>>>>>> Users(a)ovirt.org
>>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
--
Commercial address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.
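
An added example, not part of the original thread or of the oVirt code: a Python triage of the decrypt failures reported above, grouping them into bursts to check the concurrency hypothesis raised in the reply. The log lines are the ones quoted in the thread; the 50 ms window and the function names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Log lines as reported in the thread, re-joined to one entry per line.
LOGGER = "[org.ovirt.engine.core.engineencryptutils.EncryptionUtils]"
SAMPLE = """\
2013-01-28 13:13:40,483 ERROR {p} (QuartzScheduler_Worker-23) Failed to decrypt Data must not be longer than 256 bytes
2013-01-28 13:13:52,747 ERROR {p} (QuartzScheduler_Worker-81) Failed to decrypt Data must not be longer than 256 bytes
2013-01-28 13:13:52,747 ERROR {p} (QuartzScheduler_Worker-84) Failed to decrypt Blocktype mismatch: 0
2013-01-28 13:13:52,761 ERROR {p} (QuartzScheduler_Worker-85) Failed to decrypt Data must start with zero
2013-01-28 13:14:00,964 ERROR {p} (QuartzScheduler_Worker-23) Failed to decrypt Data must not be longer than 256 bytes
2013-01-28 13:14:00,964 ERROR {p} (QuartzScheduler_Worker-20) Failed to decrypt Data must not be longer than 256 bytes
2013-01-28 13:14:02,983 ERROR {p} (QuartzScheduler_Worker-29) Failed to decrypt Data must not be longer than 256 bytes
2013-01-28 13:14:02,983 ERROR {p} (QuartzScheduler_Worker-34) Failed to decrypt Data must not be longer than 256 bytes
""".format(p=LOGGER)

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) ERROR \[[^\]]+\] "
    r"\((?P<thread>[^)]+)\) Failed to decrypt (?P<msg>.+)$")

def parse(text):
    """Return sorted (timestamp, thread, message) tuples for decrypt failures."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m["thread"], m["msg"]))
    return sorted(events)

def bursts(events, window_ms=50):
    """Chain failures that occur within window_ms of the previous failure."""
    groups = []
    for ev in events:
        if groups and ev[0] - groups[-1][-1][0] <= timedelta(milliseconds=window_ms):
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups

def summarize(text, window_ms=50):
    """Count failures, distinct error texts, and bursts spanning several threads."""
    events = parse(text)
    multi = [g for g in bursts(events, window_ms) if len({t for _, t, _ in g}) > 1]
    return {
        "failures": len(events),
        "distinct_messages": sorted({msg for _, _, msg in events}),
        "concurrent_bursts": [sorted(t for _, t, _ in g) for g in multi],
    }
```

On the reported lines, seven of the eight failures fall into three bursts that each span several Quartz workers, and the same stored values produce three different error texts. That pattern fits a buffer being corrupted before decryption rather than a bad value in `vdc_options`.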