----- Original Message -----
From: "Juan Hernandez" <jhernand(a)redhat.com>
To: "Eli Mesika" <emesika(a)redhat.com>
Cc: "Alon Bar-Lev" <alonbl(a)redhat.com>, "users" <users(a)ovirt.org>
Sent: Tuesday, January 29, 2013 12:03:05 PM
Subject: Re: [Users] engine Failed to decrypt Data error
On 01/29/2013 10:00 AM, Eli Mesika wrote:
>
>
> ----- Original Message -----
>> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> To: "Eli Mesika" <emesika(a)redhat.com>
>> Cc: "users" <users(a)ovirt.org>, "Dead Horse"
>> <deadhorseconsulting(a)gmail.com>
>> Sent: Tuesday, January 29, 2013 10:40:59 AM
>> Subject: Re: [Users] engine Failed to decrypt Data error
>>
>>
>>
>> ----- Original Message -----
>>> From: "Eli Mesika" <emesika(a)redhat.com>
>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> Cc: "users" <users(a)ovirt.org>, "Dead Horse"
>>> <deadhorseconsulting(a)gmail.com>
>>> Sent: Tuesday, January 29, 2013 10:33:04 AM
>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>> To: "Eli Mesika" <emesika(a)redhat.com>
>>>> Cc: "users" <users(a)ovirt.org>, "Dead Horse"
>>>> <deadhorseconsulting(a)gmail.com>
>>>> Sent: Monday, January 28, 2013 11:20:30 PM
>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Eli Mesika" <emesika(a)redhat.com>
>>>>> To: "Dead Horse" <deadhorseconsulting(a)gmail.com>
>>>>> Cc: "users" <users(a)ovirt.org>, "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>> Sent: Monday, January 28, 2013 11:16:16 PM
>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>>
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Dead Horse" <deadhorseconsulting(a)gmail.com>
>>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>> Cc: "users" <users(a)ovirt.org>, "Eli Mesika" <emesika(a)redhat.com>
>>>>>> Sent: Monday, January 28, 2013 11:04:53 PM
>>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>>>
>>>>>>
>>>>>> psql -U engine -d engine -c "select * from vdc_options where option_name in ('LocalAdminPassword', 'AdminPassword');"
>>>>>> option_id | option_name | option_value | version
>>>>>> -----------+--------------------+--------------+---------
>>>>>> 127 | LocalAdminPassword |
>>>>>> KiG8670o1qXVX6omYsiCdaaXtQc/mGmr0qgLHqc8yykoRz
>>>>>>
OwbfZzU9AxBYwYrJEwyqdq8c2ZwfGVvQ1YVIfGRspKLKogl59gBnwcQuk3al1K4Vtmr2hgWDtm5FBYd5
>>>>>>
Nac4WIly4efjMCRjwrpPVkpAX55N8tGJ9LNzX8eRszQ4iVs8zivl0eu9SVhrB8tbHkA/+U5/vss26za8
>>>>>>
X+AV67dtDzoD7ZS0eOT1Vx9vrOGHvDYU8tANEb29Et79CJ0whLOOEeuwTpkK1yZdF3PaWRbnTwXZUsB1
>>>>>> hMs9NLdo2ZxZOVSIK1E2mPh1WLybgIX1YB0Ra3BZvjAR9wPZz+jdfZng== |
>>>>>> general
>>>>>> 7 | AdminPassword |
>>>>>> AakmoHu69RmCWkSoVXLOv0cwzwGscXaM+HJAONRtSdECEA
>>>>>>
VL+bjc1Lis6PHR1vBwdmhITxAvo2998pTJNusvtuTCODra40MTC+9p9+Oev4jWIbkncHH8gRdIKyvHuz
>>>>>>
O6fNda50VXeWYhGNFIMavw15PlslutUWEpyNAasjEWyZ7cNyjKK2eFKNDZ3F5PCv9RcQXfXkKSveWm6M
>>>>>>
40zUVOx1ZjCnptNUpB4VYf5vW8LOpSL5NJpfJQmu36QbBRDDo3+3XPb4ELXA4t1rbPYw9Z7hRbk5Mbtq
>>>>>> qvOA7q4+G4nPtxHB7d6dYT2QJ58wgXUSIIoz/odvz5yVYeazIFS3Faww== |
>>>>>> general
>>>>>> (2 rows)
>>>>>
>>>>> Too long, supported values for encryption should be < 127 characters
>>>>
>>>> Why too long? it should be 2048 RSA key.
>>>> And it is exactly 256 decoded.
>>> OK
>>> Didn't you say that practically it should be < 256 ?
>>
>> The encrypted blob is exactly 256 (keysize/8).
>> The plain text within that blob is at same length.
>> The PKCS#5 padding that we should use (or should have used) takes at
>> least one byte from suffix, hence the <256, but this applies to the
>> plain text.
>> From the exception we see that the java crypto provider complains we
>> provide a block >256 and key size of 2048, so there is something
>> wrong with the buffer we pass as it must be =256 bytes.
>
> That raises the chance of a bug in the EncryptionUtils code, can you
> take a look?
As the exceptions are coming from several different threads that are
running in parallel I would look for a concurrency problem. In
particular I would check the "Encoding" class. It seems to me that it
uses the "Base64.decode(...)" method from multiple threads in an
unsafe way.

Right, we should really need to remove the legacy code.
http://gerrit.ovirt.org/11495
http://gerrit.ovirt.org/11496
http://gerrit.ovirt.org/11497
http://gerrit.ovirt.org/11498
>
>>
>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Jan 28, 2013 at 2:38 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Dead Horse" <deadhorseconsulting(a)gmail.com>
>>>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>>> Cc: "users" <users(a)ovirt.org>, "Eli Mesika" <emesika(a)redhat.com>
>>>>>>> Sent: Monday, January 28, 2013 10:35:34 PM
>>>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>> was in the middle of a fresh engine setup which did not exhibit the
>>>>>>> symptom. However after running: "engine-config -s
>>>>>>> AdminPassword=interactive" and restarting the engine service on the
>>>>>>> clean setup the error message now shows up.
>>>>>>>
>>>>>>> - DHC
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> OK, at least it is related to the admin password.
>>>>>>
>>>>>> Please send me the output of:
>>>>>>
>>>>>> psql -U engine -d engine -c "select * from vdc_options where option_name in ('LocalAdminPassword', 'AdminPassword');"
>>>>>>
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>>>
>>>>>>> On Mon, Jan 28, 2013 at 1:55 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Dead Horse" <deadhorseconsulting(a)gmail.com>
>>>>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>>>> Cc: "users" <users(a)ovirt.org>, "Eli Mesika" <emesika(a)redhat.com>
>>>>>>>> Sent: Monday, January 28, 2013 9:46:53 PM
>>>>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>> Current running engine build --> commit:
>>>>>>>> 61c11aecc40e755d08b6c34c6fe1c0a07fa94de8
>>>>>>>>
>>>>>>>> ran engine upgrade against the built rpms from that
>>>>>>>> commit.
>>>>>>>>
>>>>>>>>
>>>>>>>> Thus I applied it as an upgrade against prior running
>>>>>>>> build
>>>>>>>> -->
>>>>>>>> commit:
>>>>>>>> 1eb895355239bbcb7a7ceda172405f0b68f18f35
>>>>>>>
>>>>>>> [Please use plain text mails in lists.]
>>>>>>>
>>>>>>>
>>>>>>> Can you please patch EncryptionUtils.decrypt() with the following, so
>>>>>>> I can see what source is? source is encrypted blob, should not be a
>>>>>>> problem to send it.
>>>>>>>
>>>>>>> if (!StringHelper.isNullOrEmpty(source.trim())) {
>>>>>>> KeyStore store = EncryptionUtils.getKeyStore(keyFile,
>>>>>>> passwd,
>>>>>>> certType);
>>>>>>> Key key = store.getKey(alias, passwd.toCharArray());
>>>>>>> + log.info ("DEBUG001 " + source);
>>>>>>
>>>>>>
>>>>>>> result = decrypt(source, key);
>>>>>>>
>>>>>>>
>>>>>>> }
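Review bot: the added `log.info ("DEBUG001 " + source)` line writes the whole encrypted blob to the engine log at info level on every pass through this branch, so it should be logged at debug level, or reduced to `source.length()`, and dropped again once the diagnosis is done. Separately, the first context line calls `source.trim()` inside the `isNullOrEmpty` check, so a null `source` throws before the check can reject it; test `source` for null first and trim afterwards.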
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Jan 28, 2013 at 1:28 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> How did you install the engine? Did you build it?
>>>>>>>> Which exact version?
>>>>>>>>
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Dead Horse" <deadhorseconsulting(a)gmail.com>
>>>>>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>>>>> Cc: "users" <users(a)ovirt.org>, "Eli Mesika" <emesika(a)redhat.com>
>>>>>>>>> Sent: Monday, January 28, 2013 9:26:44 PM
>>>>>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Password length is 11 characters and consists of Upper, Lower case
>>>>>>>>> and one special character.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Jan 28, 2013 at 1:20 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> We tried to reproduce this.
>>>>>>>>> What password do you use? Is there one with some great length?
>>>>>>>>> If not, Eli, we should send a debug patch for this.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Dead Horse" <deadhorseconsulting(a)gmail.com>
>>>>>>>>>> To: "<users(a)ovirt.org>" <users(a)ovirt.org>
>>>>>>>>>> Sent: Monday, January 28, 2013 9:16:20 PM
>>>>>>>>>> Subject: [Users] engine Failed to decrypt Data error
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I see this repeating error in the engine logs quite a bit, any ideas
>>>>>>>>>> on what causes it?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2013-01-28 13:13:40,483 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-23) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>>> 2013-01-28 13:13:52,747 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-81) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>>> 2013-01-28 13:13:52,747 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-84) Failed to decrypt Blocktype mismatch: 0
>>>>>>>>>> 2013-01-28 13:13:52,761 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-85) Failed to decrypt Data must start with zero
>>>>>>>>>> 2013-01-28 13:14:00,964 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-23) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>>> 2013-01-28 13:14:00,964 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-20) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>>> 2013-01-28 13:14:02,983 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-29) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>>> 2013-01-28 13:14:02,983 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-34) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> - DHC
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Users mailing list
>>>>>>>>>> Users(a)ovirt.org
>>>>>>>>>>
http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>>>
--
Commercial address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat
S.L.
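
The length reasoning and the thread-safety suspicion in this thread, as an added example (not oVirt's EncryptionUtils code and not written by any participant): it checks that the stored Base64 value decodes to exactly keysize/8 bytes before decryption, and decrypts from many threads with no shared decoder or Cipher state. The class name, the throwaway key, the sample password and the `RSA/ECB/PKCS1Padding` transformation are assumptions; it needs Java 8 or later for `java.util.Base64`.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.concurrent.*;
import javax.crypto.Cipher;

public class RsaBlobCheck {
    // No shared mutable state: java.util.Base64 decoders are thread-safe, and a
    // fresh Cipher is created per call because a Cipher instance is not.
    static String decrypt(String b64, KeyPair kp) throws Exception {
        byte[] blob = Base64.getDecoder().decode(b64.trim());
        int expected = (((RSAPublicKey) kp.getPublic()).getModulus().bitLength() + 7) / 8;
        if (blob.length != expected) {   // 256 for a 2048-bit key
            throw new IllegalArgumentException(
                "decoded blob is " + blob.length + " bytes, expected " + expected);
        }
        Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding"); // assumed transformation
        c.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        return new String(c.doFinal(blob), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();      // throwaway key, constructed for the demo

        String password = "Example#Pw1";         // constructed 11-character sample value
        Cipher enc = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        String stored = Base64.getEncoder().encodeToString(
            enc.doFinal(password.getBytes(StandardCharsets.UTF_8)));

        // Decrypt the same stored value from many worker threads at once.
        ExecutorService pool = Executors.newFixedThreadPool(16);
        List<Future<String>> results = new ArrayList<>();
        for (int i = 0; i < 200; i++) {
            results.add(pool.submit(() -> decrypt(stored, kp)));
        }
        for (Future<String> f : results) {
            if (!f.get().equals(password)) throw new AssertionError("corrupted result");
        }
        pool.shutdown();
        System.out.println("200 concurrent decrypts OK, every blob was 256 bytes");
    }
}
```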