[Users] engine Failed to decrypt Data error

Juan Hernandez jhernand at redhat.com
Tue Jan 29 10:03:05 UTC 2013


On 01/29/2013 10:00 AM, Eli Mesika wrote:
>
>
> ----- Original Message -----
>> From: "Alon Bar-Lev" <alonbl at redhat.com>
>> To: "Eli Mesika" <emesika at redhat.com>
>> Cc: "users" <users at ovirt.org>, "Dead Horse" <deadhorseconsulting at gmail.com>
>> Sent: Tuesday, January 29, 2013 10:40:59 AM
>> Subject: Re: [Users] engine Failed to decrypt Data error
>>
>>
>>
>> ----- Original Message -----
>>> From: "Eli Mesika" <emesika at redhat.com>
>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>>> Cc: "users" <users at ovirt.org>, "Dead Horse"
>>> <deadhorseconsulting at gmail.com>
>>> Sent: Tuesday, January 29, 2013 10:33:04 AM
>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Alon Bar-Lev" <alonbl at redhat.com>
>>>> To: "Eli Mesika" <emesika at redhat.com>
>>>> Cc: "users" <users at ovirt.org>, "Dead Horse"
>>>> <deadhorseconsulting at gmail.com>
>>>> Sent: Monday, January 28, 2013 11:20:30 PM
>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Eli Mesika" <emesika at redhat.com>
>>>>> To: "Dead Horse" <deadhorseconsulting at gmail.com>
>>>>> Cc: "users" <users at ovirt.org>, "Alon Bar-Lev"
>>>>> <alonbl at redhat.com>
>>>>> Sent: Monday, January 28, 2013 11:16:16 PM
>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>>
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Dead Horse" <deadhorseconsulting at gmail.com>
>>>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>>>> Cc: "users" <users at ovirt.org>, "Eli Mesika"
>>>>>> <emesika at redhat.com>
>>>>>> Sent: Monday, January 28, 2013 11:04:53 PM
>>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>>>
>>>>>>
>>>>>> psql -U engine -d engine -c "select * from vdc_options where
>>>>>> option_name in ('LocalAdminPassword', 'AdminPassword');"
>>>>>> option_id | option_name |
>>>>>>
>>>>>> option_value
>>>>>>
>>>>>> | version
>>>>>> -----------+--------------------+-----------------------------------------------
>>>>>> --------------------------------------------------------------------------------
>>>>>> --------------------------------------------------------------------------------
>>>>>> --------------------------------------------------------------------------------
>>>>>> -----------------------------------------------------------+---------
>>>>>> 127 | LocalAdminPassword |
>>>>>> KiG8670o1qXVX6omYsiCdaaXtQc/mGmr0qgLHqc8yykoRz
>>>>>> OwbfZzU9AxBYwYrJEwyqdq8c2ZwfGVvQ1YVIfGRspKLKogl59gBnwcQuk3al1K4Vtmr2hgWDtm5FBYd5
>>>>>> Nac4WIly4efjMCRjwrpPVkpAX55N8tGJ9LNzX8eRszQ4iVs8zivl0eu9SVhrB8tbHkA/+U5/vss26za8
>>>>>> X+AV67dtDzoD7ZS0eOT1Vx9vrOGHvDYU8tANEb29Et79CJ0whLOOEeuwTpkK1yZdF3PaWRbnTwXZUsB1
>>>>>> hMs9NLdo2ZxZOVSIK1E2mPh1WLybgIX1YB0Ra3BZvjAR9wPZz+jdfZng== |
>>>>>> general
>>>>>> 7 | AdminPassword |
>>>>>> AakmoHu69RmCWkSoVXLOv0cwzwGscXaM+HJAONRtSdECEA
>>>>>> VL+bjc1Lis6PHR1vBwdmhITxAvo2998pTJNusvtuTCODra40MTC+9p9+Oev4jWIbkncHH8gRdIKyvHuz
>>>>>> O6fNda50VXeWYhGNFIMavw15PlslutUWEpyNAasjEWyZ7cNyjKK2eFKNDZ3F5PCv9RcQXfXkKSveWm6M
>>>>>> 40zUVOx1ZjCnptNUpB4VYf5vW8LOpSL5NJpfJQmu36QbBRDDo3+3XPb4ELXA4t1rbPYw9Z7hRbk5Mbtq
>>>>>> qvOA7q4+G4nPtxHB7d6dYT2QJ58wgXUSIIoz/odvz5yVYeazIFS3Faww== |
>>>>>> general
>>>>>> (2 rows)
>>>>>
>>>>> Too long, supported values for encryption should be < 127
>>>>> characters
>>>>
>>>> Why too long? it should be 2048 RSA key.
>>>> And it is exactly 256 decoded.
>>> OK
>>> Didn't you say that practically it should be < 256 ?
>>
>> The encrypted blob is exactly 256 (keysize/8).
>> The plain text within that blob is at same length.
>> The PKCS#5 padding that we should use (or should have used) takes at
>> least one byte from suffix, hence the <256, but this applies to the
>> plain text.
>> From the exception we see that the java crypto provider complains we
>> provide a block >256 and key size of 2048, so there is something
>> wrong with the buffer we pass as it must be =256 bytes.
>
> That raises the chance of a bug in the EncryptionUtils code, can you take a look?

As the exceptions are coming from several different threads that are 
running in parallel I would look for a concurrency problem. In 
particular I would check the "Encoding" class. It seems to me that it 
uses the "Base64.decode(...)" method from multiple threads in an unsafe way.

>
>>
>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Jan 28, 2013 at 2:38 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Dead Horse" < deadhorseconsulting at gmail.com >
>>>>>>> To: "Alon Bar-Lev" < alonbl at redhat.com >
>>>>>>> Cc: "users" < users at ovirt.org >, "Eli Mesika" < emesika at redhat.com >
>>>>>>
>>>>>>> Sent: Monday, January 28, 2013 10:35:34 PM
>>>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>> was in the middle of a fresh engine setup which did not exhibit
>>>>>>> the symptom. However after running: "engine-config -s
>>>>>>> AdminPassword=interactive" and restarting the engine service on
>>>>>>> the clean setup the error message now shows up.
>>>>>>>
>>>>>>> - DHC
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> OK, at least it is related to the admin password.
>>>>>>
>>>>>> Please send me the output of:
>>>>>>
>>>>>> psql -U engine -d engine -c "select * from vdc_options where
>>>>>> option_name in ('LocalAdminPassword', 'AdminPassword');"
>>>>>>
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>>>
>>>>>>> On Mon, Jan 28, 2013 at 1:55 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Dead Horse" < deadhorseconsulting at gmail.com >
>>>>>>>> To: "Alon Bar-Lev" < alonbl at redhat.com >
>>>>>>>> Cc: "users" < users at ovirt.org >, "Eli Mesika" < emesika at redhat.com >
>>>>>>>
>>>>>>>> Sent: Monday, January 28, 2013 9:46:53 PM
>>>>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>> Current running engine build --> commit:
>>>>>>>> 61c11aecc40e755d08b6c34c6fe1c0a07fa94de8
>>>>>>>>
>>>>>>>> ran engine upgrade against the built rpms from that
>>>>>>>> commit.
>>>>>>>>
>>>>>>>>
>>>>>>>> Thus I applied it as an upgrade against prior running
>>>>>>>> build
>>>>>>>> -->
>>>>>>>> commit:
>>>>>>>> 1eb895355239bbcb7a7ceda172405f0b68f18f35
>>>>>>>
>>>>>>> [Please use plain text mails in lists.]
>>>>>>>
>>>>>>>
>>>>>>> Can you please patch EncryptionUtils.decrypt() with the
>>>>>>> following, so I can see what source is? source is encrypted blob,
>>>>>>> should not be a problem to send it.
>>>>>>>
>>>>>>> if (!StringHelper.isNullOrEmpty(source.trim())) {
>>>>>>> KeyStore store = EncryptionUtils.getKeyStore(keyFile,
>>>>>>> passwd,
>>>>>>> certType);
>>>>>>> Key key = store.getKey(alias, passwd.toCharArray());
>>>>>>> + log.info ("DEBUG001 " + source);
>>>>>>
>>>>>>
>>>>>>> result = decrypt(source, key);
>>>>>>>
>>>>>>>
>>>>>>> }
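Review bot: the added log.info ("DEBUG001 " + source) line writes the full encrypted option value to the engine log at INFO level, although the open question is only whether the buffer handed to decrypt is exactly 256 bytes. Logging source.length() and the decoded byte count would answer that without leaving the encrypted value in the log. Separately, the guard tests source.trim() but decrypt(source, key) receives the untrimmed string, so a value with stray whitespace passes the check and is decoded as-is; trimming once into a local and using it for both the check and the call would close that gap.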
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Jan 28, 2013 at 1:28 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> How did you install the engine? Did you build it?
>>>>>>>> Which exact version?
>>>>>>>>
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Dead Horse" < deadhorseconsulting at gmail.com >
>>>>>>>>
>>>>>>>>
>>>>>>>>> To: "Alon Bar-Lev" < alonbl at redhat.com >
>>>>>>>>> Cc: "users" < users at ovirt.org >, "Eli Mesika" < emesika at redhat.com >
>>>>>>>>> Sent: Monday, January 28, 2013 9:26:44 PM
>>>>>>>>> Subject: Re: [Users] engine Failed to decrypt Data
>>>>>>>>> error
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Password length is 11 characters and consists of Upper, Lower
>>>>>>>>> case and one special character.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Jan 28, 2013 at 1:20 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> We tried to reproduce this.
>>>>>>>>> What password do you use? is there one with some great
>>>>>>>>> length?
>>>>>>>>> If not, Eli, we should send a debug patch for this.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Dead Horse" < deadhorseconsulting at gmail.com >
>>>>>>>>>> To: "< users at ovirt.org >" < users at ovirt.org >
>>>>>>>>>> Sent: Monday, January 28, 2013 9:16:20 PM
>>>>>>>>>> Subject: [Users] engine Failed to decrypt Data error
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I see this repeating error in the engine logs quite a bit, any
>>>>>>>>>> ideas on what causes it?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2013-01-28 13:13:40,483 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-23) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>>> 2013-01-28 13:13:52,747 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-81) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>>> 2013-01-28 13:13:52,747 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-84) Failed to decrypt Blocktype mismatch: 0
>>>>>>>>>> 2013-01-28 13:13:52,761 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-85) Failed to decrypt Data must start with zero
>>>>>>>>>> 2013-01-28 13:14:00,964 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-23) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>>> 2013-01-28 13:14:00,964 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-20) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>>> 2013-01-28 13:14:02,983 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-29) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>>> 2013-01-28 13:14:02,983 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-34) Failed to decrypt Data must not be longer than 256 bytes
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> - DHC
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Users mailing list
>>>>>>>>>> Users at ovirt.org
>>>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>


-- 
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 
3ºD, 28016 Madrid, Spain
Registered in the Mercantile Registry of Madrid – C.I.F. B82657941 - Red Hat S.L.
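
The failure mode suggested in the reply above, as an added Java example that is not oVirt code and not part of the original message: a decoder whose output buffer is shared between threads returns arrays that are not exactly 256 bytes, which is the condition the RSA provider rejects. UnsafeDecoder is a hypothetical stand-in for the engine's "Encoding" class, java.util.Base64 is used as the thread-safe alternative, and the blob is constructed random data.

```java
import java.io.ByteArrayOutputStream;
import java.util.Base64;
import java.util.Random;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

public class SharedDecoderRace {
    static final int RSA_BLOCK = 2048 / 8; // 256 bytes: ciphertext size for a 2048-bit key

    // Hypothetical decoder (not the engine's class): the output buffer is a field,
    // so concurrent callers reset and append to the same buffer.
    static class UnsafeDecoder {
        private final ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] decode(String s) {
            out.reset();
            for (byte b : Base64.getDecoder().decode(s)) {
                out.write(b);
            }
            return out.toByteArray();
        }
    }

    // Decode the same blob from 8 threads and count results that are not 256 bytes.
    static int countBadLengths(Function<String, byte[]> decode, String blob) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        AtomicInteger bad = new AtomicInteger();
        for (int t = 0; t < 8; t++) {
            pool.submit(() -> {
                for (int i = 0; i < 20000; i++) {
                    if (decode.apply(blob).length != RSA_BLOCK) bad.incrementAndGet();
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return bad.get();
    }

    public static void main(String[] args) throws InterruptedException {
        byte[] block = new byte[RSA_BLOCK]; // constructed stand-in for an encrypted value
        new Random(1).nextBytes(block);
        String blob = Base64.getEncoder().encodeToString(block);
        System.out.println("shared buffer: " + countBadLengths(new UnsafeDecoder()::decode, blob));
        System.out.println("per-call:      " + countBadLengths(s -> Base64.getDecoder().decode(s), blob));
    }
}
```

The shared-buffer count depends on thread timing and is normally nonzero on a multi-core machine; the per-call count stays at zero because each call owns its output array.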


