Create a task to generate new initialization vector for values in the confidential storage
Following #2355, we need some easy way to generate new initialization vector for existing values in the confidential storage. Please create a LRT, or script, which will do this.
This will be used for projects, which are upgraded from a version < 10.6. The values used hardcoded initialization vector, which is a security issue.
The following message can be seen when IdM uses hardcoded IV:
2021-01-20 16:44:24.129 WARN 206299 --- [http-nio-8080-exec-3] e.b.i.c.s.s.impl.DefaultCryptService.decrypt : IdM use old behavior with static vector. Please don't use this deprecated method.
#4 Updated by Alena Peterová 5 months ago
- Status changed from New to In Progress
- % Done changed from 0 to 60
The task was created in apeterova/2652-generate-initialization-vector-task, some little things and documentation remains.
I chose a task over a groovy script, because the classes working with the confidential storage are not ScriptEnabled and I don't want to make such changes in them.
Tested in my local environment for 30 000 confidential configuration properties, the task took 3 resp. 5 minutes (depending if it logged the processed items).
These numbers are from one large project:
select count(*), owner_type from idm_confidential_storage group by owner_type; count | owner_type -------+--------------------------------------------------------- 33 | eu.bcvsolutions.idm.acc.entity.SysSystemFormValue 34559 | eu.bcvsolutions.idm.acc.entity.SysProvisioningOperation 815 | eu.bcvsolutions.idm.core.model.entity.IdmIdentity 4 | eu.bcvsolutions.idm.core.model.entity.IdmConfiguration
#5 Updated by Alena Peterová 5 months ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Alena Peterová to Radek Tomiška
- % Done changed from 60 to 90
I made some adjustments and tested locally also for a value encrypted in the original way (with static initialization vector and null value in the DB). The integration test is in the existing class DefaultIdmConfidentialStorageIntegrationTest.
Documentation (admin, the link for this was added also to the Changelog): https://wiki.czechidm.com/devel/documentation/adm/confidential_storage#generate_initialization_vectors
Documentation (dev): https://wiki.czechidm.com/devel/documentation/application_configuration/dev/scheduled_tasks/task-scheduler#generateconfidentialstorageinitializationvectorstaskexecutor
Could you please provide me a feedback?