Feature #2652

Create a task to generate new initialization vector for values in the confidential storage

Added by Alena Peterová about 2 months ago. Updated 3 days ago.

Status:
Closed
Priority:
Normal
Category:
Confidential Storage
Target version:
Start date:
01/21/2021
Due date:
% Done:

100%

Estimated time:
Milestones:

Description

Following #2355, we need some easy way to generate a new initialization vector for existing values in the confidential storage. Please create an LRT or script which will do this.
This will be used for projects which are upgraded from a version < 10.6. The values used a hardcoded initialization vector, which is a security issue.


Note:
The following message can be seen when IdM uses a hardcoded IV:

2021-01-20 16:44:24.129  WARN 206299 --- [http-nio-8080-exec-3] e.b.i.c.s.s.impl.DefaultCryptService.decrypt : IdM use old behavior with static vector. Please don't use this deprecated method.

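As an added illustration, not part of this issue and not CzechIdM's own code, the following Go program (standard library only) shows the weakness behind the request and what such a task has to do. It assumes a simplified store row in which an empty IV column marks a legacy value (the "null value in the DB" convention mentioned later in this issue); the key, the static IV, the owners and the sample secrets are constructed for the example, and the real constant and key handling are not reproduced. The migration decrypts each legacy row under the static IV, re-encrypts it under a fresh random IV, stores that IV beside the ciphertext, and skips rows that already carry one, so re-running it is harmless.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a hypothetical store row (not CzechIdM's schema): IV == nil marks a legacy value.
type Record struct {
	Owner      string
	Ciphertext []byte
	IV         []byte
}

var staticIV = []byte("0123456789abcdef") // stands in for the old hardcoded vector (constructed)

// cbc is AES-CBC with PKCS#7 padding under an explicit IV; enc selects the direction.
func cbc(key, iv, in []byte, enc bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if enc { // pad to whole blocks, copying so the caller's slice is left untouched
		n := bs - len(in)%bs
		in = append(in[:len(in):len(in)], bytes.Repeat([]byte{byte(n)}, n)...)
		out := make([]byte, len(in))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
		return out, nil
	}
	if len(in) == 0 || len(in)%bs != 0 {
		return nil, errors.New("ciphertext length is not a positive multiple of the block size")
	}
	out := make([]byte, len(in))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	n := int(out[len(out)-1]) // PKCS#7: the last byte is the pad length and every pad byte equals it
	if n == 0 || n > bs || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return out[:len(out)-n], nil
}

// EncryptLegacy writes a value the old way: one static IV for every value and nothing in the IV column.
func EncryptLegacy(key, plaintext []byte, owner string) (Record, error) {
	ct, err := cbc(key, staticIV, plaintext, true)
	return Record{Owner: owner, Ciphertext: ct}, err
}

// EncryptNew writes a value the corrected way: a fresh random IV per value, stored beside the ciphertext.
func EncryptNew(key, plaintext []byte, owner string) (Record, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return Record{}, err
	}
	ct, err := cbc(key, iv, plaintext, true)
	return Record{Owner: owner, Ciphertext: ct, IV: iv}, err
}

// Decrypt reads either generation; the static IV is used only when none is stored (the deprecated path).
func Decrypt(key []byte, r Record) ([]byte, error) {
	if r.IV == nil {
		return cbc(key, staticIV, r.Ciphertext, false)
	}
	return cbc(key, r.IV, r.Ciphertext, false)
}

// MigrateRecords re-encrypts every legacy row under a fresh IV and reports how many it touched. Rows that
// already carry an IV are skipped (safe to re-run); a row is replaced only once its new ciphertext exists.
func MigrateRecords(key []byte, recs []Record) (int, error) {
	migrated := 0
	for i, r := range recs {
		if r.IV != nil {
			continue
		}
		pt, err := Decrypt(key, r)
		if err != nil {
			return migrated, fmt.Errorf("record %d (%s): %w", i, r.Owner, err)
		}
		nr, err := EncryptNew(key, pt, r.Owner)
		if err != nil {
			return migrated, err
		}
		recs[i] = nr
		migrated++
	}
	return migrated, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; real keys come from the keystore
	a, _ := EncryptLegacy(key, []byte("Secret123"), "identity-a")
	b, _ := EncryptLegacy(key, []byte("Secret123"), "identity-b")
	recs := []Record{a, b}
	n, err := MigrateRecords(key, recs)
	fmt.Println("migrated:", n, "error:", err, "identical before:", bytes.Equal(a.Ciphertext, b.Ciphertext), "identical after:", bytes.Equal(recs[0].Ciphertext, recs[1].Ciphertext))
}
```

Run as-is, it reports that the two legacy rows holding the same secret are byte-identical before the migration and differ afterwards; that equality is exactly what a shared static IV leaks to anyone who can read the table, even without the key. In a real task the new IV and the new ciphertext must be written in the same transaction, otherwise a crash between the two writes leaves a row that decrypts to garbage under either IV.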

Related issues

Related to CzechIdM - Task #2355: Confidential storage cipher uses hardcoded initialization vector (Closed, 07/01/2020 to 09/16/2020)

History

#1 Updated by Alena Peterová about 2 months ago

  • Related to Task #2355: Confidential storage cipher uses hardcoded initialization vector added

#2 Updated by Radek Tomiška about 2 months ago

  • Assignee deleted (Radek Tomiška)

#3 Updated by Radek Tomiška 25 days ago

  • Assignee set to Alena Peterová

#4 Updated by Alena Peterová 15 days ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 60

The task was created in apeterova/2652-generate-initialization-vector-task; some little things and documentation remain.
I chose a task over a Groovy script, because the classes working with the confidential storage are not ScriptEnabled and I don't want to make such changes in them.

Tested in my local environment for 30 000 confidential configuration properties, the task took 3 or 5 minutes respectively (depending on whether it logged the processed items).

These numbers are from one large project:

select count(*), owner_type from idm_confidential_storage group by owner_type;
 count |                       owner_type                        
-------+---------------------------------------------------------
    33 | eu.bcvsolutions.idm.acc.entity.SysSystemFormValue
 34559 | eu.bcvsolutions.idm.acc.entity.SysProvisioningOperation
   815 | eu.bcvsolutions.idm.core.model.entity.IdmIdentity
     4 | eu.bcvsolutions.idm.core.model.entity.IdmConfiguration

#5 Updated by Alena Peterová 14 days ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Alena Peterová to Radek Tomiška
  • % Done changed from 60 to 90

I made some adjustments and also tested locally with a value encrypted in the original way (with a static initialization vector and a null value in the DB). The integration test is in the existing class DefaultIdmConfidentialStorageIntegrationTest.

Commit: https://github.com/bcvsolutions/CzechIdMng/commit/d402bd0682633d0668e63879c561847d7a27ae10

Documentation (admin, the link for this was added also to the Changelog): https://wiki.czechidm.com/devel/documentation/adm/confidential_storage#generate_initialization_vectors
Documentation (dev): https://wiki.czechidm.com/devel/documentation/application_configuration/dev/scheduled_tasks/task-scheduler#generateconfidentialstorageinitializationvectorstaskexecutor

Could you please provide feedback?

#6 Updated by Radek Tomiška 11 days ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Radek Tomiška to Alena Peterová
  • % Done changed from 90 to 100

I did a test and code review, it's awesome, thx!

Note: Merged into develop (without a change), nice :)

#7 Updated by Radek Tomiška 3 days ago

  • Status changed from Resolved to Closed
