Feature #2652
closed

Create a task to generate new initialization vector for values in the confidential storage
100%
Description
Following #2355, we need some easy way to generate new initialization vectors for the existing values in the confidential storage. Please create an LRT or a script which will do this.
This will be used for projects which are upgraded from a version < 10.6. Those values used a hardcoded initialization vector, which is a security issue.
Note:
The following message can be seen when IdM uses the hardcoded IV:
2021-01-20 16:44:24.129 WARN 206299 --- [http-nio-8080-exec-3] e.b.i.c.s.s.impl.DefaultCryptService.decrypt : IdM use old behavior with static vector. Please don't use this deprecated method.
Related issues
Updated by Alena Peterová almost 4 years ago
- Related to Task #2355: Confidential storage cipher uses hardcoded initialization vector added
Updated by Alena Peterová almost 4 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 60
The task was created in apeterova/2652-generate-initialization-vector-task; some little things and documentation remain.
I chose a task over a Groovy script, because the classes working with the confidential storage are not ScriptEnabled and I don't want to make such changes in them.
Tested in my local environment with 30 000 confidential configuration properties, the task took 3 or 5 minutes respectively (depending on whether it logged the processed items).
These numbers are from one large project:
select count(*), owner_type from idm_confidential_storage group by owner_type;

 count | owner_type
-------+---------------------------------------------------------
    33 | eu.bcvsolutions.idm.acc.entity.SysSystemFormValue
 34559 | eu.bcvsolutions.idm.acc.entity.SysProvisioningOperation
   815 | eu.bcvsolutions.idm.core.model.entity.IdmIdentity
     4 | eu.bcvsolutions.idm.core.model.entity.IdmConfiguration
Updated by Alena Peterová almost 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Alena Peterová to Radek Tomiška
- % Done changed from 60 to 90
I made some adjustments and also tested locally with a value encrypted in the original way (with the static initialization vector and a null value in the DB). The integration test is in the existing class DefaultIdmConfidentialStorageIntegrationTest.
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/d402bd0682633d0668e63879c561847d7a27ae10
Documentation (admin; the link to this was also added to the Changelog): https://wiki.czechidm.com/devel/documentation/adm/confidential_storage#generate_initialization_vectors
Documentation (dev): https://wiki.czechidm.com/devel/documentation/application_configuration/dev/scheduled_tasks/task-scheduler#generateconfidentialstorageinitializationvectorstaskexecutor
Could you please give me some feedback?
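The re-encryption step that the task in this issue performs, as an added Go example that is not CzechIdM code (the project itself is Java; AES-256-CBC with PKCS#7 padding is an assumed cipher mode, and the key and the static vector below are constructed placeholders, not the real ones): a row whose IV column is null is decrypted with the static vector and written back under a fresh random IV, while rows that already carry an IV pass through unchanged, so the task can be rerun safely and a row that fails to decrypt is reported rather than overwritten.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

var key = []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte AES-256 key, not CzechIdM's
var legacyStaticIV = []byte("LEGACY-STATIC-IV")     // constructed 16-byte static IV shared by every old value
// Record mirrors one confidential storage row; IV == nil means the old static-vector encryption (null IV in the DB).
type Record struct{ Ciphertext, IV []byte }
func encryptCBC(iv, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 pad length, always 1..16
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(padded, padded) // encrypt in place, padded is a fresh copy
	return padded
}
func decryptCBC(iv, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a whole number of blocks", len(ciphertext))
	}
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	if n := int(out[len(out)-1]); n >= 1 && n <= aes.BlockSize { // checks the pad length byte only
		return out[:len(out)-n], nil
	}
	return nil, fmt.Errorf("bad PKCS#7 padding")
}
// migrateRecord re-encrypts a legacy (static-IV) row under a fresh random IV; rows that already carry an IV pass through unchanged.
func migrateRecord(r Record) (Record, error) {
	if r.IV != nil {
		return r, nil
	}
	plain, err := decryptCBC(legacyStaticIV, r.Ciphertext)
	if err != nil {
		return r, err // keep the row as it is and report it instead of destroying the value
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return r, err
	}
	return Record{Ciphertext: encryptCBC(iv, plain), IV: iv}, nil
}
func main() { // constructed legacy row: encrypted with the static vector, IV column null
	fmt.Println(migrateRecord(Record{Ciphertext: encryptCBC(legacyStaticIV, []byte("s3cret"))}))
}
```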
Updated by Radek Tomiška almost 4 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Radek Tomiška to Alena Peterová
- % Done changed from 90 to 100
I did testing and a code review, it's awesome, thx!
Note: Merged into develop (without a change), nice :)
Updated by Radek Tomiška almost 4 years ago
- Status changed from Resolved to Closed