SVT: Improve error message when password cannot be decrypted

[mtamboli]

Describe the bug
A clear and concise description of what the bug is. I am testing custom AES key as the feature is added to WebSphere/Open Liberty Operator.

I tried incorrect AES password which is not encrypted with provided AES key and I see below exceptions during startup and when accessing DB2. I think these exceptions are not clear and need to be updated. We need to clearly mentioned that password could not decrypted: AES algorithm is known to Liberty.

If there is a stack trace, please include the FULL stack trace (without any [internal classes] lines in it). To find the full stack trace, you may need to check in $WLP_OUTPUT_DIR/messages.log

[9/9/24, 20:55:20:285 UTC] 0000001e com.ibm.websphere.crypto.PasswordUtil                        E CWWKS1856E: The password was not processed because an unknown password algorithm exception was reported.
com.ibm.websphere.crypto.UnsupportedCryptoAlgorithmException
    at com.ibm.ws.crypto.util.PasswordCipherUtil.aesDecipher(PasswordCipherUtil.java:269)
    at com.ibm.ws.crypto.util.PasswordCipherUtil.decipher(PasswordCipherUtil.java:202)
    at com.ibm.websphere.crypto.PasswordUtil.decode_password(PasswordUtil.java:631)
    at com.ibm.websphere.crypto.PasswordUtil.passwordDecode(PasswordUtil.java:437)
    at com.ibm.ws.security.auth.data.internal.AuthDataImpl.activate(AuthDataImpl.java:49)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.felix.scr.impl.inject.methods.BaseMethod.invokeMethod(BaseMethod.java:245)
    at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$500(BaseMethod.java:41)
    at org.apache.felix.scr.impl.inject.methods.BaseMethod$Resolved.invoke(BaseMethod.java:687)
    at org.apache.felix.scr.impl.inject.methods.BaseMethod.invoke(BaseMethod.java:531)
    at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:317)
    at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:307)

Steps to Reproduce

Steps to reproduce the bug I saw the problem for Liberty application deployed in OCP cluster but it is equivalent to below steps:

1. Setup Liberty server
2. Include custom encryption key in server.xml
3. Encrypt DB2 password as part of the auth alias (in server.xml) with a different key than above provided key

   ./securityUtility encode --encoding=aes --key=random db2passwd
   {aes}AAGhuS5d7ECi6wS3TpfZPwlWST1Y7w/lXdfLJzS1N29r

4. When I restart Liberty server, I see exception during startup: [9/9/24, 20:55:20:285 UTC] 0000001e com.ibm.websphere.crypto.PasswordUtil E CWWKS1856E: The password was not processed because an unknown password algorithm exception was reported.

Expected behavior
A clear and concise description of what you expected to happen. We need improved exception which says that provided password cannot be decrypted instead of unknown password algorithm

Diagnostic information:

• OpenLiberty Version: [e.g. 21.0.0.8 - 21.0.0.10]
• Affected feature(s) [e.g. mpHealth-3.0]
• Java Version: [i.e. full output of java -version]
• server.xml configuration (WITHOUT sensitive information like passwords)
• If it would be useful, upload the messages.log file found in $WLP_OUTPUT_DIR/messages.log

Liberty version 24.0.0.8 Eclipse OpenJ9 VM, version 17.0.8.1+1 (en_US)

Additional context
Add any other context about the problem here.

[mtamboli]

FYI, @arkarkala @leochr @jgawor

[Zech-Hein]

Hi Monica,

I agree, we can improve the message here The password was not processed because an unknown password algorithm exception was reported. UnsupportedCryptoAlgorithmException... is not very helpful.

Perhaps we could say something like Unable to decode the {AES} password, this may be due to the password being encoded using a different encryption key or there is a typo in the encoded password value. Ensure the wlp.password.encryption.key property is set to the same value that was used to encode the password

[mtamboli]

Hi Monica,

I agree, we can improve the message here The password was not processed because an unknown password algorithm exception was reported. UnsupportedCryptoAlgorithmException... is not very helpful.

Perhaps we could say something like Unable to decode the {AES} password, this may be due to the password being encoded using a different encryption key or there is a typo in the encoded password value. Ensure the wlp.password.encryption.key property is set to the same value that was used to encode the password

I like your suggestion for the new message. Thank you for looking into this.