checkmarx-ltd / cx-flow

Checkmarx Scan and Result Orchestration
Apache License 2.0

Jasypt encryption is broken. #1039

Closed nleach999 closed 1 year ago

nleach999 commented 2 years ago

Description

Jasypt encryption configuration appears to be broken and it appears it has been broken for a long time. Following the configuration instructions in the wiki at the time it was written did work. I tested back to v1.5.4 and the application would not start without the additional configs/workaround.

Expected Behavior

With a Jasypt configuration like this:

jasypt:
  encryptor:
    password: <password>
    algorithm: PBEWITHHMACSHA512ANDAES_256

and an encrypted value generated per the instructions on the wiki like so:

...snip...

checkmarx:
  version: 9.0
  client-id: resource_owner_client
  scope: access_control_api sast_rest_api  
  username: <username>
  password: ENC(qKXVyDhIYnl55GiIajsYF4HH1g+LlW5X7q5cNWT4VJavEiDmVcttPFjxt6Bato7DtpZWFmRqIJkkGU2bhwZyDQ==)

...snip...

CxFlow should start and be able to decrypt the encrypted value without needing to provide values that are used for Jasypt encryption (since at runtime CxFlow should only be decrypting).

Actual Behavior

v1.6.34 freezes on start, v1.6.33 and prior exit the application with a message that the password field can't be bound.

Reproduction

v1.6.34

CxFlow 1.6.34 freezes on startup. The last log line with org.springframework.core.env logging set to TRACE is:

2022-06-21 13:40:19.645 TRACE 17 --- [           main] o.s.c.e.PropertySourcesPropertyResolver   [] : Searching for key 'jasypt.encryptor.provider-class-name' in PropertySource 'configurationProperties'

I attempted to add this missing value (and others) to the yaml config after noticing that Jasypt appears to be looking for several values at start. Adding the "missing" config values in v1.6.34 does not work. For v1.6.34, the only way I could get it to work was to pass the configuration values Jasypt wants on the command line. This is a workaround, but not always ideal:

java -jar <cxflow> --jasypt.encryptor.provider-class-name=com.sun.crypto.provider.SunJCE --jasypt.encryptor.iv-generator-classname=org.jasypt.iv.RandomIvGenerator --jasypt.encryptor.provider-name=SunJCE --jasypt.encryptor.string-output-type=base64

Without these options passed on the command line, v1.6.34 freezes on startup.

v1.6.33 (and prior)

Startup of v1.6.33 without any additional Jasypt options ends CxFlow execution with this message:

***************************
APPLICATION FAILED TO START
***************************

Description:

Failed to bind properties under 'checkmarx.password' to java.lang.String:

Reason: org.springframework.boot.context.properties.bind.BindException: Failed to bind properties under 'checkmarx.password' to java.lang.String

Action:

Update your application's configuration

Placing the "missing" Jasypt values in the configuration yaml (as below) allows it to start:

jasypt:
  encryptor:
    password: <password>
    algorithm: PBEWITHHMACSHA512ANDAES_256
    provider-class-name: com.sun.crypto.provider.SunJCE
    iv-generator-classname: org.jasypt.iv.RandomIvGenerator
    provider-name: SunJCE
    string-output-type: base64

Environment Details

CxFlow v1.6.34 and v1.6.33

openjdk version "11.0.15" 2022-04-19
OpenJDK Runtime Environment (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1)
OpenJDK 64-Bit Server VM (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1, mixed mode, sharing)
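
An added example (not cx-flow's or Jasypt's own code) that mirrors the jasypt.encryptor.* keys from the workaround above with the plain Jasypt API, so a value can be encrypted and then decrypted with exactly the settings CxFlow will run with before it is placed in the YAML as ENC(...). The mapping of those keys onto SimpleStringPBEConfig setters is assumed to match what the Spring Boot integration does, and the passphrase and secret are placeholders.

```java
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import java.util.Map;

public class JasyptRoundTrip {

    // Same keys as the jasypt.encryptor block in the workaround; values for
    // password/secret are placeholders, not real credentials.
    static final Map<String, String> FULL = Map.of(
        "password", "PLACEHOLDER-passphrase",
        "algorithm", "PBEWITHHMACSHA512ANDAES_256",
        "provider-class-name", "com.sun.crypto.provider.SunJCE",
        "iv-generator-classname", "org.jasypt.iv.RandomIvGenerator",
        "provider-name", "SunJCE",
        "string-output-type", "base64");

    // Assumed mapping of the YAML keys onto Jasypt's config object.
    static PooledPBEStringEncryptor build(Map<String, String> props) {
        SimpleStringPBEConfig cfg = new SimpleStringPBEConfig();
        cfg.setPassword(props.get("password"));
        cfg.setAlgorithm(props.get("algorithm"));
        cfg.setPoolSize(1);
        if (props.containsKey("provider-class-name")) cfg.setProviderClassName(props.get("provider-class-name"));
        if (props.containsKey("iv-generator-classname")) cfg.setIvGeneratorClassName(props.get("iv-generator-classname"));
        if (props.containsKey("provider-name")) cfg.setProviderName(props.get("provider-name"));
        if (props.containsKey("string-output-type")) cfg.setStringOutputType(props.get("string-output-type"));
        PooledPBEStringEncryptor enc = new PooledPBEStringEncryptor();
        enc.setConfig(cfg);
        return enc;
    }

    // Strip the ENC(...) wrapper used in the YAML; plain values pass through.
    static String decryptProperty(PooledPBEStringEncryptor enc, String value) {
        if (value.startsWith("ENC(") && value.endsWith(")")) {
            return enc.decrypt(value.substring(4, value.length() - 1));
        }
        return value;
    }

    public static void main(String[] args) {
        String secret = "constructed-sample-secret";
        String wrapped = "ENC(" + build(FULL).encrypt(secret) + ")";
        System.out.println("checkmarx.password: " + wrapped);
        // Decrypt with a fresh encryptor built from the same settings: a mismatch
        // in algorithm or IV generator shows up here, not at CxFlow startup.
        boolean ok = secret.equals(decryptProperty(build(FULL), wrapped));
        System.out.println(ok ? "round-trip OK" : "round-trip FAILED");
    }
}
```

Because PBEWITHHMACSHA512ANDAES_256 is an AES-based algorithm, the IV generator setting is part of what the decrypting side needs, which is why the issue's minimal password-plus-algorithm configuration is not sufficient on its own.
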

cx-scord commented 1 year ago

@umeshwaghode @nleach999

Is this still an issue? Does this still need a fix?

nleach999 commented 1 year ago

@cx-scord I have not tried this with any of the latest releases. I would assume it still has an issue.

satyamchaurasiapersistent commented 1 year ago

Hi @cx-scord, we have run Jasypt encryption on the latest CxFlow and, if we provide the proper passphrase and algorithm in double quotes in CLI mode (--jasypt.encryptor.password="abcd" --jasypt.encryptor.algorithm="PBEWithMD5AndDES"), it's working fine.

satyamchaurasiapersistent commented 1 year ago

Please make sure, if you are using any online tool for encrypting the password, that you know which algorithm it uses for encryption or decryption.