eclipse-ee4j / eclipselink

Eclipselink project
https://eclipse.dev/eclipselink/

StreamCorruptedException thrown when using a password which resembles a hex string #885

Open jbrunclik opened 4 years ago

jbrunclik commented 4 years ago

When we try to use certain passwords which resemble a hex string to access a PostgreSQL database, EclipseLink bails out with the following exception:

2020-08-24_13:08:54.41964 Exception Description: Error encountered during string decryption.
--
2020-08-24_13:08:54.41964 Internal Exception: java.io.StreamCorruptedException: invalid stream header: 08B985D7
2020-08-24_13:08:54.41965       at org.eclipse.persistence.exceptions.ValidationException.errorDecryptingPassword(ValidationException.java:896)
2020-08-24_13:08:54.41965       at org.eclipse.persistence.internal.security.JCEEncryptor.decryptPassword(JCEEncryptor.java:133)
2020-08-24_13:08:54.41966       at org.eclipse.persistence.internal.jpa.EntityManagerSetupImpl.updateLogins(EntityManagerSetupImpl.java:2473)
2020-08-24_13:08:54.41966       at org.eclipse.persistence.internal.jpa.EntityManagerSetupImpl.updateSession(EntityManagerSetupImpl.java:2785)
2020-08-24_13:08:54.41966       at org.eclipse.persistence.internal.jpa.EntityManagerSetupImpl.deploy(EntityManagerSetupImpl.java:746)
2020-08-24_13:08:54.41966       ... 57 more
2020-08-24_13:08:54.41966 Caused by: java.io.StreamCorruptedException: invalid stream header: 08B985D7
2020-08-24_13:08:54.41967       at java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java:918)
2020-08-24_13:08:54.41967       at java.io.ObjectInputStream.<init>(ObjectInputStream.java:376)
2020-08-24_13:08:54.41967       at org.eclipse.persistence.internal.security.JCEEncryptor.decryptPassword(JCEEncryptor.java:123)
2020-08-24_13:08:54.41967       ... 60 more
2020-08-24_13:08:54.41967

Examples of passwords causing the above behavior are:

It looks like catching java.io.StreamCorruptedException in the decryptPassword function could help to achieve the desired result (i.e. using the password as a literal string rather than trying to decrypt it).
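
The failure mode described above, and the proposed fallback, as an added example that is not EclipseLink's code: a hypothetical PasswordDecryptDemo class with a made-up AES key, IV and cipher transformation mirrors the pipeline the stack trace implies (hex string, decode to bytes, Cipher.doFinal, then an ObjectInputStream whose constructor validates the serialization header). decryptStrict reproduces the exception in the issue; decryptOrLiteral adds the catch-and-use-literal behaviour the report suggests. The class and method names, the key material and the sample passwords are all constructed for this example; nothing here is taken from JCEEncryptor.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.StreamCorruptedException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical demo class, not EclipseLink code. It reproduces the pipeline the
// stack trace implies: hex string -> bytes -> cipher.doFinal -> ObjectInputStream.
public class PasswordDecryptDemo {

    // Constructed key/IV/transformation for the demo only; EclipseLink's real
    // key material and cipher choice are not shown on the issue page.
    private static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] IV = "fedcba9876543210".getBytes(StandardCharsets.US_ASCII);
    private static final String TRANSFORM = "AES/CBC/PKCS5Padding";

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Rejects anything that is not an even-length string of hex digits.
    static byte[] fromHex(String s) {
        if (s.length() % 2 != 0) {
            throw new IllegalArgumentException("odd length");
        }
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(s.charAt(2 * i), 16);
            int lo = Character.digit(s.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("not hex");
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    private static Cipher cipher(int mode) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(mode, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(IV));
        return c;
    }

    // Produces the hex form a genuinely encrypted password would have.
    static String encryptPassword(String password) throws GeneralSecurityException, IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(password); // stream begins with the header AC ED 00 05
        }
        return toHex(cipher(Cipher.ENCRYPT_MODE).doFinal(bos.toByteArray()));
    }

    // Strict variant: behaves like the trace in the issue. Any hex-looking input is
    // decoded and decrypted; the ObjectInputStream constructor then checks the
    // serialization header and throws StreamCorruptedException if it is wrong.
    static String decryptStrict(String value)
            throws GeneralSecurityException, IOException, ClassNotFoundException {
        byte[] plain = cipher(Cipher.DECRYPT_MODE).doFinal(fromHex(value));
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            return (String) ois.readObject();
        }
    }

    // Lenient variant: the fallback proposed in the issue. Anything that does not
    // survive decode + decrypt + header check is treated as a literal password.
    static String decryptOrLiteral(String value) {
        byte[] raw;
        try {
            raw = fromHex(value);
        } catch (IllegalArgumentException notHex) {
            return value; // plainly not an encrypted value
        }
        try {
            byte[] plain = cipher(Cipher.DECRYPT_MODE).doFinal(raw);
            try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(plain))) {
                return (String) ois.readObject();
            }
        } catch (StreamCorruptedException e) {
            return value; // decrypted, but the bytes never were a serialized String
        } catch (GeneralSecurityException | IOException | ClassNotFoundException | ClassCastException e) {
            return value; // wrong length for the block size, bad padding, and so on
        }
    }

    public static void main(String[] args) throws Exception {
        String encrypted = encryptPassword("s3cret!");
        System.out.println("round trip ok: " + "s3cret!".equals(decryptOrLiteral(encrypted)));

        // Constructed literal passwords that happen to be valid hex strings.
        String[] hexLike = {"deadbeefdeadbeefdeadbeefdeadbeef", "0123456789abcdef0123456789abcdef", "cafebabe"};
        for (String pw : hexLike) {
            try {
                decryptStrict(pw);
                System.out.println(pw + ": strict decrypt unexpectedly succeeded");
            } catch (Exception e) {
                System.out.println(pw + ": strict -> " + e.getClass().getSimpleName());
            }
            System.out.println(pw + ": lenient -> " + decryptOrLiteral(pw));
        }
    }
}
```

Two things worth noting when running this. First, which exception a hex-looking literal produces depends on what it decrypts to: a length that is not a multiple of the block size fails in doFinal with IllegalBlockSizeException, a block whose final bytes are not valid padding fails with BadPaddingException, and only a value that clears both lands in the ObjectInputStream constructor, which is the StreamCorruptedException path the trace shows (readStreamHeader called from ObjectInputStream.<init>, so no object is read before the failure). A fallback that catches only StreamCorruptedException therefore covers just the last of those cases. Second, a value that does decrypt to a well-formed stream is handed to readObject unchecked; if this pattern is kept, restricting the stream with a java.io.ObjectInputFilter (Java 9 and later) to java.lang.String is a cheap way to avoid deserializing anything else from a configuration value.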

lukasj commented 4 years ago

What does java -jar eclipselink.jar (or the log) say about the EclipseLink version being used?

graywolf-at-work commented 4 years ago

Based on pom.xml I think we are using version 2.7.3. But based on our investigation, the code in master is exactly the same, so it should not matter.

lukasj commented 4 years ago

The same class also exists in older versions, where the code is different. How is one supposed to know the one in use without asking? Btw, thanks for the additional details.