Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-12272

Decrypting master key does not decrypt user's private keys

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 4.9.0, 4.9.1, 4.10.0, 4.11.0, 4.11.1
    • Fix Version/s: 4.12.0
    • Component/s: Security
    • Labels:
      None

      Description

      Decrypting the master key in the UI will not decrypt user's encrypted private keys. This can cause an error for users trying to get new authentication keys (with NPM for example). When they do, they get this error:

      2016-08-16 10:36:30,952 [http-nio-8081-exec-2] [ERROR] (o.a.r.c.e.GlobalExceptionMapper:48) - Cannot decode encrypted key pair without master wrapper for Encoded key ['AReXXXXXXXX_485','AU8XXXXXXXX_136']
      java.lang.IllegalStateException: Cannot decode encrypted key pair without master wrapper for Encoded key ['AReXXXXXXXX_485','AU8XXXXXXXX_136']
      	at org.jfrog.security.crypto.EncodedKeyPair.decode(EncodedKeyPair.java:61) ~[jfrog-crypto-1.0.0.jar:na]
      	at org.jfrog.security.crypto.JFrogCryptoHelper.createKeyWrapper(JFrogCryptoHelper.java:77) ~[jfrog-crypto-1.0.0.jar:na]
      	at org.artifactory.security.SecurityServiceImpl.createEncryptedPasswordIfNeeded(SecurityServiceImpl.java:1432) ~[artifactory-core-4.11.0.jar:na]
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_101]
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_101]
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_101]
      	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_101]
      	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) ~[spring-aop-4.1.5.RELEASE.jar:4.1.5.RELEASE]
      	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:201) ~[spring-aop-4.1.5.RELEASE.jar:4.1.5.RELEASE]
      	at com.sun.proxy.$Proxy24.createEncryptedPasswordIfNeeded(Unknown Source) ~[na:na]
      	at org.artifactory.ui.rest.service.admin.security.user.userprofile.UnlockUserProfileService.updateUserInfo(UnlockUserProfileService.java:123) ~[artifactory-rest-ui-4.11.0.jar:na]
      	at org.artifactory.ui.rest.service.admin.security.user.userprofile.UnlockUserProfileService.getUserProfile(UnlockUserProfileService.java:101) ~[artifactory-rest-ui-4.11.0.jar:na]
      	at org.artifactory.ui.rest.service.admin.security.user.userprofile.UnlockUserProfileService.fetchUserProfile(UnlockUserProfileService.java:88) ~[artifactory-rest-ui-4.11.0.jar:na]
      	at org.artifactory.ui.rest.service.admin.security.user.userprofile.UnlockUserProfileService.execute(UnlockUserProfileService.java:67) ~[artifactory-rest-ui-4.11.0.jar:na]
      	at org.artifactory.rest.common.service.ServiceExecutor.process(ServiceExecutor.java:38) ~[artifactory-rest-common-4.11.0.jar:na]
      	at org.artifactory.rest.common.resource.BaseResource.runService(BaseResource.java:92) ~[artifactory-rest-common-4.11.0.jar:na]
      	at org.artifactory.ui.rest.resource.admin.security.user.UserProfileResource.unlockUserProfile(UserProfileResource.java:55) ~[artifactory-rest-ui-4.11.0.jar:na]
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_101]
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_101]
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_101]
      	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_101]
      	at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60) ~[jersey-server-1.19.jar:1.19]
      	at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:205) ~[jersey-server-1.19.jar:1.19]
      	at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75) ~[jersey-server-1.19.jar:1.19]
      	at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302) ~[jersey-server-1.19.jar:1.19]
      	at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108) ~[jersey-server-1.19.jar:1.19]
      	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) ~[jersey-server-1.19.jar:1.19]
      	at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84) ~[jersey-server-1.19.jar:1.19]
      	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542) [jersey-server-1.19.jar:1.19]
      	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473) [jersey-server-1.19.jar:1.19]
      	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419) [jersey-server-1.19.jar:1.19]
      	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409) [jersey-server-1.19.jar:1.19]
      	at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409) [jersey-servlet-1.19.jar:1.19]
      	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558) [jersey-servlet-1.19.jar:1.19]
      	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733) [jersey-servlet-1.19.jar:1.19]
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) [servlet-api.jar:na]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292) [catalina.jar:8.0.32]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [catalina.jar:8.0.32]
      	at org.artifactory.webapp.servlet.RepoFilter.execute(RepoFilter.java:200) [artifactory-web-application-4.11.0.jar:na]
      	at org.artifactory.webapp.servlet.RepoFilter.doFilter(RepoFilter.java:91) [artifactory-web-application-4.11.0.jar:na]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [catalina.jar:8.0.32]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [catalina.jar:8.0.32]
      	at org.artifactory.webapp.servlet.AccessFilter.useAuthentication(AccessFilter.java:381) [artifactory-web-application-4.11.0.jar:na]
      	at org.artifactory.webapp.servlet.AccessFilter.doFilterInternal(AccessFilter.java:203) [artifactory-web-application-4.11.0.jar:na]
      	at org.artifactory.webapp.servlet.AccessFilter.doFilter(AccessFilter.java:157) [artifactory-web-application-4.11.0.jar:na]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [catalina.jar:8.0.32]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [catalina.jar:8.0.32]
      	at org.artifactory.webapp.servlet.RequestFilter.doFilter(RequestFilter.java:61) [artifactory-web-application-4.11.0.jar:na]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [catalina.jar:8.0.32]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [catalina.jar:8.0.32]
      	at org.artifactory.webapp.servlet.ArtifactoryFilter.doFilter(ArtifactoryFilter.java:111) [artifactory-web-application-4.11.0.jar:na]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [catalina.jar:8.0.32]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [catalina.jar:8.0.32]
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [catalina.jar:8.0.32]
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [catalina.jar:8.0.32]
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [catalina.jar:8.0.32]
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [catalina.jar:8.0.32]
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [catalina.jar:8.0.32]
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522) [catalina.jar:8.0.32]
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095) [tomcat-coyote.jar:8.0.32]
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672) [tomcat-coyote.jar:8.0.32]
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-coyote.jar:8.0.32]
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-coyote.jar:8.0.32]
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_101]
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_101]
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.32]
      	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101]
      

      Steps to reproduce:
      1) Make sure your master key is encrypted
      2) Create a user in 4.9.0 - 4.11.1
      3) Unlock the user so it has an encrypted password
      4) Decrypt the master key
      5) Log in as the new user and try to unlock the user, stacktrace happens

        Attachments

          Activity

            People

            • Assignee:
              shayy Shay Yaakov (Inactive)
              Reporter:
              aaronr Aaron Rhodes
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: