Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-25937

"Given final block not properly padded" after deleting master.key after Java security update

    Details

    • Similar Issues:

      Description

      Recently core tests have started failing:

      https://jenkins.ci.cloudbees.com/job/core/job/jenkins-core-validated-merge/307/testReport/junit/jenkins.security/DefaultConfidentialStoreTest/roundtrip/

      java.io.IOException: javax.crypto.BadPaddingException: Given final block not properly padded
      	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:811)
      	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:676)
      	at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:313)
      	at javax.crypto.Cipher.doFinal(Cipher.java:1970)
      	at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:112)
      	at javax.crypto.CipherInputStream.read(CipherInputStream.java:233)
      	at javax.crypto.CipherInputStream.read(CipherInputStream.java:209)
      	at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1792)
      	at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1769)
      	at org.apache.commons.io.IOUtils.copy(IOUtils.java:1744)
      	at org.apache.commons.io.IOUtils.toByteArray(IOUtils.java:462)
      	at jenkins.security.DefaultConfidentialStore.load(DefaultConfidentialStore.java:106)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:606)
      	at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoCachedMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:230)
      	at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53)
      	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
      	at jenkins.security.DefaultConfidentialStoreTest.roundtrip(DefaultConfidentialStoreTest.groovy:52)
      

      This is reproducible when the test is run on Java 8, but not 7. It looks like a real bug, not just a test failure; this part of the test checks what happens when master.key is deleted and recreated, which presumably is a rare event, so it is not surprising if this was never noticed by users.

        Attachments

          Activity

          Hide
          jglick Jesse Glick added a comment -

          CipherInputStream.getMoreData is rethrowing the BadPaddingException as an IOException, rather than ignoring it as the code used to do. This was introduced in http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/a132f7c497f8 which seems to be introduced as of jdk8u25-b01 though for some reason https://bugs.openjdk.java.net/browse/JDK-8037846 does not seem to be publicly available (perhaps it was a security vulnerability) and http://www.oracle.com/technetwork/java/javase/2col/8u25-bugfixes-2298227.html does not mention anything apparently related. https://bugs.openjdk.java.net/browse/JDK-8061619 appears to track the fact that this was a functional regression (and also implies that 7u71 is affected!), but it is closed without comment. https://bugzilla.redhat.com/show_bug.cgi?id=1151063 talks about CVE-2014-6558 and seems to have the most information.

          Show
          jglick Jesse Glick added a comment - CipherInputStream.getMoreData is rethrowing the BadPaddingException as an IOException , rather than ignoring it as the code used to do. This was introduced in http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/a132f7c497f8 which seems to be introduced as of jdk8u25-b01 though for some reason https://bugs.openjdk.java.net/browse/JDK-8037846 does not seem to be publicly available (perhaps it was a security vulnerability) and http://www.oracle.com/technetwork/java/javase/2col/8u25-bugfixes-2298227.html does not mention anything apparently related. https://bugs.openjdk.java.net/browse/JDK-8061619 appears to track the fact that this was a functional regression (and also implies that 7u71 is affected!), but it is closed without comment. https://bugzilla.redhat.com/show_bug.cgi?id=1151063 talks about CVE-2014-6558 and seems to have the most information.
          Hide
          dogfood dogfood added a comment -

          Integrated in jenkins_main_trunk #3854
          [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue. (Revision 6318b8d800abdf8b280f4e1b8ce8bf22e49242ad)

          Result = SUCCESS
          jesse glick : 6318b8d800abdf8b280f4e1b8ce8bf22e49242ad
          Files :

          • core/src/main/java/jenkins/security/DefaultConfidentialStore.java
          • changelog.html
          Show
          dogfood dogfood added a comment - Integrated in jenkins_main_trunk #3854 [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue. (Revision 6318b8d800abdf8b280f4e1b8ce8bf22e49242ad) Result = SUCCESS jesse glick : 6318b8d800abdf8b280f4e1b8ce8bf22e49242ad Files : core/src/main/java/jenkins/security/DefaultConfidentialStore.java changelog.html
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          core/src/main/java/jenkins/security/DefaultConfidentialStore.java
          http://jenkins-ci.org/commit/jenkins/6318b8d800abdf8b280f4e1b8ce8bf22e49242ad
          Log:
          [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue.

          Compare: https://github.com/jenkinsci/jenkins/compare/a59cf9f37f47...6318b8d800ab

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: changelog.html core/src/main/java/jenkins/security/DefaultConfidentialStore.java http://jenkins-ci.org/commit/jenkins/6318b8d800abdf8b280f4e1b8ce8bf22e49242ad Log: [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue. Compare: https://github.com/jenkinsci/jenkins/compare/a59cf9f37f47...6318b8d800ab
          Hide
          olivergondza Oliver Gondža added a comment -

          FTR: I observe the same test failure using OpenJDK 1.7.0_71.

          Show
          olivergondza Oliver Gondža added a comment - FTR: I observe the same test failure using OpenJDK 1.7.0_71.
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/jenkins/security/DefaultConfidentialStore.java
          http://jenkins-ci.org/commit/jenkins/5ded56a8288dfcfb9e389ea85edc13cf49981a2a
          Log:
          [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue.

          (cherry picked from commit 6318b8d800abdf8b280f4e1b8ce8bf22e49242ad)

          Conflicts:
          changelog.html

          Compare: https://github.com/jenkinsci/jenkins/compare/23e0d6ad1964...5ded56a8288d

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: core/src/main/java/jenkins/security/DefaultConfidentialStore.java http://jenkins-ci.org/commit/jenkins/5ded56a8288dfcfb9e389ea85edc13cf49981a2a Log: [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue. (cherry picked from commit 6318b8d800abdf8b280f4e1b8ce8bf22e49242ad) Conflicts: changelog.html Compare: https://github.com/jenkinsci/jenkins/compare/23e0d6ad1964...5ded56a8288d
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          core/src/main/java/jenkins/security/DefaultConfidentialStore.java
          http://jenkins-ci.org/commit/jenkins/16afb73b254504d0f0f1246e34cce1fb5bd65c35
          Log:
          [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue.

          (cherry picked from commit 6318b8d800abdf8b280f4e1b8ce8bf22e49242ad)

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: changelog.html core/src/main/java/jenkins/security/DefaultConfidentialStore.java http://jenkins-ci.org/commit/jenkins/16afb73b254504d0f0f1246e34cce1fb5bd65c35 Log: [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue. (cherry picked from commit 6318b8d800abdf8b280f4e1b8ce8bf22e49242ad)
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          core/src/main/java/jenkins/security/DefaultConfidentialStore.java
          http://jenkins-ci.org/commit/jenkins/16afb73b254504d0f0f1246e34cce1fb5bd65c35
          Log:
          [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue.

          (cherry picked from commit 6318b8d800abdf8b280f4e1b8ce8bf22e49242ad)

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: changelog.html core/src/main/java/jenkins/security/DefaultConfidentialStore.java http://jenkins-ci.org/commit/jenkins/16afb73b254504d0f0f1246e34cce1fb5bd65c35 Log: [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue. (cherry picked from commit 6318b8d800abdf8b280f4e1b8ce8bf22e49242ad)
          Hide
          dogfood dogfood added a comment -

          Integrated in jenkins_main_trunk #3989
          [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue. (Revision 16afb73b254504d0f0f1246e34cce1fb5bd65c35)

          Result = SUCCESS
          jesse glick : 16afb73b254504d0f0f1246e34cce1fb5bd65c35
          Files :

          • core/src/main/java/jenkins/security/DefaultConfidentialStore.java
          • changelog.html
          Show
          dogfood dogfood added a comment - Integrated in jenkins_main_trunk #3989 [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue. (Revision 16afb73b254504d0f0f1246e34cce1fb5bd65c35) Result = SUCCESS jesse glick : 16afb73b254504d0f0f1246e34cce1fb5bd65c35 Files : core/src/main/java/jenkins/security/DefaultConfidentialStore.java changelog.html
          Hide
          dogfood dogfood added a comment -

          Integrated in jenkins_main_trunk #4292
          [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue. (Revision 5ded56a8288dfcfb9e389ea85edc13cf49981a2a)

          Result = UNSTABLE
          ogondza : 5ded56a8288dfcfb9e389ea85edc13cf49981a2a
          Files :

          • core/src/main/java/jenkins/security/DefaultConfidentialStore.java
          Show
          dogfood dogfood added a comment - Integrated in jenkins_main_trunk #4292 [FIXED JENKINS-25937] Treat BadPaddingException as an unloadable key and continue. (Revision 5ded56a8288dfcfb9e389ea85edc13cf49981a2a) Result = UNSTABLE ogondza : 5ded56a8288dfcfb9e389ea85edc13cf49981a2a Files : core/src/main/java/jenkins/security/DefaultConfidentialStore.java

            People

            • Assignee:
              jglick Jesse Glick
              Reporter:
              jglick Jesse Glick
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: