More fixes for protected string comparison

Evolveum · Apr 11, 2019 · 25d4949 · 25d4949
1 parent ef0ef93
commit 25d4949
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/...mpl/src/main/java/com/evolveum/midpoint/prism/impl/crypto/KeyStoreBasedProtectorImpl.java b/...mpl/src/main/java/com/evolveum/midpoint/prism/impl/crypto/KeyStoreBasedProtectorImpl.java
@@ -702,7 +702,25 @@ private boolean areEquivalentEncrypted(ProtectedStringType a, ProtectedStringTyp
 		if (!Objects.equals(ae.getKeyInfo(), be.getKeyInfo())) {
 			return false;
 		}
-		return compareEncryptedCleartext(a, b);
+
+		if (Objects.equals(ae.getCipherData(), be.getCipherData())) {
+			return true;
+		}
+
+		try {
+
+			return compareEncryptedCleartext(a, b);
+
+		} catch (EncryptionException e) {
+			// We cannot decrypt one of the values. Therefore we do not really know whether they are
+			// the same or different. Re-throwing the exception here would stop all action. And,
+			// strictly speaking, that would be the right thing to do. But as this method is used
+			// in a low-level prism code, re-throwing this exception may stop all operations that
+			// could lead to fixing the error. Therefore just log the error, but otherwise pretend
+			// that the values are not equivalent. That is still OK with the interface contract.
+			LOGGER.warn("Cannot decrypt a value for comparison: "+e.getMessage(), e);
+			return false;
+		}
 	}