Generating with input of multiple of 32 bytes causing .verify to fail with padding error.. #23
Comments
Which implementation are you describing? This repo covers the specification itself.
Not sure what you mean. We’re using the Elixir Fernetex library.
On a .generate when passing in an input that is a length evenly divided by 32, say 160 bytes, the token is created, but when the same token is later passed into .verify, it generates a padding error.
Actually, depending on the input string, it might fail then.
But heck, just doing this causes an issue..
iex(1)> s = "hello"
"hello"
iex(2)> secret = "fJXYWeIEcXMO3tLDheFVezM5QWBVFvkymG80n0Rluqs"
"fJXYWeIEcXMO3tLDheFVezM5QWBVFvkymG80n0Rluqs"
iex(3)> Fernet.generate(s, key: secret)
** (ArgumentError) incorrect padding
(elixir) lib/base.ex:1104: Base.do_decode64url/2
(fernetex) lib/fernetex.ex:191: Fernet.generate/4
{:fernetex, 'fernetex', '0.3.0'},
The issue we encountered was that we were parsing in a string comprised of JSON, which worked fine until the actual length of that payload hit 160 bytes on the dot. It would generate the token, but it would fail to verify with a “padding error”. We then added a single space to the end of that, and it worked end to end.
Sorry, last example I miscopied the secret..
Here’s the issue..
iex(1)> secret = "fJXYWeIEcXMO3tLDheFVezM5QWBVFvkymG80n0Rluqs="
"fJXYWeIEcXMO3tLDheFVezM5QWBVFvkymG80n0Rluqs="
iex(2)> s = "abc"
"abc"
iex(3)> {:ok, _iv, t} = Fernet.generate(s, key: secret)
{:ok,
<<171, 20, 174, 159, 83, 157, 204, 91, 237, 149, 121, 205, 255, 101, 152, 241>>,
"gAAAAABbMo1mqxSun1OdzFvtlXnN_2WY8TlATVJvCKC6oPuO_kzHnLSC3YN6uj0b-a0DBzBQYfWmaxdUb28p3-RyFOLV8gBwPQ=="}
iex(4)> t
"gAAAAABbMo1mqxSun1OdzFvtlXnN_2WY8TlATVJvCKC6oPuO_kzHnLSC3YN6uj0b-a0DBzBQYfWmaxdUb28p3-RyFOLV8gBwPQ=="
iex(5)> Fernet.verify(t, key: secret)
{:ok, "abc"}
iex(6)> s = String.pad_trailing("hello", 32)
"hello                           "
iex(7)> {:ok, _iv, t} = Fernet.generate(s, key: secret)
{:ok,
<<4, 195, 63, 250, 139, 163, 64, 222, 249, 190, 47, 118, 19, 79, 199, 13>>,
"gAAAAABbMo2BBMM_-oujQN75vi92E0_HDf-TWTLLZYX6S3sqDyJh4QL9Qqi4oPP47mEcc5OBQ2qUmqJfJVmt1UBuRBK096V8Rp5M-f-sjS79HKJedlg9Ay4="}
iex(8)> Fernet.verify(t, key: secret)
{:error, "padding error"}
This sounds like a bug with the Fernetex library, and you should file it in their bug tracker, not a bug with the spec.
And you are correct, I'm not entirely certain how we ended up filing it
under the spec. That was not our intent.
I believe this was fixed in kennyp/fernetex#8. Thanks for reaching out over there!
We found this issue when encoding a string that happened to be exactly 160 bytes in length.
The token generates, but upon .verify, it fails with a padding error.
Our guess is it would fail on any coded input that happened to have a length that is a multiple of 32 bytes.
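A length sweep that tests the guess above, as an added example that is not part of the thread or of the Fernetex project: it round-trips payloads of 1 to 256 bytes through the `Fernet.generate` and `Fernet.verify` calls shown in the iex session and reports every length that does not come back intact. The module name `RoundTripSweep` and the 1..256 range are assumptions, and the fernetex package is assumed to be loaded.

```elixir
# Added example: not from the thread or from the Fernetex project.
# Assumes fernetex is loaded and that Fernet.generate/2 and Fernet.verify/2
# return the tuples shown in the reporter's iex session.
defmodule RoundTripSweep do
  # Key copied from the reporter's session; it is public, so use it for tests only.
  @key "fJXYWeIEcXMO3tLDheFVezM5QWBVFvkymG80n0Rluqs="

  # Returns [{length, reason}] for every payload length that fails to round-trip.
  def failures(lengths \\ 1..256) do
    lengths
    |> Enum.map(fn len -> {len, round_trip(String.duplicate("a", len))} end)
    |> Enum.reject(fn {_len, result} -> result == :ok end)
  end

  # Generates a token and verifies it immediately with the same key.
  defp round_trip(plaintext) do
    with {:ok, _iv, token} <- Fernet.generate(plaintext, key: @key),
         {:ok, ^plaintext} <- Fernet.verify(token, key: @key) do
      :ok
    else
      # Verified, but the recovered plaintext differs from the input.
      {:ok, other} -> {:mismatch, other}
      # For example {:error, "padding error"} as in the session above.
      {:error, reason} -> {:error, reason}
      other -> {:unexpected, other}
    end
  rescue
    # Raised errors (such as the ArgumentError in the first session) are recorded too.
    e -> {:raised, Exception.message(e)}
  end
end

failures = RoundTripSweep.failures()
IO.inspect(failures, label: "lengths that fail to round-trip")

# Checks the reporter's guess that only multiples of 32 bytes are affected.
only_mult_32 = Enum.all?(failures, fn {len, _reason} -> rem(len, 32) == 0 end)
IO.inspect(only_mult_32, label: "every failing length is a multiple of 32")
```

An empty list means every length round-trips; a sweep like this also serves as a regression test after upgrading the library.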