Skip to content

GUACAMOLE-1286: Add support for providing a custom IV.#1153

Open
necouchman wants to merge 1 commit into
apache:mainfrom
necouchman:jira/1286
Open

GUACAMOLE-1286: Add support for providing a custom IV.#1153
necouchman wants to merge 1 commit into
apache:mainfrom
necouchman:jira/1286

Conversation

@necouchman

Copy link
Copy Markdown
Contributor

Based on another situation that I've run into where I need to be able to provide an IV for the crypto module, I've tweaked the code for the JSON extension slightly to allow this value to be passed in as a query parameter along with the encrypted and signed JSON data. I've no idea if this is actually safe or not (from what I've read it seems that passing the IV in the open with the encrypted data is okay?), and am opening as a draft since I haven't even tested it, yet.

@necouchman
necouchman marked this pull request as ready for review January 31, 2026 19:54

@eugen-keeper eugen-keeper left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please consider updating the README to document the new behavior extensions\guacamole-auth-json\doc\README.md

// part of the request, use that, instead.
IvParameterSpec iv = NULL_IV;
if (ivStr != null && !ivStr.isEmpty()) {
byte[] ivBytes = BaseEncoding.base64().decode(ivStr);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can throw IllegalArgumentException for malformed ivStr base64, but that exception is not handled here. It propagates to UserDataService.fromCredentials(), where the existing catch (IllegalArgumentException) logs Submitted data is not proper base64, which is misleading when only iv is invalid. Maybe consider catching IllegalArgumentException here and rethrowing as GuacamoleServerException("Invalid IV provided.").

* Decrypts the given ciphertext using the provided key, returning the
* resulting plaintext. If any error occurs during decryption at all, a
* GuacamoleException is thrown. The IV used for the decryption process is
* a null IV (all binary zeroes).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The method now accepts an optional ivStr parameter for a custom IV. Please consider updating the Javadoc to reflect the new behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants