[Mono-bugs] [Bug 538406] New: Bad PKCS7 padding exception is thrown when trying to login or recover password under ASP.NET using encrypted passwords and AspSQLProvider.

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Fri Sep 11 10:06:29 EDT 2009


           Summary: Bad PKCS7 padding exception is thrown when trying to
                    login or recover password under ASP.NET using
                    encrypted passwords and AspSQLProvider.
    Classification: Mono
           Product: Mono: Class Libraries
           Version: 2.4.x
          Platform: i686
        OS/Version: Linux
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Mono.Security
        AssignedTo: spouliot at novell.com
        ReportedBy: piotr.walat at gmail.com
         QAContact: mono-bugs at lists.ximian.com
          Found By: ---

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:
Gecko/20090813 Gentoo Firefox/3.5.2

When using Nauckit Postgresql membership provider for asp.net
(http://dev.nauck-it.de/aspsqlprovider/) with passwordFormat set to "Encrypted"
whenever you try to login or recover password you get:
System.Security.Cryptography.CryptographicException: Bad PKCS7 padding. Invalid
length XXX.

The accounts and passwords can be created and inserted into db without
problems. Same setup under MS.NET works fine. I've tried multiple encryption
keys (generated by code shown here: http://support.microsoft.com/kb/312906,
both on ms.net and mono compiled version of generation tool) with no success.

Reproducible: Always

Steps to Reproduce:
1.Create a new ASP.NET MVC (or ASP.NET WebForms) application
2.Download aspsqlprovider (http://dev.nauck-it.de/aspsqlprovider)
3.Configure web.config for aspsqlprovider: add connection string (pgsql),
configure providers (http://dev.nauck-it.de/aspsqlprovider/wiki/Configuration).
Make sure following properties of provider are set:
enablePasswordRetrieval="true" requiresQuestionAndAnswer="false"
4.Create database with a proper sql schema (script available in aspsqlprovider
5.In Global.asax 's Application_Start method add the  following code:
            const string adminRoleName = "su";
            const string adminUserName = "su";
            const string adminPassword = "test123";

            if (!Roles.RoleExists(adminRoleName))

            if (Membership.GetUser(adminUserName) == null)
                Membership.CreateUser(adminUserName, adminPassword,
"fake at fake.fake.fake.info");

            if (!Roles.IsUserInRole(adminUserName, adminRoleName))
                Roles.AddUserToRole(adminUserName, adminRoleName);

this will ensure a proper user is created on app start

6. In your HomeController add a new action (under webforms add simmilar logic
to Page_Load in Default.aspx.cs):

public ContentResult Pass()
            ContentResult cr = new ContentResult();
            MembershipUser user = Membership.GetUser("su");
            string password=Membership.Provider.GetPassword("su","");
                cr.Content+="empty pass";
            return cr;            

7. Navigate to http://yourapplication/Home/Pass to execute password retreival
Actual Results:  
An exception is raised or "empty password" string is displayed

Expected Results:  
A user's (su) password (test123) should be displayed

Sample keypair:

Sample credentials:
username: su
pass: test123

encrypted password stored in database (Password column):

stack trace:
System.Security.Cryptography.CryptographicException: Bad PKCS7 padding. Invalid
length 19.
at Mono.Security.Cryptography.SymmetricTransform.ThrowBadPaddingException
(System.Security.Cryptography.PaddingMode,int,int) [0x0005c] in
at Mono.Security.Cryptography.SymmetricTransform.FinalDecrypt (byte[],int,int)
[0x001a3] in
at Mono.Security.Cryptography.SymmetricTransform.TransformFinalBlock
(byte[],int,int) [0x00034] in
at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock
(byte[],int,int) [0x00000] in
at System.Web.Security.MembershipProvider.DecryptPassword (byte[]) [0x00017] in
at NauckIT.PostgreSQLProvider.PgMembershipProvider.UnEncodePassword (string)
[0x00025] in
at NauckIT.PostgreSQLProvider.PgMembershipProvider.GetPassword (string,string)
[0x00159] in

Using different password: testpass didnt generate aforementioned exception, but
resulted in GetPassword() method returning null or empty string

Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

More information about the mono-bugs mailing list