[Mono-list] Bad PKCS7 padding. Invalid length when using asp.net membership provider - a bug in mono?

Sebastien Pouliot sebastien.pouliot at gmail.com
Wed Sep 2 08:01:31 EDT 2009

Hello Piotr,

On Wed, 2009-09-02 at 01:04 -0700, Piotr Walat wrote:
> Thanks for your quick response Sebastien,
> Sebastien Pouliot-2 wrote:
> > 
> > 
> > Daniel Nauck told me about this bug - and I'm still waiting for answers
> > to some questions. AFAICT the fact that this works under Windows is the
> > reason it does not work on Mono. 
> > 
> > Basically the same key, data and storage are used on both (mono and
> > ms.net) but the (undocumented) algorithm itself is different. So you
> > can't mix and match ms.net and mono with the same (membership) data
> > source.
> > 
> Well, I am not sure if I got you right - even though encryption keys and
> data stored in database is the same both on mono and ms.net, due to
> difference in cipher algorithm implementations, application running under
> ms.net will not be able to decipher data encrypted under mono counterpart
> and vice versa?

Yep. In order to get compatible* with both Mono and MS.NET a provider
should override [Encrypt|Decrypt]Password with its own implementation.

        * e.g. having servers running simultaneously on both; or
                providing an update path for both ways

> In this particular scenario this is not the case, as aforementioned 'bug'
> manifests itself even when not switching to ms.net and running application
> under mono only. When registering new user the data seems to be written to
> the database in an encrypted form, but whenever you'd try to decrypt it (for
> example when trying to log in) you'd get this "Bad padding" exception. Or
> maybe I cannot use current cipher keys (they work on windows for sure) under
> mono? 

No they should be ok. Otherwise that would throw an exception earlier
(when setting the key)... unless that exception is hidden by some code.

> Is 'special' mono version of keypair (decryptionKey, validationKey)
> required? If so how can I generate it?

Never used it myself :) so how did you generate them?

Please open a bug report on http://bugzilla.novell.com and include:

a) how you generated the keys

b) sample keys (not production ones ;-)

c) sample of encrypted data (with the above key) that fails at
decryption time


> Sebastien Pouliot-2 wrote:
> > 
> >> Are there any plans to fix this bug anytime soon?
> > Not without a bug report and not without test cases (that exclude the
> > above case).
> > 
> Ok, am I free to fill in a bug (of course reading
> http://mono-project.com/Bugs first ;))?

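One way to act on the advice above about overriding `EncryptPassword`/`DecryptPassword`, shown as an added example that is not code from this thread or from Mono: an abstract base class whose password encryption is fully specified in the provider itself, so the stored bytes do not depend on which runtime wrote them. The names `PortableCryptoMembershipProvider` and `GetPasswordKey`, and the IV-prefixed layout, are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Security;
// Hypothetical base class; a concrete provider implements the other abstract members.
public abstract class PortableCryptoMembershipProvider : MembershipProvider
{
    const int IvSize = 16; // Rijndael default block size is 128 bits

    // Assumption: returns a 16-, 24- or 32-byte key that the application
    // stores and loads itself (independent of the machineKey settings).
    protected abstract byte[] GetPasswordKey();

    static SymmetricAlgorithm CreateCipher(byte[] key)
    {
        SymmetricAlgorithm aes = Rijndael.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = key;
        return aes;
    }

    // Stored layout: random IV (16 bytes) || CBC ciphertext with PKCS7 padding.
    protected override byte[] EncryptPassword(byte[] password)
    {
        using (SymmetricAlgorithm aes = CreateCipher(GetPasswordKey()))
        {
            aes.GenerateIV();
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(password, 0, password.Length);
                byte[] blob = new byte[IvSize + ct.Length];
                Buffer.BlockCopy(aes.IV, 0, blob, 0, IvSize);
                Buffer.BlockCopy(ct, 0, blob, IvSize, ct.Length);
                return blob;
            }
        }
    }

    protected override byte[] DecryptPassword(byte[] encodedPassword)
    {
        // Reject data that cannot be IV + whole cipher blocks before decrypting.
        if (encodedPassword == null || encodedPassword.Length < 2 * IvSize
            || encodedPassword.Length % IvSize != 0)
            throw new CryptographicException("Unexpected encrypted password length");
        byte[] iv = new byte[IvSize];
        Buffer.BlockCopy(encodedPassword, 0, iv, 0, IvSize);
        using (SymmetricAlgorithm aes = CreateCipher(GetPasswordKey()))
        using (ICryptoTransform dec = aes.CreateDecryptor(aes.Key, iv))
            return dec.TransformFinalBlock(encodedPassword, IvSize, encodedPassword.Length - IvSize);
    }
}
```

This layout gives confidentiality only; a provider that must detect tampering with stored values would add a MAC over the IV and ciphertext.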