Reputation: 49
We have a Pivotal Cloud Foundry server which is configured with a Spring config server with the encryption key. In the corresponding properties file (via GitHub), we have {cipher} prefixed for some simple properties and we are able to get the values just fine in the application. But the challenge we noticed recently is that when we have base64 data that needs to be encrypted, the Spring encryption is truncating the trailing equals sign at the end of the base64 data. And when our application reads this data, it's failing to parse it since it's not valid base64, as its padding character (the equals sign) at the end is missing. We tried escaping the equals sign with a backslash but still no luck. We are just seeing two backslashes, so wondering if there are any suggestions to nail this issue. Thanks!
Upvotes: 2
Views: 2428
Reputation: 62555
You can avoid the problems caused by curl by using httpie:

Encrypt:

```
echo -n cleartext | http https://config-server.com/encrypt
```

Decrypt:

```
echo -n ciphertext | http https://config-server.com/decrypt
```
Upvotes: 0
Reputation: 15041
The issue here, as far as I can tell, appears to be with the usage of curl. I'm able to replicate the problem you're seeing by running:

```
spring decrypt --key @${HOME}/server_rsa_no_eol.key "$(curl -H "Authorization: $(cf oauth-token)" https://config-server.example.com/encrypt -s -d 'VGVzdC0=')"
```

This uses curl to hit the encrypt endpoint and takes the result and immediately decrypts it with `spring decrypt`. As you've indicated, this returns `VGVzdC0`.

It seems like this is a curl issue because I can make the same post to https://httpbin.org/post and I get the same result, `VGVzdC0` without the `=`.
```
$ curl https://httpbin.org/post --data 'VGVzdC0='
{
  ...
  "form": {
    "VGVzdC0": ""
  },
  ...
```
What works is if I URL-encode the `=` character.
```
$ curl https://httpbin.org/post --data 'VGVzdC0%3D'
{
  ...
  "form": {
    "VGVzdC0=": ""
  },
  ...
```
You can also make curl do the URL encoding by using `--data-urlencode`, but there's a catch. You must prefix the value with a `=`. So this also works:
```
$ curl https://httpbin.org/post --data-urlencode '=VGVzdC0='
{
  "args": {},
  "data": "",
  "files": {},
  "form": {
    "VGVzdC0=": ""
  },
  ...
```
From the curl man page:

```
--data-urlencode <data>
    (HTTP) This posts data, similar to the other -d, --data options with the exception that this performs URL-encoding.

    To be CGI-compliant, the <data> part should begin with a name followed by a separator and a content specification. The <data> part can be passed to curl using one of the following syntaxes:

    content
        This will make curl URL-encode the content and pass that on. Just be careful so that the content doesn't contain any = or @ symbols, as that will then make the syntax match one of the other cases below!

    =content
        This will make curl URL-encode the content and pass that on. The preceding = symbol is not included in the data.
```
The key is the last part, `=content`. That will make curl URL-encode the content, and the prefixed `=` is not included.

If I repeat my test above, I get the expected result `VGVzdC0=`.
```
spring decrypt --key @${HOME}/server_rsa_no_eol.key "$(curl -H "Authorization: $(cf oauth-token)" https://config-server.example.com/encrypt -s --data-urlencode '=VGVzdC0=')"
```
As an aside, you can also take the easy option and install the Spring Boot CLI + the Spring Cloud extension. Then you can just run `spring encrypt --key @${HOME}/server_rsa_no_eol.key 'VGVzdC0='` and you'll get the right values. That does mean you need a copy of the key on your local machine though, which you may or may not have.

```
brew install springboot
spring install org.springframework.cloud:spring-cloud-cli:2.2.1.RELEASE
```
Upvotes: 3
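The mechanism behind the accepted answer is form parsing, not encryption: `curl -d` sends `application/x-www-form-urlencoded`, where a bare `=` is the key/value separator, so the server sees `VGVzdC0` as a field name and the padding character is lost. The following is an added example, not code from the question or the answers, that reproduces that behaviour offline with Python's `urllib.parse` instead of httpbin, shows why the backslash escape from the question cannot help, and checks the result with the strict base64 validation an application would apply. The sample value `VGVzdC0=` is the one from the answer; the function names are assumptions made for this example.

```python
"""Why a trailing '=' disappears when a base64 value is POSTed as form data,
and how percent-encoding it (curl --data-urlencode '=VALUE') fixes it.

Added example, not part of the original question or answers. It mirrors the
httpbin "form" output shown in the answer, but offline, so no config server
or network access is needed.
"""
import base64
import binascii
from urllib.parse import parse_qs, quote

# Constructed sample: base64 of the bytes b"Test-", which needs one pad char.
SAMPLE_B64 = base64.b64encode(b"Test-").decode()  # "VGVzdC0="


def form_body_as_server_sees(body: str) -> str:
    """Parse a request body the way an application/x-www-form-urlencoded
    endpoint does (the content type curl -d sends by default) and return the
    text the server ends up treating as the submitted value.

    A bare '=' is the key/value separator, so 'VGVzdC0=' arrives as the key
    'VGVzdC0' with an empty value: the padding is gone before any encryption
    happens. A backslash is an ordinary character here, not an escape, which
    is why 'VGVzdC0\\=' simply yields 'VGVzdC0\\'."""
    fields = parse_qs(body, keep_blank_values=True)
    # Mirror the httpbin output from the answer: the (first) field name.
    return next(iter(fields))


def encode_form_value(value: str) -> str:
    """Percent-encode a value so that '=' survives form parsing.

    'VGVzdC0=' becomes 'VGVzdC0%3D', which is exactly what curl puts on the
    wire for --data-urlencode '=VGVzdC0=' (the leading '=' is stripped)."""
    return quote(value, safe="")


def is_valid_base64(value: str) -> bool:
    """Strict check the receiving application performs on the decrypted value.

    validate=True rejects characters outside the base64 alphabet, and a
    missing pad character raises binascii.Error ("Incorrect padding")."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except binascii.Error:
        return False


if __name__ == "__main__":
    raw = form_body_as_server_sees(SAMPLE_B64)
    fixed = form_body_as_server_sees(encode_form_value(SAMPLE_B64))
    print(f"sent {SAMPLE_B64!r} as -d      -> server sees {raw!r}, "
          f"valid base64: {is_valid_base64(raw)}")
    print(f"sent {encode_form_value(SAMPLE_B64)!r} urlencoded -> server sees "
          f"{fixed!r}, valid base64: {is_valid_base64(fixed)}")
```

The round trip `form_body_as_server_sees(encode_form_value(v))` returns `v` unchanged for any value, so percent-encoding the body (or using a client that sends a raw text body, as the httpie answer does) is the general fix; escaping with a backslash only adds a literal backslash to the stored value, which matches the "two backslashes" the question reports after encryption and decryption.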