Skip to content

PasswordUtil.encode() misinterprets {algo} plaintext passwords as pre-encoded ciphertext #35243

Description

@una-tapa

Describe the bug

In encode(String, String, Map), getCryptoAlgorithm() returns a
non-null token for any string matching the {.*} pattern at the start.
The code then unconditionally attempted to decode the string before
re-encoding, without first checking whether the extracted token is
actually a valid crypto algorithm (xor, aes, hash, or custom).

[2026-06-19T14:41:30.307+0200] 00000054 SystemOut O [2026-06-19T14:41:30,307] [ERROR] d.f.d.c.o.w.WlpDataTreePasswordEncrypter - Unable to encrypt password for property type=[mailSession], parameter=[password], password (redacted) using encryptionKey gaypqCle8pirepDeNMJSYYvuwlH0W55RTwU1ioFA3ZtZ.
java.lang.NullPointerException: Cannot invoke "java.lang.String.trim()" because "decoded_string" is null
at com.ibm.websphere.crypto.PasswordUtil.encode(PasswordUtil.java:274)
at com.ibm.websphere.crypto.PasswordUtil.encode(PasswordUtil.java:228)
at de.fi.deployment.cfggenerator.operation.wlphelper.WlpDataTreePasswordEncrypter.doEncrypt(WlpDataTreePasswordEncrypter.java:127)

Steps to Reproduce

When trying to use
PasswordUtil.encode(secretToEncrypt, "aes", @Nullable encryptionKey);
Then the passwordUtil will silently return secretToEncrypt without throwing an exception if secretToEncrypt starts with {something}.
This is unexpected and highly problematic.
Actually it is based on an internal NPE within PasswordUtil:
(Error stack above)

Expected behavior
The encoding operation should complete successfully without generating an internal error.

Diagnostic information:

  • OpenLiberty Version: Any
  • Affected feature(s) [e.g. mpHealth-3.0] - PasswordUtilities-1.0, PasswordUtilities-2.0
  • Java Version:No specific version
  • server.xml configuration - includes PasswordUtilities-1.0 or PasswordUtilities-2.0 in its feature list.

Additional context
Add any other context about the problem here.

From our support team, Keith Jabcuga's created a standalone recreation program 6/19/2026
test/com/example/security/PasswordUtilSample.java
PasswordUtilSample.java

Metadata

Metadata

Assignees

Labels

release bugThis bug is present in a released version of Open Liberty

Type

Fields

No fields configured for Bug.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions