mikescrivo
0 Points
3 Posts
Unable to Validate data error after Patch
Oct 01, 2010 04:29 PM
After applying the patch to our QA machines, we started getting the following errors:
Unable to validate data.
at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo, Boolean signData)
at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo)
at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType)
Anyone have any idea what's going on here?
Thanks,
Michael
pitz
Member
54 Points
14 Posts
Re: Unable to Validate data error after Patch
Oct 01, 2010 06:26 PM
In what way does your application call the EncryptOrDecryptData() method? If the application directly calls the encryption routines and persistently stored the encrypted data somewhere (before the patches), then all of that encrypted data will fail to decrypt once the patches have been applied.
mikescrivo
0 Points
3 Posts
Re: Unable to Validate data error after Patch
Oct 01, 2010 06:51 PM
We have tests that perform the following:
    try
    {
        ticket = FormsAuthentication.Decrypt(cookie.Value);
    }
    catch (CryptographicException)
    {
        // Cookie exists, but can't be decrypted.
        return null;
    }

but it appears that CryptographicException is no longer thrown when it can't decrypt, so we had to add an extra catch:

    try
    {
        ticket = FormsAuthentication.Decrypt(cookie.Value);
    }
    catch (CryptographicException)
    {
        // Cookie exists, but can't be decrypted.
        return null;
    }
    catch (HttpException)
    {
        // Cookie exists but can't be decrypted.
        return null;
    }

seems to be working now.
pitz
Member
54 Points
14 Posts
Re: Unable to Validate data error after Patch
Oct 01, 2010 07:06 PM
Good. As the patch intended, the CryptographicException (which was part of the padding oracle) is now hidden, and whatever error is encountered in FormsAuthentication.Decrypt() is now thrown as an HttpException.
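Added example, not part of any post in this thread: a cookie-reading helper that behaves the same on patched and unpatched machines and gives the caller one indistinguishable result for every failure. The names TicketReader, TryReadTicket and LogFailure are hypothetical, and the ArgumentException, null and expiry checks go beyond what the thread discusses.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical helper: every failure path returns null, so the caller
// (and therefore the client) cannot tell one kind of failure from another.
public static class TicketReader
{
    public static FormsAuthenticationTicket TryReadTicket(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (CryptographicException ex)   // behaviour before the patch
        {
            LogFailure(ex);
            return null;
        }
        catch (HttpException ex)            // behaviour after the patch
        {
            LogFailure(ex);
            return null;
        }
        catch (ArgumentException ex)        // malformed or oversized cookie value
        {
            LogFailure(ex);
            return null;
        }

        // Defensive: treat a null or expired ticket like any other failure.
        if (ticket == null || ticket.Expired)
            return null;
        return ticket;
    }

    private static void LogFailure(Exception ex)
    {
        // Record the exception type server-side only; never echo it in the response.
        Trace.TraceWarning("Forms ticket rejected: {0}", ex.GetType().Name);
    }
}
```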