Length for tailf:aes-cfb-128-encrypted-string type

I’m trying to add the length directive to the type tailf:aes-cfb-128-encrypted-string.
Seems like the leaf ignores the length.

leaf key {
    type tailf:aes-cfb-128-encrypted-string {
        length "8..12";
    }
}

When I commit a string with a length lower than 8, the commit succeeds.

I saw this in the man 3 confd_types:

tailf:aes-cfb-128-encrypted-string
       The aes-cfb-128-encrypted-string works exactly like des3-cbc-encrypted-string but AES/128bits in CFB mode is used to encrypt the string. The prefix for encrypted values is "$8$".

           Note
           The pattern restriction can not be used with this type.

There’s nothing written about the length restriction.

Am I doing something wrong?
Thanks.

The length restriction in the above YANG statements applies to the encrypted form of the leaf value including the prefix with the enclosed ‘$’ signs. The ciphertext can be significantly longer than the cleartext due to the padding to make it a multiple of 16 bytes prior to encryption and the encryption itself followed by base64 encoding. What you can do in this case is to restrict the length of this encrypted string data type in cleartext format using a validation callpoint.

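As an added illustration (not from the original posts or from ConfD's own examples), the YANG side of the validation callpoint suggested in the answer could look like the module below. The module name, namespace, container and validation point name `key-cleartext-len` are hypothetical, and the callback that decrypts the value and enforces 8..12 cleartext characters is assumed to be registered by a separate daemon.

```yang
module example-key {
  // Hypothetical namespace and prefix, for illustration only.
  namespace "http://example.com/ns/example-key";
  prefix exk;

  import tailf-common {
    prefix tailf;
  }

  container credentials {            // hypothetical container
    leaf key {
      // No "length" substatement here: per the answer above, it would
      // constrain the stored "$8$..." ciphertext string, not the
      // cleartext the operator typed.
      type tailf:aes-cfb-128-encrypted-string;

      // Validation point (hypothetical name). The daemon registered
      // for it is assumed to decrypt the new value and reject the
      // commit unless the cleartext is 8..12 characters long.
      tailf:validate key-cleartext-len {
        // Re-run the validation only when this leaf itself changes.
        tailf:dependency ".";
      }
    }
  }
}
```

The rejection message shown to the operator comes from the callback, so it should state the allowed cleartext range without echoing the decrypted value.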