Validate password parameter after deserialization

silk-core/src/main/scala/org/silkframework/runtime/plugin/ParameterType.scala

@@ -18,6 +18,7 @@ import java.util.logging.{Level, Logger}
 import javax.crypto.SecretKey
 import scala.language.existentials
 import scala.reflect.ClassTag
+import scala.util.control.NonFatal
 import scala.util.{Failure, Success, Try}
 
 /** Represents a plugin parameter type and provides serialization. */
@@ -663,7 +664,7 @@ object StringParameterType {
   }
 
   object PasswordParameterType extends StringParameterType[PasswordParameter] {
-    // This preamble should be added to all serializations to mark the string as a encrypted password, else it will be interpreted as plain
+    // This preamble should be added to all serializations to mark the string as an encrypted password, else it will be interpreted as plain
     final val PREAMBLE = "PASSWORD_PARAMETER:"
     final val CONFIG_KEY = "plugin.parameters.password.crypt.key"
 
@@ -698,7 +699,10 @@ object StringParameterType {
       val encryptedPassword = if (str == null || str == "") {
         str // Handle empty string as empty password and vice versa
       } else if (str.startsWith(PREAMBLE)) {
-        str.stripPrefix(PREAMBLE)
+        val encryptedPassword = str.stripPrefix(PREAMBLE)
+        // Test that it can be decrypted
+        PasswordParameter.decrypt(encryptedPassword)
+        encryptedPassword
       } else {
         AesCrypto.encrypt(key, str)
       }

silk-core/src/main/scala/org/silkframework/runtime/plugin/types/PasswordParameter.scala

@@ -15,7 +15,6 @@ import javax.crypto.BadPaddingException
   * @param encryptedValue The AES encrypted Base64-encoded password
   */
 case class PasswordParameter(encryptedValue: String) {
-  private val log: Logger = Logger.getLogger(getClass.getName)
 
   override def toString: String = if(encryptedValue == null || encryptedValue == "") {
     encryptedValue // Handle empty string as empty password and vice versa
@@ -24,20 +23,7 @@ case class PasswordParameter(encryptedValue: String) {
   }
 
   def decryptedString: String = {
-    if(encryptedValue == null || encryptedValue == "") {
-      encryptedValue // Handle empty string as empty password and vice versa
-    } else {
-      try {
-        AesCrypto.decrypt(PasswordParameterType.key, encryptedValue)
-      } catch {
-        case ex: InvalidKeyException =>
-          throw AbortExecutionException(s"The password parameter encryption key is invalid. Value for " +
-              s"${PasswordParameterType.CONFIG_KEY} needs to be a character string of length 16.", cause = Some(ex))
-        case _: BadPaddingException =>
-          throw AbortExecutionException(s"Password parameter value could not be decrypted. If the value for config key ${PasswordParameterType.CONFIG_KEY} has been changed, " +
-              s"all passwords for the operator need to be re-entered.")
-      }
-    }
+    PasswordParameter.decrypt(encryptedValue)
   }
 }
 
@@ -51,4 +37,20 @@ object PasswordParameter {
     )
   }
 
+  def decrypt(encryptedValue: String): String = {
+    if(encryptedValue == null || encryptedValue == "") {
+      encryptedValue // Handle empty string as empty password and vice versa
+    } else {
+      try {
+        AesCrypto.decrypt(PasswordParameterType.key, encryptedValue)
+      } catch {
+        case ex: InvalidKeyException =>
+          throw AbortExecutionException(s"The password parameter encryption key is invalid. Value for " +
+            s"${PasswordParameterType.CONFIG_KEY} needs to be a character string of length 16.", cause = Some(ex))
+        case _: BadPaddingException =>
+          throw AbortExecutionException(s"Password parameter value could not be decrypted. If the value for config key ${PasswordParameterType.CONFIG_KEY} has been changed, " +
+            s"all passwords for the operator need to be re-entered.")
+      }
+    }
+  }
 }