Lack of support for tokens over 2500 characters

[jeremyjpaws]

Issue

There is a lack of support for wincred tokens over 2500 characters.

If more than 2500 characters are used, issues and errors such as "The stub received bad data" may occur when trying to authenticate against a container repository. See the related issues at (1,2,3).

Note that this maybe not quite a wincred bug directly, but a result of a limitation in the underlying Windows API and its credential store; however I am not sure in this.

References:

1. Docker login fails returning "The stub received bad data" on Windows when using awscli v2.  aws/aws-cli#5636
2. Windows credential helper doesn't support passwords greater than 2,500 characters in length docker/docker-credential-helpers#190
3. az acr login failure Azure/azure-cli#4843

[danieljoos]

Hi,

thanks for reporting this issue.
I'll have a look immediately.

Cheers,
Daniel

[danieljoos]

Alright, this seems to be a limitation of the Windows API.
The CRED_MAX_CREDENTIAL_BLOB_SIZE is 5 * 512 = 2560 Bytes. I haven't found any way to work around this limit.
I tried to add a credential with more (~5k Bytes) in C++ and it failed with exactly the same error there, too.

The Windows API docs doesn't really mention it (or is wrong in this regards):
https://docs.microsoft.com/en-us/windows/win32/api/wincred/ns-wincred-credentiala
(See "CredentialBlobSize").

However, just printing out the value of CRED_MAX_CREDENTIAL_BLOB_SIZE in C++ revealed the 2560 Bytes limit.
This is also the same value used in several other wrapper-projects, e.g. this one for Rust: https://bryal.github.io/d3d11-rs/winapi/wincred/constant.CRED_MAX_CREDENTIAL_BLOB_SIZE.html

[nick4fake]

@danieljoos
-- I haven't found any way to work around this limit.
Possible workaround is using multiple credentials to store it

[danieljoos]

A hint has been added to the README. Closing this issue.