Hi Michael

Some facts you need to know.

The master password is used to encrypt the geoserver keystore located in
<GEOSERVER_DATA_DIR>/security/geoserver.jceks

This keystore contains an entry with the key used for the encryption of DB
passwords.

You need the master password to open the keystore, then you have to fetch
the key for DB password encryption and finally you can decrypt the DB
password.
To decrypt the password on the client you have to store this password on
the client, which is quite insecure.

Be warned, each GeoServer installation has its individual key for DB
password encryption.

Hope this helps

Cheers
Christian


On Tue, Oct 23, 2018 at 12:40 PM <michael.haer...@t-systems.com> wrote:

> Hello List,
>
> even though I am not a GeoServer core developer myself, I think that my
> questions can best be answered by people who are involved in the geoserver
> development.
>
> I try to reverse the encryption mechanism of the passwords for the DB
> connections that are returned via the REST API. I know the master password
> and therefore expected to be able to decrypt these strings, for example
> with the tool here: https://8gwifi.org/pbe.jsp
>
> The strings are:
>
> “crypt2:rvaPmI1USC4jaiPVJlFSWZ8mFHPh9jyMAU9jGfB1ABI=” (Strong PBE)
>
> “crypt1:E1kAaW4HURBcJLDIRahhi3DBBov7r+DG” (Weak PBE)
>
> As far as I understood for weak PBE the algorithm is “PBEWITHMD5ANDDES”
> and for strong PBE it's "PBEWITHSHA256AND128BITAES-CBC-BC".
>
> But no matter what I try, I seem to miss one step because the services and
> my programming attempts always give me errors. What are the involved steps
> in order to retrieve the plain text password from the string above? The
> string itself obviously can’t serve as an input directly and I only have a
> rough understanding of encryption in general. As far as I understood, I
> only need the master password or did I miss an important part about the
> salt?
>
> Is there any example code available to decrypt the password? I looked into
> the source code of the GeoServer and came up with this:
>
> import java.nio.ByteBuffer;
> import java.nio.CharBuffer;
> import java.nio.charset.Charset;
> import java.util.Base64;
> import org.jasypt.encryption.pbe.StandardPBEByteEncryptor;
> import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
>
> // PBE password used for key derivation (here the master password, no trailing space)
> byte[] encPasswordBytes = "<plaintextMasterPassword>".getBytes();
> Charset charset = Charset.forName("UTF-8");
> String encPasswordString = new String(encPasswordBytes, charset);
> char[] encPasswordChararray = encPasswordString.toCharArray();
>
> // string encryptor: accepts and returns Base64 text itself
> StandardPBEStringEncryptor stringEncrypter = new StandardPBEStringEncryptor();
> stringEncrypter.setPasswordCharArray(encPasswordChararray);
> stringEncrypter.setAlgorithm("PBEWITHMD5ANDDES");
>
> // byte encryptor: expects the raw ciphertext bytes, not Base64 text
> StandardPBEByteEncryptor byteEncrypter = new StandardPBEByteEncryptor();
> byteEncrypter.setPasswordCharArray(encPasswordChararray);
> byteEncrypter.setAlgorithm("PBEWITHMD5ANDDES");
>
> // the part after the "crypt1:" prefix is Base64, so decode it before decrypting
> byte[] encPasswordOrig = "E1kAaW4HURBcJLDIRahhi3DBBov7r+DG".getBytes(charset);
> byte[] decodedPasswordBytes = Base64.getDecoder().decode(encPasswordOrig);
> byte[] decryptedPasswordBytes = byteEncrypter.decrypt(decodedPasswordBytes);
>
> CharBuffer buff = charset.decode(ByteBuffer.wrap(decryptedPasswordBytes));
> char[] tmp = new char[buff.limit()];
> buff.get(tmp);
> System.out.println("decrypt:" + new String(tmp));
>
> I tried to stick to the example from SecurityUtils.java and
> GeoServerPBEPasswordEncoder.java but I always get a response that complains
> about the last block incomplete in decryption or an incorrect padding.
>
> Can anybody help?
>
> Thank you very much,
>
> Michael
>
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>


-- 
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
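As an added illustration of the three steps Christian describes (not code from this thread or from GeoServer itself): unlock geoserver.jceks with the master password, read the per-installation config password key, and hand that key, rather than the master password, to jasypt. The keystore alias and the use of the master password as the entry password are assumptions about GeoServer's KeyStoreProviderImpl; the crypt2 algorithm needs the Bouncy Castle provider.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;

public class GeoServerDbPasswordDecryptor {

    // Alias of the config password key in geoserver.jceks (assumption: the
    // CONFIGPASSWORDKEY constant of GeoServer's KeyStoreProviderImpl).
    static final String CONFIG_PASSWORD_KEY_ALIAS = "config:password:key";

    /** Steps 1 and 2: open the keystore with the master password and fetch the DB-password key. */
    static char[] loadConfigPasswordKey(String keystorePath, char[] masterPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, masterPassword);
        }
        // Assumption: the entry is protected with the same master password.
        Key key = ks.getKey(CONFIG_PASSWORD_KEY_ALIAS, masterPassword);
        if (key == null) {
            throw new IllegalStateException("keystore has no entry " + CONFIG_PASSWORD_KEY_ALIAS);
        }
        // The key bytes are a per-installation random password; jasypt derives the
        // DES/AES key from these, not from the master password.
        return new String(key.getEncoded(), StandardCharsets.UTF_8).toCharArray();
    }

    /** Step 3: decrypt a "crypt1:" (weak) or "crypt2:" (strong) value from the GeoServer config. */
    static String decryptDbPassword(String stored, char[] configPasswordKey) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPasswordCharArray(configPasswordKey);
        if (stored.startsWith("crypt1:")) {
            enc.setAlgorithm("PBEWITHMD5ANDDES");
        } else if (stored.startsWith("crypt2:")) {
            enc.setAlgorithm("PBEWITHSHA256AND128BITAES-CBC-BC");
            enc.setProvider(new BouncyCastleProvider()); // the "-BC" suffix means Bouncy Castle
        } else {
            throw new IllegalArgumentException("not a GeoServer PBE value: " + stored);
        }
        // Strip the prefix; jasypt Base64-decodes the rest and reads the salt from it.
        return enc.decrypt(stored.substring(stored.indexOf(':') + 1));
    }
}
```

Called with the data directory path, the master password and the stored value, the two methods together yield the plain text; zero the returned char array after use, since it is the installation-wide key for every stored DB password.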