Hello Christian, thank you for your response but that was the info I was already aware of. I know the master password (I am the admin of that geoserver) but I believe that the string I need to pass to the decryption is not exactly the string that is returned in API response. Other pages state that the string is either a 64 character string or a 44 character string if it is base64 encoded. The string in the API response has 44 characters so I decoded the string with base64decode and tried to decrypt the resulting decoded string but it didn’t work either.
I always get a “javax.crypto.IllegalBlockSizeException: last block incomplete in decryption”, no matter if I use crypt1: string with PBEWITHMD5ANDDES or crypt2 string with PBEWITHSHA256AND128BITAES-CBC-BC (I remove the prefix of course when passing the string). I hope anyone can give me a piece of code or advice what I do wrong. Regards, Michael Von: Christian Mueller <christian.muel...@os-solutions.at> Gesendet: Mittwoch, 24. Oktober 2018 08:41 An: Härtel, Michael <michael.haer...@t-systems.com> Cc: geoserver-devel <geoserver-devel@lists.sourceforge.net> Betreff: Re: [Geoserver-devel] Decrypting passwords given in REST response Hi Michael Some facts you need to know. The master password is used to encrypt the geoserver keystore located in <GEOSERVER_DATA_DIR>/security/geoserver.jceks This keystore contains an entry with the key used for the encryption of DB passwords. You need the master password to open the keystore, then you have to fetch the key for DB password encryption and finally you can decrypt the DB password. To decrypt the password on the client you have to store this password on the client, which is quite insecure. Be warned, each GeoServer installation has its individual key for DB password encryption. Hope this helps Cheers Christian On Tue, Oct 23, 2018 at 12:40 PM <michael.haer...@t-systems.com<mailto:michael.haer...@t-systems.com>> wrote: Hello List, even though I am not a GeoServer core developer myself, I think that my questions can best be answered by people who are involved in the geoserver development. I try to reverse the encryption mechanism of the passwords for the DB connections that are returned via the REST API. I know the master password and therefore expected to be able to decrypt these strings, for example with the tool here: https://8gwifi.org/pbe.jsp The strings are: “crypt2:rvaPmI1USC4jaiPVJlFSWZ8mFHPh9jyMAU9jGfB1ABI=” (Strong PBE) “crypt1:E1kAaW4HURBcJLDIRahhi3DBBov7r+DG” (Weak PBE) As far as I understood for weak PBE the algorithm is “PBEWITHMD5ANDDES” and for strong PBR its "PBEWITHSHA256AND128BITAES-CBC-BC". But no matter what I try, I seem to miss one step because the services and my programming attempts always give me errors. What are the involves steps in order to retrieve the plain text password from the string above? The string itself obviously can’t serve as an input directly and I only have a rough understanding of encryption in general. As far as I understood, I only need the master password or did I miss an important part about the salt? Is there any example code available to decrypt the password? I looked into the source code of the GeoServer and came up with this: byte[] encPasswordBytes = "<plaintextMasterPassword> ".getBytes(); Charset charset = Charset.forName("UTF-8"); String encPasswordString = new String(encPasswordBytes, charset); char[] encPasswordChararray = encPasswordString.toCharArray(); StandardPBEStringEncryptor stringEncrypter = new StandardPBEStringEncryptor(); stringEncrypter.setPasswordCharArray(encPasswordChararray); stringEncrypter.setAlgorithm("PBEWITHMD5ANDDES"); StandardPBEByteEncryptor byteEncrypter = new StandardPBEByteEncryptor(); byteEncrypter.setPasswordCharArray(encPasswordChararray); byteEncrypter.setAlgorithm("PBEWITHMD5ANDDES"); byte[] encPasswordOrig = "E1kAaW4HURBcJLDIRahhi3DBBov7r+DG".getBytes(charset); //byte[] decodedPasswordBytes = Base64.decode(encPasswordOrig); byte[] decryptedPasswordBytes = byteEncrypter.decrypt(encPasswordOrig); CharBuffer buff = charset.decode(ByteBuffer.wrap(decryptedPasswordBytes)); char[] tmp = new char[buff.limit()]; buff.get(tmp); System.out.println("decrypt:" + new String(tmp)); I tried to stick to the example from SecurityUtils.java and GeoServerPBEPasswordEncoder.java but I always get a response that complains about the last block incomplete in decryption or an incorrect padding. Can anybody help? Thank you very much, Michael _______________________________________________ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net<mailto:Geoserver-devel@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/geoserver-devel -- DI Christian Mueller MSc (GIS), MSc (IT-Security) OSS Open Source Solutions GmbH
_______________________________________________ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel