Did you compare the encoded password sent by the REST API and the encoded
password stored in the datastore.xml file?

Cheers

On Wed, Oct 24, 2018 at 10:36 AM <michael.haer...@t-systems.com> wrote:

> Hello Christian,
>
> thank you for your response but that was the info I was already aware of.
> I know the master password (I am the admin of that geoserver) but I believe
> that the string I need to pass to the decryption is not exactly the string
> that is returned in the API response. Other pages state that the string is
> either a 64 character string or a 44 character string if it is base64
> encoded. The string in the API response has 44 characters so I decoded the
> string with base64decode and tried to decrypt the resulting decoded string
> but it didn’t work either.
>
> I always get a “javax.crypto.IllegalBlockSizeException: last block
> incomplete in decryption”, no matter if I use the crypt1: string with
> PBEWITHMD5ANDDES or the crypt2: string with PBEWITHSHA256AND128BITAES-CBC-BC (I
> remove the prefix of course when passing the string).
>
> I hope anyone can give me a piece of code or advice on what I am doing wrong.
>
> Regards,
>
> Michael
>
> *From:* Christian Mueller <christian.muel...@os-solutions.at>
> *Sent:* Wednesday, 24 October 2018 08:41
> *To:* Härtel, Michael <michael.haer...@t-systems.com>
> *Cc:* geoserver-devel <geoserver-devel@lists.sourceforge.net>
> *Subject:* Re: [Geoserver-devel] Decrypting passwords given in REST
> response
>
> Hi Michael
>
> Some facts you need to know.
>
> The master password is used to encrypt the geoserver keystore located in
>
> <GEOSERVER_DATA_DIR>/security/geoserver.jceks
>
> This keystore contains an entry with the key used for the encryption of DB
> passwords.
>
> You need the master password to open the keystore, then you have to fetch
> the key for DB password encryption and finally you can decrypt the DB
> password.
>
> To decrypt the password on the client you have to store this password on
> the client, which is quite insecure.
>
> Be warned, each GeoServer installation has its individual key for DB
> password encryption.
>
> Hope this helps
>
> Cheers
>
> Christian
>
> On Tue, Oct 23, 2018 at 12:40 PM <michael.haer...@t-systems.com> wrote:
>
> Hello List,
>
> even though I am not a GeoServer core developer myself, I think that my
> questions can best be answered by people who are involved in the geoserver
> development.
>
> I try to reverse the encryption mechanism of the passwords for the DB
> connections that are returned via the REST API. I know the master password
> and therefore expected to be able to decrypt these strings, for example
> with the tool here: https://8gwifi.org/pbe.jsp
>
> The strings are:
>
> “crypt2:rvaPmI1USC4jaiPVJlFSWZ8mFHPh9jyMAU9jGfB1ABI=” (Strong PBE)
>
> “crypt1:E1kAaW4HURBcJLDIRahhi3DBBov7r+DG” (Weak PBE)
>
> As far as I understood, for weak PBE the algorithm is “PBEWITHMD5ANDDES”
> and for strong PBE it's "PBEWITHSHA256AND128BITAES-CBC-BC".
>
> But no matter what I try, I seem to miss one step because the services and
> my programming attempts always give me errors. What are the involved steps
> in order to retrieve the plain text password from the strings above? The
> string itself obviously can’t serve as an input directly and I only have a
> rough understanding of encryption in general. As far as I understood, I
> only need the master password or did I miss an important part about the
> salt?
>
> Is there any example code available to decrypt the password? I looked into
> the source code of the GeoServer and came up with this:
>
> import java.nio.charset.Charset;
> import java.util.Base64;
> import org.jasypt.encryption.pbe.StandardPBEByteEncryptor;
>
> Charset charset = Charset.forName("UTF-8");
> // PBE password placeholder (no trailing space; it would change the derived key).
> // Note: GeoServer derives this from the key stored in geoserver.jceks, not
> // from the master password itself.
> char[] encPasswordChararray = "<plaintextMasterPassword>".toCharArray();
>
> StandardPBEByteEncryptor byteEncrypter = new StandardPBEByteEncryptor();
> byteEncrypter.setPasswordCharArray(encPasswordChararray);
> byteEncrypter.setAlgorithm("PBEWITHMD5ANDDES");
>
> // The crypt1: body is base64. The byte encryptor expects the raw
> // salt+ciphertext bytes, so decode first instead of passing the ASCII
> // bytes of the base64 text (the decode was commented out before).
> byte[] encPasswordOrig = Base64.getDecoder().decode("E1kAaW4HURBcJLDIRahhi3DBBov7r+DG");
> byte[] decryptedPasswordBytes = byteEncrypter.decrypt(encPasswordOrig);
>
> System.out.println("decrypt:" + new String(decryptedPasswordBytes, charset));
>
>
> I tried to stick to the example from SecurityUtils.java and
> GeoServerPBEPasswordEncoder.java but I always get a response that complains
> about the last block incomplete in decryption or an incorrect padding.
>
> Can anybody help?
>
> Thank you very much,
>
> Michael
>
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
> --
>
> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>
> OSS Open Source Solutions GmbH
>


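Christian's three steps (open geoserver.jceks with the master password, fetch the key entry, decrypt the DB password with that key) carried through for both prefixes, as an added Java example that is not code from this thread or from GeoServer itself. It assumes Jasypt and Bouncy Castle on the classpath, the key alias "config:password:key" (not named in the thread), that the entry is protected by the master password, and that it is run on the server by the admin rather than on a client.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;

public class GeoServerPbeDecrypt {
    // Assumed alias of the config-password key entry in geoserver.jceks (the thread does not name it).
    static final String CONFIG_KEY_ALIAS = "config:password:key";

    /** Step 1: open <GEOSERVER_DATA_DIR>/security/geoserver.jceks with the master password and fetch the PBE key. */
    static char[] loadConfigKey(String keystorePath, char[] masterPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, masterPassword);
        }
        Key key = ks.getKey(CONFIG_KEY_ALIAS, masterPassword); // assumption: entry uses the same master password
        if (key == null) throw new IllegalStateException("no entry '" + CONFIG_KEY_ALIAS + "' in " + keystorePath);
        // The entry holds the per-installation random PBE password as UTF-8 bytes (assumption); Jasypt wants chars.
        return new String(key.getEncoded(), StandardCharsets.UTF_8).toCharArray();
    }

    /** Steps 2-3: pick the algorithm from the prefix, then let Jasypt's String encryptor base64-decode, split off the salt and decrypt. */
    static String decryptConfigPassword(String stored, char[] pbeKey) {
        int colon = stored.indexOf(':');
        if (colon < 0) throw new IllegalArgumentException("expected a crypt1:/crypt2: prefix");
        String prefix = stored.substring(0, colon);
        String base64Body = stored.substring(colon + 1); // the 32/44-char body is passed as-is, not pre-decoded
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPasswordCharArray(pbeKey);
        if ("crypt1".equals(prefix)) {
            enc.setAlgorithm("PBEWITHMD5ANDDES");                  // weak PBE
        } else if ("crypt2".equals(prefix)) {
            enc.setAlgorithm("PBEWITHSHA256AND128BITAES-CBC-BC"); // strong PBE, Bouncy Castle only
            enc.setProvider(new BouncyCastleProvider());
        } else {
            throw new IllegalArgumentException("unknown prefix: " + prefix);
        }
        return enc.decrypt(base64Body);
    }

    /** usage: java GeoServerPbeDecrypt <path/to/geoserver.jceks> <crypt1:...|crypt2:...>; the master password is prompted, never put in source. */
    public static void main(String[] args) throws Exception {
        char[] master = System.console().readPassword("master password: ");
        char[] pbeKey = loadConfigKey(args[0], master);
        System.out.println(decryptConfigPassword(args[1], pbeKey));
        Arrays.fill(master, '\0');
        Arrays.fill(pbeKey, '\0'); // this key unlocks every stored DB password of the installation; wipe it
    }
}
```

The two differences from the posted attempt are that the PBE password is the keystore entry rather than the master password, and that the base64 body goes to the String encryptor undecoded, which is what produced the "last block incomplete" and padding errors.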