wildflyelytron

How to generate masked passwords for elytron?


I'd like to replace my clear text password I use in wildfly-config.xml with masked passwords, which seems to be supported in WildFly 18. I've tried using the elytron-tool to generate the masked password:

./elytron-tool.sh mask --salt 12345678 --iteration 12 --secret password
MASK-2FVkvIpoGRstP19QEZ76qE;12345678;12

Then I've converted the hash ("2FVkvIpoGRstP19QEZ76qE") to base64 and added in wildfly-config.xml

<credentials>
        <masked-password iteration-count="12" salt="12345678" masked-password="MkZWa3ZJcG9HUnN0UDE5UUVaNzZxRQ=="/>
</credentials>
<sasl-mechanism-selector selector="DIGEST-MD5"/>

However it fails with:

Caused by: java.security.spec.InvalidKeySpecException: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
    at org.wildfly.security.password.impl.MaskedPasswordImpl.unmask(MaskedPasswordImpl.java:182)
    at org.wildfly.security.password.impl.MaskedPasswordImpl.<init>(MaskedPasswordImpl.java:76)
    at org.wildfly.security.password.impl.MaskedPasswordImpl.<init>(MaskedPasswordImpl.java:96)
    at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineGeneratePassword(PasswordFactorySpiImpl.java:476)
    at org.wildfly.security.password.PasswordFactory.generatePassword(PasswordFactory.java:151)
    at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseMaskedPassword$55(ElytronXmlParser.java:2748)
    ... 21 more
Caused by: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:936)
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:847)
    at com.sun.crypto.provider.PBES1Core.doFinal(PBES1Core.java:416)
    at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
    at javax.crypto.Cipher.doFinal(Cipher.java:2164)
    at org.wildfly.security.password.impl.MaskedPasswordImpl.unmask(MaskedPasswordImpl.java:180)

So it seems my process for generating the masked password is wrong. Can you advice any tool/shell command that will generate a valid masked password? Thanks a lot

Solution

  • You can find a sample code which generates the masked password in the Jboss' developer blog: https://developer.jboss.org/people/aabdelsa/blog/2019/09/05/support-for-masked-passwords-in-the-client-xml-configuration Hope it helps