javawildflycredentialselytron

Connect to Wildfly Elytron's Credential Store with Masked Password


I have a credential store that I created with Elytron's tool giving a clear text password: "mypassword". In my Java program I can connect to the store with the following code;

Password storePassword = ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR,"mypassword");
CredentialStore.ProtectionParameter protectionParameter = new CredentialStore.CredentialSourceProtectionParameter(
                    IdentityCredentials.NONE.withCredential(new PasswordCredential(storePassword)));
Provider provider = new WildFlyElytronPasswordProvider();
Security.addProvider(provider);
CredentialStore credentialStore = CredentialStore.getInstance(KeyStoreCredentialStore.KEY_STORE_CREDENTIAL_STORE);
// Configure and Initialise the CredentialStore
String configPath = System.getProperty("jboss.server.data.dir");
Map<String, String> configuration = new HashMap<>();
String path = configPath + File.separator + "credentials" + File.separator + "csstore.jceks";
configuration.put("keyStoreType", "JCEKS");
configuration.put("location", path);
configuration.put("modifiable", "false");
//Initialize credentialStore
credentialStore.initialize(configuration, protectionParameter);

However, I now want to connect to the credential store with an encrypted password instead of a clear text. For this purpose, I again used Elytron's tool to create a Masked Passowrd of "mypassword" with the following command;

elytron-tool.sh mask --salt 12345678 --iteration 123 --secret mypassword;

Here the values for salt and iteration are just random, could be anything. The above command gives me the masked password which is;

MASK-38PaKyS.9hHaRq7pAaE5tB;12345678;123

I now need a way to connect to credential store with this masked password within my Java program. I found that there is also a class called "MaskedPassword" which I might use but I couldn't find out how.

Any suggestions?


Solution

  • When you use elytron tool to generate masked password then you get string with prefix MASK- and suffix with salt and iteration in your case - MASK-38PaKyS.9hHaRq7pAaE5tB;12345678;123

    you can use below piece of code to decrypt the masked password,

    private char[] getUnmaskedPass(String maskedPassword) throws GeneralSecurityException {
            int maskLength = enter code here"MASK-".length();
            if (maskedPassword == null || maskedPassword.length() <= maskLength) {
                throw new GeneralSecurityException();
            }
            String[] parsed = maskedPassword.substring(maskLength).split(";");
            if (parsed.length != 3) {
                throw new GeneralSecurityException();
            }
            String encoded = parsed[0];
            String salt = parsed[1];
            int iteration = Integer.parseInt(parsed[2]);
            PasswordBasedEncryptionUtil encryptUtil = new PasswordBasedEncryptionUtil.Builder().picketBoxCompatibility().salt(salt).iteration(iteration)
                    .decryptMode().build();
    
            return encryptUtil.decodeAndDecrypt(encoded);
        }
    

    Now you can use this in your piece of code as a clearPassword. I hope that helped.

    Source - https://github.com/wildfly-security/wildfly-elytron-tool/blob/master/src/main/java/org/wildfly/security/tool/MaskCommand.java static char[] decryptMasked(String maskedPassword)