Connect to Wildfly Elytron's Credential Store with Masked Password


Özgen Erbakan

Feb 1, 2022, 3:08:55 PM
to WildFly

I have a credential store that I created with Elytron's tool giving a clear text password: "mypassword". In my Java program I can connect to the store with the following code:

// createRaw expects the password as a char[]
Password storePassword = ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, "mypassword".toCharArray());
CredentialStore.ProtectionParameter protectionParameter = new CredentialStore.CredentialSourceProtectionParameter(
        IdentityCredentials.NONE.withCredential(new PasswordCredential(storePassword)));

Provider provider = new WildFlyElytronPasswordProvider();
Security.addProvider(provider);

CredentialStore credentialStore = CredentialStore.getInstance(KeyStoreCredentialStore.KEY_STORE_CREDENTIAL_STORE);

// Configure and Initialise the CredentialStore
String configPath = System.getProperty("jboss.server.data.dir");
Map<String, String> configuration = new HashMap<>();
String path = configPath + File.separator + "credentials" + File.separator + "csstore.jceks";
configuration.put("keyStoreType", "JCEKS");
configuration.put("location", path);
configuration.put("modifiable", "false");

// Initialize credentialStore
credentialStore.initialize(configuration, protectionParameter);

However, I now want to connect to the credential store with an encrypted password instead of a clear text. For this purpose, I again used Elytron's tool to create a Masked Password of "mypassword" with the following command:

elytron-tool.sh mask --salt 12345678 --iteration 123 --secret mypassword;

The above command gives me the masked password which is:

MASK-38PaKyS.9hHaRq7pAaE5tB;12345678;123

I now need a way to connect to credential store with this masked password within my Java program. I found that there is also a class called "MaskedPassword" which I might use but I couldn't find out how.

Any suggestions?

Catalin Moga

Dec 19, 2022, 10:50:59 AM
to WildFly
Hi,

Any findings on this topic?

Thanks!

Diana Krepinska

Jan 2, 2023, 3:09:54 PM
to WildFly
You can take a look at this discussion https://wildfly.zulipchat.com/#narrow/stream/173102-wildfly-elytron/topic/Help.20for.20using.20encrypted.20expressions/near/300204015 where Ricardo posted how to unmask a masked password in order to initialize a credential store programmatically. Posting his relevant code snippet below:

private PasswordCredential unmaskPassword(String secret) throws GeneralSecurityException {
    if (!secret.startsWith("MASK-")) {
        throw new NoSuchAlgorithmException("Password should be masked!");
    }
    // after the MASK- prefix: <masked value>;<salt>;<iteration count>
    String[] part = secret.substring(5).split(";");
    if (part.length != 3) {
        throw new CredentialStoreException("Invalid mask!");
    }
    int iterationCount = Integer.parseInt(part[2]);
    PasswordBasedEncryptionUtil decryptUtil = new PasswordBasedEncryptionUtil.Builder()
            .picketBoxCompatibility()
            .salt(part[1])
            .iteration(iterationCount)
            .decryptMode()
            .build();
    return new PasswordCredential(ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, decryptUtil.decodeAndDecrypt(part[0])));
}

public CredentialStoreUtil(String location, String secret) throws GeneralSecurityException {
    // secret is in MASK to avoid plain passwords
    PasswordCredential pwd = unmaskPassword(secret);
    // open the credential store
    Map<String, String> csAttributes = new HashMap<>();
    csAttributes.put("location", location);
    csAttributes.put("keyStoreType", "JCEKS");
    cs = CredentialStore.getInstance(KeyStoreCredentialStore.KEY_STORE_CREDENTIAL_STORE);
    cs.initialize(csAttributes, new CredentialStore.CredentialSourceProtectionParameter(
            IdentityCredentials.NONE.withCredential(pwd)));
}
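
An end-to-end version of the approach in the reply above, added here as an example (it is not part of the original thread and not Ricardo's or the WildFly project's code): it unmasks the store password, opens the JCEKS store read-only as in the question, retrieves one alias, and wipes the unmasked store password afterwards. The class name `MaskedStoreReader`, the environment variable `STORE_MASK` and the command-line arguments are assumptions; it also assumes Java 9+ and an Elytron version that ships the separate password and credential-store providers.

```java
import java.security.GeneralSecurityException;
import java.security.Security;
import java.util.Arrays;
import java.util.Map;
import org.wildfly.security.auth.server.IdentityCredentials;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.CredentialStoreException;
import org.wildfly.security.credential.store.WildFlyElytronCredentialStoreProvider;
import org.wildfly.security.credential.store.impl.KeyStoreCredentialStore;
import org.wildfly.security.password.WildFlyElytronPasswordProvider;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.util.PasswordBasedEncryptionUtil;

public class MaskedStoreReader { // hypothetical class name
    /** Returns the clear secret stored under alias; the caller wipes the array after use. */
    static char[] readSecret(String location, String masked, String alias) throws GeneralSecurityException {
        Security.addProvider(WildFlyElytronPasswordProvider.getInstance());
        Security.addProvider(WildFlyElytronCredentialStoreProvider.getInstance());
        // Format produced by "elytron-tool.sh mask": MASK-<masked value>;<salt>;<iteration count>
        String[] part = masked.startsWith("MASK-") ? masked.substring(5).split(";") : new String[0];
        if (part.length != 3) throw new CredentialStoreException("Invalid mask!");
        // Salt and iteration count travel inside the string, so the masked value
        // needs the same file permissions and handling as the clear password.
        char[] storePassword = new PasswordBasedEncryptionUtil.Builder()
                .picketBoxCompatibility().salt(part[1]).iteration(Integer.parseInt(part[2]))
                .decryptMode().build().decodeAndDecrypt(part[0]);
        try {
            Map<String, String> attrs = Map.of("location", location, "keyStoreType", "JCEKS", "modifiable", "false");
            CredentialStore cs = CredentialStore.getInstance(KeyStoreCredentialStore.KEY_STORE_CREDENTIAL_STORE);
            cs.initialize(attrs, new CredentialStore.CredentialSourceProtectionParameter(
                    IdentityCredentials.NONE.withCredential(new PasswordCredential(
                            ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, storePassword)))));
            PasswordCredential entry = cs.retrieve(alias, PasswordCredential.class); // null if absent
            if (entry == null) throw new CredentialStoreException("No such alias: " + alias);
            ClearPassword clear = entry.getPassword(ClearPassword.class);
            if (clear == null) throw new CredentialStoreException("Alias does not hold a clear password: " + alias);
            return clear.getPassword().clone();
        } finally {
            Arrays.fill(storePassword, '\0'); // do not keep the unmasked store password in memory
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // args[0] = store location, args[1] = alias; STORE_MASK is a hypothetical variable name
        char[] secret = readSecret(args[0], System.getenv("STORE_MASK"), args[1]);
        System.out.println("retrieved " + secret.length + " characters");
        Arrays.fill(secret, '\0');
    }
}
```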