Connect to Wildfly Elytron's Credential Store with Masked Password

I have a credential store that I created with Elytron's tool, giving a clear text password: "mypassword". In my Java program I can connect to the store with the following code:

import java.io.File;
import java.security.Provider;
import java.security.Security;
import java.util.HashMap;
import java.util.Map;
import org.wildfly.security.auth.server.IdentityCredentials;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.impl.KeyStoreCredentialStore;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.WildFlyElytronPasswordProvider;
import org.wildfly.security.password.interfaces.ClearPassword;

// createRaw takes the password as char[], not String
Password storePassword = ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, "mypassword".toCharArray());
CredentialStore.ProtectionParameter protectionParameter = new CredentialStore.CredentialSourceProtectionParameter(
                    IdentityCredentials.NONE.withCredential(new PasswordCredential(storePassword)));
Provider provider = new WildFlyElytronPasswordProvider();
Security.addProvider(provider);
CredentialStore credentialStore = CredentialStore.getInstance(KeyStoreCredentialStore.KEY_STORE_CREDENTIAL_STORE);
// Configure and Initialise the CredentialStore
String configPath = System.getProperty("jboss.server.data.dir");
Map<String, String> configuration = new HashMap<>();
String path = configPath + File.separator + "credentials" + File.separator + "csstore.jceks";
configuration.put("keyStoreType", "JCEKS");
configuration.put("location", path);
configuration.put("modifiable", "false");
//Initialize credentialStore
credentialStore.initialize(configuration, protectionParameter);

However, I now want to connect to the credential store with an encrypted password instead of a clear text one. For this purpose, I again used Elytron's tool to create a Masked Password of "mypassword" with the following command:

elytron-tool.sh mask --salt 12345678 --iteration 123 --secret mypassword;

Here the values for salt and iteration are just random; they could be anything. The above command gives me the masked password, which is:

MASK-38PaKyS.9hHaRq7pAaE5tB;12345678;123

I now need a way to connect to the credential store with this masked password within my Java program. I found that there is also a class called "MaskedPassword" which I might use, but I couldn't find out how.

Any suggestions?



Solution 1:[1]

We can create it using the below code...

Password storePassword = MaskedPassword.createRaw(
        MaskedPassword.ALGORITHM_MASKED_MD5_DES,
        <CREDENTIAL_STORE_ENTRY_PREFIX>.toCharArray(),       // initial key material (placeholder from the answer)
        123,                                                 // must match --iteration given to elytron-tool
        "12345678".getBytes(StandardCharsets.UTF_8),         // must match --salt given to elytron-tool
        "MASK-38PaKyS.9hHaRq7pAaE5tB".getBytes(StandardCharsets.UTF_8));
....
....

Solution 2:[2]

When you use the Elytron tool to generate a masked password, you get a string with the prefix MASK- and a suffix containing the salt and iteration; in your case: MASK-38PaKyS.9hHaRq7pAaE5tB;12345678;123

You can use the piece of code below to decrypt the masked password:

import java.security.GeneralSecurityException;
import org.wildfly.security.util.PasswordBasedEncryptionUtil;

private char[] getUnmaskedPass(String maskedPassword) throws GeneralSecurityException {
    int maskLength = "MASK-".length();
    if (maskedPassword == null || maskedPassword.length() <= maskLength) {
        throw new GeneralSecurityException();
    }
    // Strip the MASK- prefix; the remainder is <encoded>;<salt>;<iteration>
    String[] parsed = maskedPassword.substring(maskLength).split(";");
    if (parsed.length != 3) {
        throw new GeneralSecurityException();
    }
    String encoded = parsed[0];
    String salt = parsed[1];
    int iteration = Integer.parseInt(parsed[2]);
    // PicketBox-compatible PBE decryption using the same salt and iteration count as at mask time
    PasswordBasedEncryptionUtil encryptUtil = new PasswordBasedEncryptionUtil.Builder()
            .picketBoxCompatibility().salt(salt).iteration(iteration)
            .decryptMode().build();

    return encryptUtil.decodeAndDecrypt(encoded);
}

Now you can use this in your piece of code as the clear password. I hope that helped.

Source: https://github.com/wildfly-security/wildfly-elytron-tool/blob/master/src/main/java/org/wildfly/security/tool/MaskCommand.java (method static char[] decryptMasked(String maskedPassword))
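Putting the two answers together with the question's own store setup, the following is an added example (not code from either answer or from the Elytron project): it parses the MASK-<encoded>;<salt>;<iteration> string, unmasks it the way Solution 2 does, wraps the result as the clear protection password, and opens the read-only JCEKS store. The class name MaskedStoreAccess and the helper names unmask and protectionFor are my own; the package names are assumed from the WildFly Elytron API.

```java
import java.io.File;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.util.HashMap;
import java.util.Map;
import org.wildfly.security.auth.server.IdentityCredentials;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.impl.KeyStoreCredentialStore;
import org.wildfly.security.password.WildFlyElytronPasswordProvider;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.util.PasswordBasedEncryptionUtil;

public class MaskedStoreAccess {
    // Parses "MASK-<encoded>;<salt>;<iteration>" and decrypts it as elytron-tool's MaskCommand does.
    static char[] unmask(String masked) throws GeneralSecurityException {
        if (masked == null || !masked.startsWith("MASK-")) {
            throw new GeneralSecurityException("not a MASK- value");
        }
        String[] parts = masked.substring("MASK-".length()).split(";");
        if (parts.length != 3) {
            throw new GeneralSecurityException("expected MASK-<encoded>;<salt>;<iteration>");
        }
        PasswordBasedEncryptionUtil util = new PasswordBasedEncryptionUtil.Builder()
                .picketBoxCompatibility()   // same PBE key material and base64 alphabet as the tool
                .salt(parts[1])
                .iteration(Integer.parseInt(parts[2]))
                .decryptMode()
                .build();
        return util.decodeAndDecrypt(parts[0]);
    }

    // Wraps the unmasked characters as the clear protection password the store expects.
    static CredentialStore.ProtectionParameter protectionFor(String masked) throws GeneralSecurityException {
        ClearPassword storePassword = ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, unmask(masked));
        return new CredentialStore.CredentialSourceProtectionParameter(
                IdentityCredentials.NONE.withCredential(new PasswordCredential(storePassword)));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        Security.addProvider(new WildFlyElytronPasswordProvider());
        CredentialStore store = CredentialStore.getInstance(KeyStoreCredentialStore.KEY_STORE_CREDENTIAL_STORE);
        Map<String, String> config = new HashMap<>();
        config.put("keyStoreType", "JCEKS");
        config.put("location", System.getProperty("jboss.server.data.dir") + File.separator + "credentials" + File.separator + "csstore.jceks");
        config.put("modifiable", "false");
        store.initialize(config, protectionFor("MASK-38PaKyS.9hHaRq7pAaE5tB;12345678;123"));
        System.out.println("aliases: " + store.getAliases());
    }
}
```

The masked value in main is the one from the question; unmask rejects anything that does not have exactly the three ;-separated fields the tool prints, so a truncated or edited value fails before any decryption is attempted.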

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Sunil
Solution 2 tushar pagrut