
Our customer complains about the encryption key being stored in the Tomcat context.xml as plain text (well, he is definitely right on this point), and he wants to use an external keystore to store this encryption key.

I was able to create a keystore and put a symmetric key in there with the following command:

keytool -importpassword -alias encryption-key -keystore your.keystore -storetype pkcs12

This keystore has the 'PKCS12' type and, actually, can store symmetric keys. My stored password has an alias, which is 'encryption-key'. 'your.keystore' is the keystore file.

But I have a problem: I cannot extract it.

If I try to extract it from the Java code, then I need to provide a salt and an iteration count, like this:

    final SecretKey secretKey = (SecretKey) keyStore.getKey(alias, password.toCharArray());
    System.out.println("[*] Encryption algorithm: " + secretKey.getAlgorithm());

    Cipher cipher = Cipher.getInstance(secretKey.getAlgorithm());
    AlgorithmParameterSpec algorithmParameterSpec = new PBEParameterSpec(SALT, ITERATION_COUNT);

    cipher.init(Cipher.DECRYPT_MODE, secretKey, algorithmParameterSpec);
    String decryptedData = Arrays.toString(cipher.doFinal(secretKey.getEncoded()));
    System.out.println("Decrypted Key: " + decryptedData);

But I'm not sure which values I should provide to it, because I stored my passphrase using the command line.

The encryption algorithm being used is PBEWithMD5AndDES. I can see my stored passphrase in a debugger session, I can actually even see the passphrase length, but I cannot decrypt it.

So, what are my options here? The customer wants to have a standard implementation (JCA). How can I extract my passphrase that was generated with the command above?

1 Answer


Forget it, I'm stupid. It turns out that I always had the right value, it was just in HEX format.

So, if you want to have a keystore and put some value in it (just a string, not a key pair), then you will need to:

$ keytool -importpassword -alias encryption-key -keystore your.keystore -storetype pkcs12 -storepass testtest # create a keystore and store a single value

where -importpassword is used to store a single passphrase,

-alias is an alias for your passphrase,

-keystore is the keystore file, obviously,

-storetype pkcs12 is used to store a symmetric key (just a passphrase, not a key pair),

-storepass is the password for your keystore (not for your passphrase).

Then you can use the following code example to extract your key:

import javax.crypto.SecretKey;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;

public class Main {
    private static final String WORKING_DIRECTORY = "/path/to/directory/where/keystore/is/placed/";
    private static final String FILE_NAME = "your.keystore";
    private static final String KEYSTORE_PASSWORD = "testtest";
    private static final String SECRET_KEY_ALIAS = "encryption-key";

    public static void main(String[] argv) throws Exception {
        // The file was created with -storetype pkcs12, so ask for PKCS12 explicitly:
        // KeyStore.getDefaultType() is "jks" on Java 8 and only became "pkcs12" in Java 9.
        final KeyStore keystore = KeyStore.getInstance("PKCS12");
        try (InputStream is = new FileInputStream(WORKING_DIRECTORY + FILE_NAME)) { // load the keystore from file
            keystore.load(is, KEYSTORE_PASSWORD.toCharArray()); // checks the store's integrity MAC with the store password
        }

        extract(SECRET_KEY_ALIAS, KEYSTORE_PASSWORD, keystore); // extract the stored password from the keystore
    }

    static void extract(final String alias, final String password, final KeyStore keyStore) throws Exception {
        // keytool -importpassword stores the passphrase as a PBE SecretKey entry; without -keypass
        // the entry password is the store password.
        final SecretKey secretKey = (SecretKey) keyStore.getKey(alias, password.toCharArray());
        if (secretKey == null) {
            throw new IllegalStateException("no entry under alias " + alias);
        }
        System.out.println("[*] Encryption algorithm: " + secretKey.getAlgorithm()); // PBEWithMD5AndDES

        // getEncoded() already returns the raw passphrase bytes (a debugger shows a byte[] as hex,
        // hence the confusion); decode them, there is nothing to "decrypt" with a Cipher.
        System.out.println("[*] Converting stored key bytes to string");
        System.out.println("[+] Stored key: " + new String(secretKey.getEncoded(), StandardCharsets.UTF_8));
    }
}
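Added example, not part of the question or the answer above: a self-contained Java program that does both halves of the procedure with plain JCA, writing the passphrase into a PKCS12 keystore the same way `keytool -importpassword` does (a PBE SecretKey in a SecretKeyEntry) and reading it back as a char[] instead of a String. It assumes the SunJCE provider, whose "PBE" SecretKeyFactory resolves to PBEWithMD5AndDES and whose PKCS12 loader hands the entry back as a javax.crypto.interfaces.PBEKey so getPassword() works; the env var name KEYSTORE_PASS, the alias and the sample passphrase are chosen for the demo.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.interfaces.PBEKey;
import javax.crypto.spec.PBEKeySpec;

public class PassphraseStoreDemo {

    /** Store a passphrase under alias, as keytool -importpassword does: wrap the chars in a
     *  PBE SecretKey ("PBE" is PBEWithMD5AndDES in SunJCE) and put it in a PKCS12 SecretKeyEntry. */
    static void storePassphrase(Path file, char[] storePass, String alias, char[] passphrase) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        if (Files.exists(file)) {
            try (InputStream in = Files.newInputStream(file)) { ks.load(in, storePass); }
        } else {
            ks.load(null, null); // start with an empty keystore
        }
        SecretKey wrapped = SecretKeyFactory.getInstance("PBE").generateSecret(new PBEKeySpec(passphrase));
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(wrapped), new KeyStore.PasswordProtection(storePass));
        try (OutputStream out = Files.newOutputStream(file)) { ks.store(out, storePass); }
    }

    /** Read the passphrase back as char[] so the caller can zero it after use. */
    static char[] loadPassphrase(Path file, char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12"); // explicit: the default type is JKS on Java 8
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, storePass); }
        KeyStore.Entry e = ks.getEntry(alias, new KeyStore.PasswordProtection(storePass));
        if (!(e instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("no secret-key entry under alias " + alias);
        }
        SecretKey k = ((KeyStore.SecretKeyEntry) e).getSecretKey();
        if (k instanceof PBEKey) {
            // Assumption: SunJCE returns a PBEKey; getPassword() is the original passphrase chars.
            return ((PBEKey) k).getPassword();
        }
        // Fallback for other providers: getEncoded() is the UTF-8 passphrase bytes (the "hex" seen in a debugger).
        byte[] raw = k.getEncoded();
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
        char[] out = Arrays.copyOf(cb.array(), cb.limit());
        Arrays.fill(cb.array(), '\0');
        Arrays.fill(raw, (byte) 0);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Keystore password comes from the environment rather than a hard-coded constant;
        // assumption: the deployment sets KEYSTORE_PASS (demo falls back to a sample value).
        String env = System.getenv("KEYSTORE_PASS");
        char[] storePass = (env != null ? env : "testtest").toCharArray();
        Path file = Files.createTempFile("demo", ".p12");
        char[] secret = "correct horse battery staple".toCharArray(); // constructed sample passphrase

        storePassphrase(file, storePass, "encryption-key", secret);
        char[] back = loadPassphrase(file, storePass, "encryption-key");
        System.out.println("[+] round trip ok: " + Arrays.equals(secret, back));

        Arrays.fill(back, '\0'); // wipe both copies once used
        Arrays.fill(secret, '\0');
        Arrays.fill(storePass, '\0');
        Files.delete(file);
    }
}
```

Note that the keystore only moves the secret: the store password still has to reach the application from somewhere (an environment variable, a file readable only by the Tomcat user, a credential provider), so that location now needs the protection the plain-text context.xml lacked.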