
We would like to make a Java-based solution which can decrypt the secrets of Ansible Vault, based on this very clever blog

We made a Java test solution to check the working of the Python code, but the result of the first step wasn't the expected one. We would like to ask for some help with the problem. Why don't we get the correct result? Is it possible that the Python-based method doesn't work the same way as the Java-based method?

@Test
public void testFirstStepOfImplementation() throws NoSuchAlgorithmException, InvalidKeySpecException {
   String salt = "33343835306666636239373663396363643766613363343837646633343933376633323964663030313461623564666130643664313438333363373037623365";
   String hmac = "66346632303234363338306133646136393261363338616337613039363435313631343437323164386661326633313339396238396236346239333863663265";
   String encryptedBytes = "653036663266373533343232393838343161396564333963643632653932303861356361316561303465373566373961393231343861623064313765643465376335666665326331323061373237336639356165393563613765663864366231";
   String saltAscii = hexToAscii(salt);
   System.out.println(saltAscii);
   System.out.println(hexToAscii(hmac));
   System.out.println(hexToAscii(encryptedBytes));
   final Charset asciiCs = Charset.forName("UTF-8");
   SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");

   // Here is the problematic method call
   PBEKeySpec spec = new PBEKeySpec(asciiCs.encode("password").toString().toCharArray(), hexToAscii(saltAscii).getBytes(), 10000, 80 * 8);

   SecretKey tmp = factory.generateSecret(spec);
   System.out.println(bytesToHex(tmp.getEncoded()));

   // It must be:
   // # KDF (80 bytes)
   // fc4a21fb71bfaad6a0bbb078f0704721
   // ccad80519fc349c3ff14268fced14203
   // 9bfb1a43effdfb8f8d7119387fccec54
   // 8859c7fccc26589a65a2ee856e05763f
   // 394f9f4a44152b33234cba44c930921b
}

But the result of the code was:

b4f0b2c365a1ab6d2abaa18f687078896a739ca97fe55dbd5c0e0ceea0d82d0391938442c5e1db2c5f6e2e944a9338f452cecb3892751ef27677f5cb29129943a558c17eaddbddf71c1835b3cd5494ce

Instead of the good one:

fc4a21fb71bfaad6a0bbb078f0704721ccad80519fc349c3ff14268fced142039bfb1a43effdfb8f8d7119387fccec548859c7fccc26589a65a2ee856e05763f394f9f4a44152b33234cba44c930921b

Skuld
thomas.m
  • Here is a Java library that claims to be able to do this: https://github.com/Wedjaa/JavaAnsibleVault – Thilo Jul 24 '19 at 11:51
  • Why is this tagged `PowerShell`? – Theo Jul 24 '19 at 13:59
  • @Theo I gave the label 'powershell' because of the blog post which I mentioned at the beginning of my post. But it wasn't relevant in this context, as you pointed out. Thx for moderation. – thomas.m Jul 25 '19 at 10:53
  • @thomas.m Were you able to solve this issue? I'm having a similar problem – Suresh Raja Oct 29 '20 at 21:28

0 Answers
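An added example (not code from the original post or the linked blog) of the first step done on raw bytes: the salt, HMAC and ciphertext from the question are each hex-decoded twice into `byte[]`, the password is passed as a plain `char[]`, and the 80-byte output is split and checked against the vault's HMAC, which shows whether password and salt handling are right without needing a reference KDF dump. It assumes Java 17+ (`HexFormat`), the Ansible Vault 1.1 layout (32-byte AES key, 32-byte HMAC key, 16-byte CTR IV, HMAC-SHA256 over the raw ciphertext), and that the vault password is the literal `password` unless another is given as the first argument; the class and method names are made up for the example.

```java
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HexFormat;

// Added example, not from the original post. Needs Java 17+ (HexFormat).
public class VaultKdfCheck {
    static final HexFormat HEX = HexFormat.of();

    // The vault body is hex-encoded twice: outer hex -> ASCII hex text -> raw bytes.
    static byte[] unhexTwice(String outerHex) {
        String innerHex = new String(HEX.parseHex(outerHex), StandardCharsets.US_ASCII);
        return HEX.parseHex(innerHex); // stays a byte[]; a String round trip would alter bytes >= 0x80
    }

    // PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes: the parameters used in the question.
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 10000, 80 * 8); // length is in bits
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws Exception {
        // The three values copied from the question.
        byte[] salt = unhexTwice("33343835306666636239373663396363643766613363343837646633343933376633323964663030313461623564666130643664313438333363373037623365");
        byte[] expectedMac = unhexTwice("66346632303234363338306133646136393261363338616337613039363435313631343437323164386661326633313339396238396236346239333863663265");
        byte[] ciphertext = unhexTwice("653036663266373533343232393838343161396564333963643632653932303861356361316561303465373566373961393231343861623064313765643465376335666665326331323061373237336639356165393563613765663864366231");
        // Assumption: "password" is the vault password; pass the real one as args[0].
        char[] password = (args.length > 0 ? args[0] : "password").toCharArray();
        byte[] okm = derive(password, salt);
        // Ansible Vault 1.1 split of the 80 bytes: AES-256 key | HMAC key | CTR IV.
        byte[] aesKey = Arrays.copyOfRange(okm, 0, 32);
        byte[] hmacKey = Arrays.copyOfRange(okm, 32, 64);
        byte[] iv = Arrays.copyOfRange(okm, 64, 80);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
        boolean macOk = MessageDigest.isEqual(mac.doFinal(ciphertext), expectedMac);
        System.out.println("KDF output: " + HEX.formatHex(okm));
        System.out.println("AES key / IV bytes: " + aesKey.length + " / " + iv.length);
        System.out.println("HMAC matches: " + macOk); // decrypt (AES/CTR/NoPadding) only if true
    }
}
```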