I created a FIPS 140-2 compliant credential store using the Bouncy Castle provider. As described in the documentation, I first created the secret key:
```
keytool -genseckey -alias key -keyalg AES -keysize 256 -keystore keystore.bcfks -storetype bcfks -storepass myPass -keypass myPass
```
Then I created the credential store like this:
```
/subsystem=elytron/credential-store=myCredentialstore:add(relative-to=jboss.server.config.dir, credential-reference={clear-text="${ENC::myResolver:myEncodedExpression}"}, implementation-properties={keyAlias=key, external=true, externalPath=credentialStore.bcfks, keyStoreType=bcfks}, create=true, path=keystore.bcfks, modifiable=true)
```
The credential store works fine, but now I need to read a password from it programmatically. I found and tried two approaches.

Solution 1.
```java
import java.security.Provider;
import java.security.Security;
import java.util.HashMap;
import java.util.Map;

import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.wildfly.security.auth.server.IdentityCredentials;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.store.CredentialStore.CredentialSourceProtectionParameter;
import org.wildfly.security.credential.store.CredentialStore.ProtectionParameter;
import org.wildfly.security.credential.store.CredentialStoreException;
import org.wildfly.security.credential.store.impl.KeyStoreCredentialStore;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.interfaces.ClearPassword;

public static Password getPassword() throws CredentialStoreException {
    // Protection parameter: the clear-text store password wrapped as a credential source
    Password storePassword = ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR,
            MY_CLEAR_PASSWORD.toCharArray());
    ProtectionParameter protectionParameter = new CredentialSourceProtectionParameter(
            IdentityCredentials.NONE.withCredential(new PasswordCredential(storePassword)));

    // Register the BC FIPS provider so the BCFKS keystore type can be loaded
    Provider bcProvider = new BouncyCastleFipsProvider();
    Security.addProvider(bcProvider);

    // Same implementation properties as in the CLI definition above
    KeyStoreCredentialStore keyStoreCredentialStore = new KeyStoreCredentialStore();
    Map<String, String> kscsConfiguration = new HashMap<>();
    String keystorePath = "myPath/keystore.bcfks";
    String externalPath = "myPath/credentialStore.bcfks";
    kscsConfiguration.put("location", keystorePath);
    kscsConfiguration.put("modifiable", "true");
    kscsConfiguration.put("keyStoreType", "BCFKS");
    kscsConfiguration.put("keyAlias", "key");
    kscsConfiguration.put("external", "true");
    kscsConfiguration.put("externalPath", externalPath);
    Provider[] providers = { bcProvider };
    keyStoreCredentialStore.initialize(kscsConfiguration, protectionParameter, providers);

    // retrieve(alias, credentialType, credentialAlgorithm, parameterSpec, protectionParameter)
    PasswordCredential passwordCredential = keyStoreCredentialStore.retrieve(WEBUSER_PASSWORD_ALIAS,
            PasswordCredential.class,
            KeyStoreCredentialStore.KEY_STORE_CREDENTIAL_STORE,
            null,
            protectionParameter);
    return passwordCredential.getPassword();
}
```
With this code I can read the aliases from the credential store, but I still cannot retrieve the password. I just don't know how to pass the right parameters to the retrieve() call.

Solution 2.

I tried using the ServiceContainer, but calling CurrentServiceContainer.getServiceContainer() returns null.
```java
import org.jboss.as.server.CurrentServiceContainer;
import org.jboss.msc.service.ServiceController;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.ServiceRegistry;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.CredentialStoreException;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.interfaces.ClearPassword;

public static String getClientSecret(String credentialStore, String secretAlias)
        throws CredentialStoreException {
    // Service name under which the Elytron subsystem registers credential stores
    final ServiceName SERVICE_NAME_CRED_STORE = ServiceName.of("org", "wildfly", "security", "credential-store");
    final ServiceName sn = ServiceName.of(SERVICE_NAME_CRED_STORE, credentialStore);

    // Look the store service up in the server's MSC registry
    final ServiceRegistry registry = CurrentServiceContainer.getServiceContainer();
    final ServiceController<?> credStoreService = registry.getService(sn);
    final CredentialStore cs = (CredentialStore) credStoreService.getValue();

    if (!cs.exists(secretAlias, PasswordCredential.class)) {
        throw new CredentialStoreException("Alias " + secretAlias + " not found in credential store");
    }

    final Password password;
    try {
        password = cs.retrieve(secretAlias, PasswordCredential.class).getPassword();
    } catch (CredentialStoreException e) {
        e.printStackTrace();
        return null;
    }

    if (!(password instanceof ClearPassword)) {
        throw new ClassCastException("Password is not of type ClearPassword");
    }
    return new String(((ClearPassword) password).getPassword());
}
```
How can I retrieve a password from that credential store?

Other than through the management model itself, there is no direct way to obtain and use an encrypted expression that was created in the server's management model.

If you are able to use it, try looking at the credential store API in the Elytron encryption module.
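As an added example (not code from the asker or from the WildFly Elytron project), the following reader goes through the public CredentialStore API the answer points at, rather than instantiating KeyStoreCredentialStore directly. It assumes the split Elytron modules (the WildFlyElytronCredentialStoreProvider class in org.wildfly.security.credential.store) and the BC FIPS jar on the classpath; the paths, the store password and the alias "webuser-password" are placeholders. Because, as the answer says, the ${ENC::...} expression is only resolved by the management model, the store password is taken as a char[] from the caller instead:

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.wildfly.security.auth.server.IdentityCredentials;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.CredentialStoreException;
import org.wildfly.security.credential.store.WildFlyElytronCredentialStoreProvider;
import org.wildfly.security.credential.store.impl.KeyStoreCredentialStore;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.interfaces.ClearPassword;

/** Reads a clear-text password from a BCFKS-backed Elytron credential store (added example). */
public final class CredentialStoreReader {

    /**
     * Opens the store read-only and returns a copy of the password stored under alias.
     * The caller owns the returned char[] and should zero it after use.
     */
    public static char[] readClearPassword(String keystorePath, String externalPath,
                                           char[] storePassword, String alias)
            throws CredentialStoreException, NoSuchAlgorithmException {

        // BC FIPS supplies the BCFKS keystore type used by both files
        Provider bcFips = new BouncyCastleFipsProvider();
        Security.addProvider(bcFips);

        // Store password supplied by the caller (assumption: not an ${ENC::...} expression,
        // which only the management model can resolve)
        Password storePw = ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, storePassword);
        CredentialStore.ProtectionParameter protection =
                new CredentialStore.CredentialSourceProtectionParameter(
                        IdentityCredentials.NONE.withCredential(new PasswordCredential(storePw)));

        // Mirror the implementation-properties of the CLI definition; open read-only
        Map<String, String> attrs = new HashMap<>();
        attrs.put("location", keystorePath);
        attrs.put("keyStoreType", "BCFKS");
        attrs.put("keyAlias", "key");
        attrs.put("external", "true");
        attrs.put("externalPath", externalPath);
        attrs.put("modifiable", "false");

        // Obtain the store through the provider API instead of new KeyStoreCredentialStore()
        CredentialStore store = CredentialStore.getInstance(
                KeyStoreCredentialStore.KEY_STORE_CREDENTIAL_STORE,
                WildFlyElytronCredentialStoreProvider.getInstance());
        store.initialize(attrs, protection, new Provider[] { bcFips });

        // Check first so a missing alias is reported clearly rather than surfacing as a null
        if (!store.exists(alias, PasswordCredential.class)) {
            throw new CredentialStoreException("alias not present in credential store: " + alias);
        }

        // Two-argument retrieve: the store matches the entry's own algorithm and parameters
        PasswordCredential cred = store.retrieve(alias, PasswordCredential.class);
        ClearPassword clear = cred.getPassword(ClearPassword.class);
        if (clear == null) {
            throw new CredentialStoreException("entry for " + alias + " is not a clear password");
        }
        return clear.getPassword().clone();
    }

    // Usage with placeholder paths, store password and alias
    public static void main(String[] args) throws Exception {
        char[] storePw = "myPass".toCharArray();  // placeholder, as in the keytool example
        char[] secret = readClearPassword("myPath/keystore.bcfks", "myPath/credentialStore.bcfks",
                                          storePw, "webuser-password");
        try {
            System.out.println("retrieved " + secret.length + " characters for alias webuser-password");
        } finally {
            // Zero both secrets once they are no longer needed
            Arrays.fill(secret, '\0');
            Arrays.fill(storePw, '\0');
        }
    }
}
```

The two-argument retrieve(alias, PasswordCredential.class) is used deliberately: it leaves the credential algorithm and parameter spec unset, so the store matches whatever was written for that alias, and the protection parameter given to initialize() is reused. The store is opened with modifiable=false because a reader has no need for write access to the keystore.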