 

Passwords in SSL with Jetty tutorial

Tags:

ssl

jetty

In this tutorial, where are the following values coming from?

  • password (OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4)
  • keyPassword (OBF:1u2u1wml1z7s1z7a1wnl1u2g)
  • trustPassword (OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4)
jlezard asked Jan 16 '12 17:01


3 Answers

Someone (ack_ of the Norn Iron Hacker Scene) made a Python script to reverse the Jetty password obfuscation. Useful when you need to export the keystore to other programs.

# Jetty Deobfuscation Tool
from __future__ import print_function
import sys

OBF_PREFIX = "OBF:"


def deobfuscate_jetty(ciphertext):
    # Jetty prints the value with an "OBF:" prefix; accept it either way.
    if ciphertext.startswith(OBF_PREFIX):
        ciphertext = ciphertext[len(OBF_PREFIX):]
    plaintext = ""
    # Each plaintext byte is encoded as one 4-character base-36 group.
    for i in range(0, len(ciphertext), 4):
        t = ciphertext[i:i + 4]
        i0 = int(t, 36)
        # Upper byte is 127 + c + mirror_c, lower byte is 127 + c - mirror_c,
        # so adding them and subtracting 254 leaves 2 * c.
        i1, i2 = divmod(i0, 256)
        x = (i1 + i2 - 254) >> 1
        plaintext += chr(x)
    return plaintext


if __name__ == '__main__':
    if len(sys.argv) == 2:
        print(deobfuscate_jetty(sys.argv[1]))
    else:
        print("Jetty Deobfuscation Tool v1.0")
        print("%s <string>" % sys.argv[0])
        sys.exit(1)
Thilo answered Nov 07 '22 01:11


The passwords prefixed with OBF: come from Jetty's own system for obfuscating passwords. There is more documentation here: http://wiki.eclipse.org/Jetty/Howto/Secure_Passwords

Note that this is obfuscated and not encrypted. It just prevents a human from reading it quickly:

In some cases such as keystore passwords and digest authentication, the system must retrieve the original password, which requires the obfuscation method. The drawback of the obfuscation algorithm is that it protects passwords from casual viewing only.

You could put them in clear too, it wouldn't change much.

In this case, the password, keyPassword and trustPassword are respectively the passwords for the key store, the key password (that should be optional if it's the same as the key store password) and the trust store password. These are the ones you set when you create these keystores.

Bruno answered Nov 07 '22 01:11


This was driving me kind of crazy too. Here's a script that you can use to generate the various passwords. The script works with this particular version of jetty: jetty-hightide-8.1.10.v20130312, but can be modified through the JETTY_VER variable.

jetty-passwd.sh

#!/bin/bash

# url: http://wiki.eclipse.org/Jetty/Howto/Secure_Passwords
# set -x

if [ $# -ne 2 ]; then
  echo -e "\nUSAGE: $(basename "$0"): <user> <password>\n"
  exit 1
fi

JETTY_VER=8.1.10.v20130312
JETTY_HOME=/opt/jetty-hightide-$JETTY_VER
# Password prints the plaintext followed by its OBF:, MD5: and CRYPT: forms;
# <user> is the salt for the CRYPT: form (its first two characters start the hash).
java -cp "$JETTY_HOME/lib/jetty-util-${JETTY_VER}.jar" \
  org.eclipse.jetty.util.security.Password "$1" "$2"

example run

% ./jetty-passwd.sh me blah
blah
OBF:1t2x1toq1to41t39
MD5:6f1ed002ab5595859014ebf0951522d9
CRYPT:me/DjMjPzbKG.
slm answered Nov 07 '22 00:11
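An added example, not part of any answer above and not Jetty's own code: a pure-Python re-implementation of the OBF: scheme that Bruno's answer describes and that the Password tool in slm's answer produces, in both directions. Running the forward direction on slm's example input shows how OBF:1t2x1toq1to41t39 is derived from "blah", and the reverse direction recovers the three values from the question, which is the concrete form of Bruno's point that this is obfuscation rather than encryption. Assumptions: passwords are ASCII (later Jetty versions encode non-ASCII bytes in a separate 'U'-prefixed group that this example does not implement and rejects), and the MD5: form is the hex MD5 of the password alone, which matches the example run. The function names are this example's own.

```python
# Added example (not from the original post or from Jetty): Jetty's OBF:
# password obfuscation re-implemented in Python, forward and reverse.
import hashlib

OBF_PREFIX = "OBF:"
MD5_PREFIX = "MD5:"
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n, width=4):
    """Render n in lowercase base 36, zero-padded on the left to `width`."""
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = _DIGITS[r] + out
    return out.rjust(width, "0")


def obfuscate(password):
    """Jetty OBF encoding. Each byte is paired with its mirror byte from the
    other end of the string, so every 4-char group depends on two positions;
    that is the only thing that stops a casual reader from eyeballing it."""
    data = password.encode("utf-8")
    if any(b >= 0x80 for b in data):
        # Assumption: ASCII only. Newer Jetty uses a 'U'-prefixed group for
        # such bytes, which this example does not implement.
        raise ValueError("only ASCII passwords are handled by this example")
    groups = []
    for i, b1 in enumerate(data):
        b2 = data[len(data) - 1 - i]   # mirror byte
        i1 = 127 + b1 + b2             # sum term, fits in the upper byte(s)
        i2 = 127 + b1 - b2             # difference term, always 0..254
        groups.append(_to_base36(i1 * 256 + i2))
    return OBF_PREFIX + "".join(groups)


def deobfuscate(obf):
    """Inverse of obfuscate(); accepts the value with or without 'OBF:'.
    No key is involved, so anyone holding the config can run this."""
    if obf.startswith(OBF_PREFIX):
        obf = obf[len(OBF_PREFIX):]
    if "U" in obf:
        raise ValueError("'U' groups (non-ASCII bytes) are not handled here")
    if len(obf) % 4 != 0:
        raise ValueError("OBF payload length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(obf), 4):
        i0 = int(obf[i:i + 4], 36)
        i1, i2 = divmod(i0, 256)
        # (127 + b1 + b2) + (127 + b1 - b2) - 254 == 2 * b1
        out.append((i1 + i2 - 254) // 2)
    return out.decode("utf-8")


def md5_credential(password):
    """The MD5: line printed by the Password tool: hex MD5 of the password."""
    return MD5_PREFIX + hashlib.md5(password.encode("utf-8")).hexdigest()


def decode_question_values():
    """Reverse the three values from the question (constructed from the
    question text) to show what the config actually contains."""
    values = {
        "password": "OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4",
        "keyPassword": "OBF:1u2u1wml1z7s1z7a1wnl1u2g",
        "trustPassword": "OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4",
    }
    return {name: deobfuscate(v) for name, v in values.items()}


if __name__ == "__main__":
    print(obfuscate("blah"))          # same as slm's example run
    print(md5_credential("blah"))
    for name, plain in decode_question_values().items():
        print("%s -> %s" % (name, plain))
```

Because the transform is keyless and byte-wise, the real protection for these values is filesystem permissions on the Jetty configuration, exactly as it would be for the cleartext Bruno mentions.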