<div dir="ltr"><div>Hello,<br></div><div><br></div><div>I started to take a quick look at [1], for a better encryption of the passphrase for all the iOS variants (stored as plaintext ATM). For that I started looking at our neat Pbkdf2 class, from AeroGear-Crypto.</div>
<div><br></div><div>The idea is to store both: the encrypted password + the salt in the database, instead of the plaintext version of the password/passphrase.</div><div><br></div><div>Something like this:</div><div><br></div>
<div><a href="https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/LittleTest.java#L35-L43">https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/LittleTest.java#L35-L43</a><br>
</div><div><br></div><div>This works fine on things like logins:</div><div><br></div><div><a href="https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/LittleTest.java#L46-L54">https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/LittleTest.java#L46-L54</a></div>
<div><br></div><div>However, I am afraid it does not work for the iOS passphrase, required to connect to Apple - looks like the library we use requires it in plain text... (due to Apple? Not sure...)</div><div><br></div><div>
<a href="https://github.com/notnoop/java-apns/blob/master/src/main/java/com/notnoop/apns/ApnsServiceBuilder.java#L159">https://github.com/notnoop/java-apns/blob/master/src/main/java/com/notnoop/apns/ApnsServiceBuilder.java#L159</a></div>
<div><br></div><div>BTW, here is the relevant usage inside of our UnifiedPush Server:</div><div><br></div><div><a href="https://github.com/aerogear/aerogear-unifiedpush-server/blob/master/server/src/main/java/org/jboss/aerogear/unifiedpush/message/sender/APNsPushNotificationSender.java#L146">https://github.com/aerogear/aerogear-unifiedpush-server/blob/master/server/src/main/java/org/jboss/aerogear/unifiedpush/message/sender/APNsPushNotificationSender.java#L146</a></div>
<div><br></div><div>I am now wondering if there is something we can do for [1], in the long run, not now? </div><div><br></div><div>I see the 'java-apns API' supports passing in a java.security.Keystore, but unfortunately I am not sure if there is an impl. of that which is able to deal w/ encrypted passwords or if something like that might even work at all :-/</div>
<div><br></div><div><br></div><div>Greetings,</div><div>Matthias</div><div><br></div><div>[1] <a href="https://issues.jboss.org/browse/AGPUSH-358">https://issues.jboss.org/browse/AGPUSH-358</a></div><div><br></div>-- <br>
Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div>
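<div>The salted PBKDF2 scheme the message describes for logins (derive a hash with a random salt, store salt + hash, re-derive and compare on check), as an added Python example; it is not code from AeroGear-Crypto, the UnifiedPush Server or java-apns, and the record format, iteration count and function names are assumptions made for this example. It illustrates the one-way property that makes the scheme fit logins but not the APNs passphrase, which has to be handed to the library as plaintext and so cannot be recovered from such a record.</div>

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (not AeroGear-Crypto's defaults).
ITERATIONS = 100_000
SALT_LEN = 16   # bytes of random salt per stored record
KEY_LEN = 32    # bytes of derived key (SHA-256 output size)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None,
                    iterations: int = ITERATIONS) -> str:
    """Derive a one-way PBKDF2-HMAC-SHA256 hash and return the record to store.

    Record format (assumed here): 'pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>'.
    Storing the salt and iteration count next to the hash lets the check side
    recompute the derivation later; the passphrase itself is never stored.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    derived = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                  salt, iterations, dklen=KEY_LEN)
    return "$".join(["pbkdf2-sha256", str(iterations), _b64(salt), _b64(derived)])


def verify_passphrase(candidate: str, record: str) -> bool:
    """Login-style check: re-derive from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                  salt, int(iterations), dklen=len(expected))
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    record = hash_passphrase("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_passphrase("correct horse battery staple", record))  # True
    print(verify_passphrase("wrong passphrase", record))              # False
```

Note that there is no inverse of hash_passphrase: the record is enough to check a candidate but not to get the passphrase back, which is exactly the property that rules it out for the APNs certificate passphrase.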