[ https://issues.jboss.org/browse/ELY-1189?page=com.atlassian.jira.plugin.s... ]
Peter Skopek commented on ELY-1189:
-----------------------------------
pskopek commented on 11 Jan
We need this new type of credential store to properly define the decrypt "facility"
of masked passwords.
https://issues.jboss.org/browse/ELY-868
Example of usage:
{code:xml}
<credential-stores>
    <credential-store name="test"
                      relative-to="jboss.server.data.dir">
        <uri>cr-store://test?create.storage=true</uri>
        <credential-reference store="masked-cs"
                              alias="MASK-OCwoJ1d1RyGXVkUEuVCouA=="/>
    </credential-store>
    <credential-store name="masked-cs"
                      type="PasswordBasedEncryptionCredentialStore">
        <uri>cr-store://masked-cs?salt=SALTsalt;iteration=234;keyAlgoritm=PBEWithHmacSHA1andAES_128;encodedIV=WzVT5uUpEoXAPihMYzAIhQ==</uri>
        <credential-reference
                clear-text="ThisIsStrangeInitialKey"/>
    </credential-store>
</credential-stores>
{code}
dmlloyd commented on 11 Jan
I disagree with this change; using a whole credential store for one password format seems
wrong. Instead we should be using "MaskedPassword" in a regular credential
store, or even in places where regular passwords are allowed as a special expression (I
believe previously we used "MASK-" for this purpose).
pskopek commented on 11 Jan
This change will allow several credential-references to use one set of parameters for the
PBE algorithm.
A credential-reference can be used elsewhere, in other subsystems.
I thought we were not going to use special expressions to supply passwords and would leave
what we have to PicketBox vault/MASK usage.
pskopek commented on 11 Jan
oops, I see the problem. Putting this on hold to fix it.
dmlloyd commented on 11 Jan
Vault expressions should go, yes. But I think there are good arguments for allowing masked
passwords to be used in places where clear passwords would otherwise be allowed.
pskopek commented on 11 Jan
I agree that masked passwords should be used at places where clear passwords are allowed.
The only problem is that we have to separate the IV and InitialKey definitions/locations from
the salt and iteration.
My idea is to use a new type of credential store for the IV and InitialKey, and the
credential-reference or special expression will hold the salt, iteration and actual encrypted
data.
Do you agree @dmlloyd ?
dmlloyd commented on 11 Jan
If the masked form of the password depends on IV then I guess the IV should be part of the
MaskedPassword itself... then things which represent a masked password in text form would
have to have configuration to tell what IV to use. Where do we store the IV today under
PB?
dmlloyd commented on 11 Jan
The work of @zregvart is also tied into this.
pskopek commented on 11 Jan
As far as I remember PB is using a different algorithm, "PBEwithMD5andDES", which
doesn't require an IV.
Sure, the IV could be part of MaskedPassword, but we still have the InitialKey.
It could be constant like in PB, but having the chance to store it inside a credential store
would be much better.
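The split the discussion converges on, shown as an added example that is not Elytron's code: PBEWithHmacSHA1AndAES_128 is modelled here as PBKDF2-HMAC-SHA1 key derivation followed by AES-128-CBC with PKCS#5 padding, the InitialKey and IV are the store-side inputs, and the salt and iteration count (the SALTsalt and 234 from the URI above) travel with the reference. The 16-byte IV and the clear text used in testing are constructed values, and the exact encoding of Elytron's real masked values is not claimed.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"strings"
)

// pbeCipher runs PBKDF2-HMAC-SHA1 for one output block (20 bytes, AES-128 takes 16)
// and wraps the key in an AES block cipher; spelled out so only the stdlib is assumed.
func pbeCipher(initialKey, salt string, iter int) cipher.Block {
	mac := hmac.New(sha1.New, []byte(initialKey))
	u := append([]byte(salt), 0, 0, 0, 1) // salt || INT(1): input to U_1
	t := make([]byte, sha1.Size)
	for i := 0; i < iter; i++ { // U_i = PRF(U_{i-1}); T_1 = U_1 ^ ... ^ U_c
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(t[:16]) // a 16-byte key never errors
	return block
}

// Mask: AES-128-CBC with PKCS#5 padding, encoded as "MASK-<base64>" like the alias above.
func Mask(initialKey string, iv []byte, salt string, iter int, clear string) string {
	pad := aes.BlockSize - len(clear)%aes.BlockSize
	buf := append([]byte(clear), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(pbeCipher(initialKey, salt, iter), iv).CryptBlocks(buf, buf)
	return "MASK-" + base64.StdEncoding.EncodeToString(buf)
}

// Unmask reverses Mask; a wrong key, IV, salt or iteration fails the padding check instead of returning garbage.
func Unmask(initialKey string, iv []byte, salt string, iter int, masked string) (string, error) {
	buf, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(masked, "MASK-"))
	if err != nil || !strings.HasPrefix(masked, "MASK-") || len(buf) == 0 || len(buf)%aes.BlockSize != 0 {
		return "", errors.New("malformed masked value")
	}
	cipher.NewCBCDecrypter(pbeCipher(initialKey, salt, iter), iv).CryptBlocks(buf, buf)
	pad := int(buf[len(buf)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(buf[len(buf)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("wrong initial key, IV, salt or iteration count")
	}
	return string(buf[:len(buf)-pad]), nil
}
```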
Create better way of masking passwords using modern PBE algorithm
-----------------------------------------------------------------
Key: ELY-1189
URL:
https://issues.jboss.org/browse/ELY-1189
Project: WildFly Elytron
Issue Type: Task
Components: Credential Store
Reporter: Peter Skopek
Assignee: Peter Skopek
Create better way of masking passwords using modern PBE algorithm.
This bug contains discussion from PR:
https://github.com/wildfly-security/wildfly-elytron/pull/619
To have this documented and the PR closed.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)