Passwords in the SSL with Jetty tutorial

Time: 2012-01-16 17:36:59

Tags: ssl jetty

In this tutorial, where do the following values come from?

  • password: OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
  • keyPassword: OBF:1u2u1wml1z7s1z7a1wnl1u2g
  • trustPassword: OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4

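4 answers:

Answer 0: (score: 14)

The passwords prefixed with OBF: come from Jetty's own system for obfuscating passwords. There is more documentation here: http://wiki.eclipse.org/Jetty/Howto/Secure_Passwords

Note that this is obfuscation, not encryption. It only prevents a human from reading the password quickly:

"In some cases such as keystore passwords and digest authentication, the system must retrieve the original password, which requires the obfuscation method. The drawback of the obfuscation algorithm is that it protects passwords from casual viewing only."

You could also put them in clear text; it wouldn't change much.

In this case, password, keyPassword and trustPassword are respectively the keystore password, the key password (which should be optional if it is the same as the keystore password) and the truststore password. These are the ones you set when you created these keystores.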
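To show what "obfuscation, not encryption" means for a configuration review, here is an added example (not part of the original answers or of Jetty's code) that scans a constructed jetty-ssl.xml fragment and flags every password attribute whose value can be recovered from the file alone. The `decode_obf`, `classify` and `audit` helpers and the sample fragment are assumptions of this example; the two OBF: values are the ones quoted in the question, and only the lowercase base-36 form used on this page is handled.

```python
import re

# Constructed jetty-ssl.xml fragment; the two OBF: values are the ones quoted in the question.
SAMPLE_CONFIG = """\
<Set name="password">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
<Set name="keyPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
<Set name="trustPassword">example-cleartext</Set>
<Set name="port">8443</Set>
"""

SET_RE = re.compile(r'<Set\s+name="([^"]*password[^"]*)"\s*>([^<]*)</Set>', re.I)
OBF_RE = re.compile(r'(?:[0-9a-z]{4})+\Z')

def decode_obf(body):
    """Reverse the OBF encoding (text after 'OBF:'); None if it is not valid."""
    if not OBF_RE.match(body):
        return None
    chars = []
    for i in range(0, len(body), 4):
        i1, i2 = divmod(int(body[i:i + 4], 36), 256)
        doubled = i1 + i2 - 254  # equals 2 * byte for a well-formed group
        if doubled % 2 or not 0 <= doubled // 2 < 128:
            return None
        chars.append(chr(doubled // 2))
    return "".join(chars)

def classify(value):
    """Return (scheme, recoverable_from_file_alone, note) for one stored value."""
    value = value.strip()
    if value.startswith("OBF:"):
        plain = decode_obf(value[4:])
        if plain is None:
            return ("OBF", False, "malformed OBF value")
        return ("OBF", True, "reversible encoding, %d-character password" % len(plain))
    if value.startswith(("MD5:", "CRYPT:")):
        return (value.split(":", 1)[0], False, "one-way hash")
    return ("CLEAR", True, "stored in clear text")

def audit(config_text):
    """List (line, attribute, scheme, recoverable, note) for password attributes."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for name, value in SET_RE.findall(line):
            findings.append((lineno, name) + classify(value))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("line %d: %-13s %-5s recoverable=%-5s %s" % finding)
```

The report prints only the scheme and password length, so the audit output does not itself become another copy of the secret.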

Answer 1: (score: 13)

Someone (ack_ of the Norn Iron Hacker Scene) made a Python script to reverse the Jetty password obfuscation. Useful when you need to export the keystore to other programs.

# Jetty Deobfuscation Tool
from __future__ import print_function
import sys

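def deobfuscate_jetty(ciphertext):
    # Accept the value with or without its "OBF:" prefix.
    if ciphertext.startswith("OBF:"):
        ciphertext = ciphertext[4:]
    plaintext = ""
    # Each plaintext character is stored as four base-36 digits.
    for i in range(0, len(ciphertext), 4):
        t = ciphertext[i:i + 4]
        i0 = int(t, 36)
        i1, i2 = divmod(i0, 256)
        # i1 = 127 + b1 + b2 and i2 = 127 + b1 - b2, so b1 = (i1 + i2 - 254) / 2
        x = (i1 + i2 - 254) >> 1
        plaintext += chr(x)
    return plaintext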

if __name__ == '__main__':
    if len(sys.argv) == 2:
        print(deobfuscate_jetty(sys.argv[1]))
    else:
        print("Jetty Deobfuscation Tool v1.0")
        print("%s <string>" % sys.argv[0])
        sys.exit(1)

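Answer 2: (score: 3)

This was driving me a bit crazy. Here is a script that can be used to generate the various passwords. The script works with this particular version of Jetty: jetty-hightide-8.1.10.v20130312, but it can be modified via the JETTY_VER variable.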

jetty-passwd.sh

#!/bin/bash

# url: http://wiki.eclipse.org/Jetty/Howto/Secure_Passwords
# set -x

if [ $# -ne 2 ]; then
  echo -e "\nUSAGE: $(basename "$0"): <user> <password>\n"
  exit 1
fi

JETTY_VER=8.1.10.v20130312
JETTY_HOME=/opt/jetty-hightide-$JETTY_VER
# Quote the arguments so passwords containing spaces or shell metacharacters are passed intact.
java -cp "$JETTY_HOME/lib/jetty-util-${JETTY_VER}.jar" org.eclipse.jetty.util.security.Password "$1" "$2"

Example run

% ./jetty-passwd.sh me blah
blah
OBF:1t2x1toq1to41t39
MD5:6f1ed002ab5595859014ebf0951522d9
CRYPT:me/DjMjPzbKG.

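Answer 3: (score: 0)

The following function is an ES6 port of Thilo's Python function. It can be used to obfuscate passwords on a Node server.

I also added an obfuscation method that I adapted from: arthepsy/deobf/jetty.obf.py

In addition, I added some mocha / chai tests that run through random passwords to verify that the obfuscate / deobfuscate methods are symmetric.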

const
  clipText = (str, length) => `${str.slice(0, length)}…`,
  fill = (size, fn) => new Array(size).fill(0).map((_, i) => fn ? fn(i) : i);

/** test.js */
const main = () => {
  const
    generator = new PasswordGenerator({ symbols: true, length: 16 }),
    passwords = fill(100, () => generator.next());

  mocha.setup('bdd');
  chai.should();

  describe('Test JettyUtil', () =>
    passwords.forEach(pw => {
      const
        ciphertext = JettyUtil.obfuscate(pw),
        plaintext  = JettyUtil.deobfuscate(ciphertext);
      it(clipText(`${pw} → ${ciphertext}`, 64), () =>
        pw.should.equal(plaintext))
    }));

  mocha.run();
};

/** jetty-util.js */
const
  OBF_PREFIX = 'OBF:',
  divmod = (m, n) => [ Math.trunc(m / n), m % n ],
  unpack = (str) => str.split('').map(c => c.charCodeAt(0) & 0xFF),
  chunk = (str, size) => str.match(new RegExp(`.{1,${size}}`, 'g'));

class JettyUtil {
  static deobfuscate(ciphertext) {
    return chunk(ciphertext.slice(OBF_PREFIX.length), 4)
      .reduce((plaintext, i0) => {
        const [ i1, i2 ] = divmod(parseInt(i0, 36), 256);
        return plaintext + String.fromCharCode((i1 + i2 - 254) >> 1);
      }, '');
  }
  static obfuscate(plaintext) {
    return unpack(plaintext).reduce((ciphertext, b1, index, bytes) => {
      const b2 = bytes[bytes.length - (index + 1)],
        [ i1, i2 ] = [ 127 + b1 + b2, 127 + b1 - b2 ];
      return ciphertext + (i1 * 256 + i2).toString(36).padStart(4, '0');
    }, OBF_PREFIX);
  }
}
// export default JettyUtil;


/** password-generator.js */
const Alphabet = {
  UPPERCASE : 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  LOWERCASE : 'abcdefghijklmnopqrstuvwxyz',
  NUMBERS   : '0123456789',
  SYMBOLS   : ' !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
};

class PasswordGenerator {
  constructor(config) {
    this.opts = { ...PasswordGenerator.defaultOptions, ...config };
    this.alphabet = Object.entries(this.opts)
      .map(([k, v]) => v === true ? Alphabet[k.toUpperCase()] : null)
      .filter(v => v != null)
      .join('');
  }
  next() {
    return fill(this.opts.length, () => rando(this.alphabet)).join('');
  }
}

PasswordGenerator.defaultOptions = {
  uppercase : true,
  lowercase : true,
  numbers   : true,
  symbols   : false,
  length    : 12
};

// export default PasswordGenerator;

main();
.as-console-wrapper { top: 0; max-height: 100% !important; }
<script src="https://randojs.com/2.0.0.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/mocha/7.2.0/mocha.min.js"></script>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/mocha/7.2.0/mocha.css" />
<script src="https://cdnjs.cloudflare.com/ajax/libs/chai/4.2.0/chai.min.js"></script>
<div id="mocha"></div>


Here is my original response:

const divmod = (m, n) => [ ~~(m / n), m % n ];

const deobfuscate = (ciphertext) => {
  if (!ciphertext.startsWith('OBF:')) return null;
  let plaintext = '';
  for (let offset = 4; offset < ciphertext.length; offset += 4) {
    const i0 = parseInt(ciphertext.slice(offset, offset + 4), 36);
    const [ i1, i2 ] = divmod(i0, 256);
    plaintext += String.fromCharCode((i1 + i2 - 254) >> 1);
  }
  return plaintext;
};

const pwList = [
  'OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4', // storepwd
  'OBF:1u2u1wml1z7s1z7a1wnl1u2g',         // keypwd
];

pwList.forEach(pw => console.log(deobfuscate(pw)));