Does anybody know what encrypting technique is JDeveloper/SQL Developer using to persist credentials?

java oracle oracle-sqldeveloper jdeveloper
Nano Taboada picture Nano Taboada · Jun 23, 2009 · Viewed 30k times · Source

I'd be more than interesting for me to understand which technique is being used here to persist sensible data since I'm needing to implement a similar solution. Here's a sample connection configuration and the resulting exported snippet:

Oracle SQL Developer Connections 

<?xml version = '1.0' encoding = 'UTF-8'?>
    <References xmlns="http://xmlns.oracle.com/adf/jndi">
        <Reference name="My Connection" className="oracle.jdeveloper.db.adapter.DatabaseProvider" xmlns="">
        <Factory className="oracle.jdeveloper.db.adapter.DatabaseProviderFactory"/>
        <RefAddresses>
            <StringRefAddr addrType="user">
                <Contents>username</Contents>
            </StringRefAddr>
            <StringRefAddr addrType="password">
                <Contents>054D4844D8549C0DB78EE1A98FE4E085B8A484D20A81F7DCF8</Contents>
            </StringRefAddr>
        <SKIPPED />
        </RefAddresses>
    </Reference>
</References>

Any advice would be really appreciated.

Answer

Adam Paynter picture Adam Paynter · Jun 24, 2010

For the curious, what you're actually seeing is the secret key concatenated with the encrypted password. For example, I tried encrypting the password "SAILBOAT" using:

DatabaseProviderHelper.goingOut("SAILBOAT")

In this particular instance, the result was:

0527C290B40C41D71139B5E7A4446E94D7678359087249A463

The first byte is constant:

05

The next 8 bytes represent the randomly generated secret key (for the DES cipher):

27C290B40C41D711

The remaining bytes are the encrypted password:

39B5E7A4446E94D7678359087249A463

Therefore, to decrypt the password, you simply use this:

public static byte[] decryptPassword(byte[] result) throws GeneralSecurityException {
    byte constant = result[0];
    if (constant != 5) {
        throw new IllegalArgumentException();
    }

    byte[] secretKey = new byte[8];
    System.arraycopy(result, 1, secretKey, 0, 8);

    byte[] encryptedPassword = new byte[result.length - 9];
    System.arraycopy(result, 9, encryptedPassword, 0, encryptedPassword.length);

    byte[] iv = new byte[8];
    for (int i = 0; i < iv.length; i++) {
        iv[i] = 0;
    }

    Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(secretKey, "DES"), new IvParameterSpec(iv));
    return cipher.doFinal(encryptedPassword);
}

Related questions

The full pathname of a JDK installation for Oracle SQL Developer

I want to run Oracle SQL Devloper on Ubuntu with this command: sh sqldeveloper/sqldeveloper.sh Then I got this message: Type the full pathname of a JDK installation (or Ctrl-C to quit), the path will be stored in /home/…

Read More
How can I run Oracle SQL Developer on JDK 1.6 and everything else on 1.7?

How can I run Oracle SQL Developer on a version of Java it supports (1.6) while running Java 1.7 for everything else? I can install both JDK's on my system, but I'm concerned with changing environment variables and having it affect more …

Read More
Oracle SQLDeveloper on MacOS won't open after installation of correct Java

I downloaded the Oracle SQLDeveloper, but when I opened it, it said that it requires a minimum of Java 8 and gave me the website for the download. I went on and downloaded Java 10.0.1, but when I went back on to …

Read More