/birt-deconp-editor

BIRT Default Encrypted Connection Profile Editor

Primary LanguageC#MIT LicenseMIT

BIRT default encrypted connection profile editor

Tool to decypt, edit and re-encrypt BIRT Connection Profile Files (DataSource).

howto

This is a proof of concept, no final product!

Motivation

BIRT Eclipse Plugin gets less frequently updates to support the latest Library/IDE/Java Versions (there is now a Fork), slow to use, heavy setup, not as portable as single .exe file.
The Default Configuration of BIRT that is propably mostly used (enabled through a checkbox within Eclipse BIRT Plugin at File creation), uses a symmetrical device indepened encryption (key). (security by obscurity)

Research

  • Stackoverflow: Can we encrypt the BIRT Connection Profile without Eclipse IDE?
  • Eclipse Forum: encryption method for connection profile files

    The encryption is configurable but uses the java crypto packages.
    The default version has the key embedded in the plugin and is defined in the DefaultCipherProvider class in
    the DTP projects org.eclipse.datatools.connectivity project.
    It is called by the ConnectionProfileMgmt class in the same project.
    Are you using a php->java bridge?
    If so you may be able to use similar code to write these profiles.

  • Eclipse BugTracker: How BIRT Encrypts the Connection Profile file

    BIRT simply uses the built-in encryption capabilities (DefaultCipherProvider implementation) provided by DTP connectivity.
    It is triggered by the checkbox control for "Encrypt file content" in the "Export Connection Profiles" dialog.

  • Eclipse Forum: BIRT encryption algorithm - FIPS compliance

    The algorithm should not be a problem, the secret key however should be kept -ehm- secret :-)

  • Stackoverflow: BIRT report how to decrypt password from db and show

    IF you mean the DB password that is stored in the properties of a DataSource in a .rptdesign or .rptlibrary file: This is only base64-encrypted (slightly better than clear text). So decrypting it is easy.

  • Source Code
    • DTP Source Code
    • Important Files:
      • DefaultCipherProvider.java
        plugins\connectivity\org.eclipse.datatools.connectivity\src\org\eclipse\datatools\connectivity\internal\security\DefaultCipherProvider.java
      • cpkey plugins\connectivity\org.eclipse.datatools.connectivity\src\org\eclipse\datatools\connectivity\internal\security\cpkey
      • ConnectionProfileMgmt.java
        plugins\connectivity\org.eclipse.datatools.connectivity\src\org\eclipse\datatools\connectivity\internal\ConnectionProfileMgmt.java
      • ImportProfilesDialog.java
        plugins\connectivity\org.eclipse.datatools.connectivity.ui\src\org\eclipse\datatools\connectivity\internal\ui\wizards\ImportProfilesDialog.java
    • The File cpkey in imported through ObjectInputStream() and readObject().
      The SecretKeySpec is converted with generateSecret() (SecretKeyFactory) to a Class SecretKey
      • The File contains the Code Objekt (Instance) with the Key.
    • With the Help of cpkeyExampleCreate.java its possible to Create a similar File but with a known Key. The Comparison (through Hex Editor) reveals the unknown Key as the follwing: EA F1 57 FB FD F2 6E 0E 3B 9D C8 7F 16 0B 91 25 EA F1 57 FB FD F2 6E 0E
      • Example: The File cpkeyExample contains the Key Example, compaired with cpkey the Key is (cpkey24Byte.hex) based on the differences
      • Additional: loadKey() of DefaultCipherProvider uses a 24 Byte Key. (see DESedeKeySpec Constructor)

The PoC Application

  • .NET Core C# Program developed within Visual Studio Code
    • to create single .exe File (strg+shift+p -> run task -> publish)
  • internal Procedure
    • load File
    • DESede decryption with Key
    • change File Content through Editor (notepad.exe) (File Content temporarly enecrypted within Windows default Temp Folder(s))
    • DESede encryption with Key
    • overwrite File
  • User interaction
    • File Drag & Drop onto Appliction .exe
    • File Path through Application parameter
  • difficulties