Optimize cryptographic signature in Oracle part 2: Finding the lost private key by manual decompilation
Introduction
🎯 Find the lost private key.
In part 1, we discussed migrating the cryptographic signature from a Java class in Oracle Database to a PL/SQL function leveraging DBMS_CRYPTO. This resulted in a 242 times speedup of the signing process.
In this post, we will explore the challenges faced in finding the correct private key and how we eventually succeeded.
A key lesson learned is to store your secrets in a safe place.
Failure #1: Finding the lost private key in source code
The customer provides the source code of the Java class. The private key is present in the source code. Simple: use this private key in the new PL/SQL code. Well, not so simple…
After comparing the results from the two functions, the old Java one and the new PL/SQL one, we realize that the results are different. So the private key must be different. The version of the source code is not the most recent one. And the customer does not have access to the latest one with the correct private key.
Failure #2: Finding the lost private key in automatically decompiled Java class
Same player, try again. We now try to identify the private key by decompiling the Java class. The Java class is stored in the Oracle database.
First, we export with the following PL/SQL code:
CREATE OR REPLACE DIRECTORY OUT_DIR AS '/tmp';
CREATE OR REPLACE PROCEDURE EXTRACT_CLASS_TO_FILE (classname IN VARCHAR2, outclassname IN VARCHAR2) IS
v_blob BLOB;
blob_length INTEGER;
out_file UTL_FILE.FILE_TYPE;
v_buffer RAW(32767);
chunk_size BINARY_INTEGER := 32767;
blob_position INTEGER := 1;
BEGIN
dbms_lob.createtemporary(v_blob, TRUE);
dbms_java.export_class(classname, 'MY_OWNER', v_blob);
blob_length := DBMS_LOB.GETLENGTH(v_blob);
DBMS_OUTPUT.PUT_LINE('Length of the blob/class: ' || blob_length);
out_file := UTL_FILE.FOPEN('OUT_DIR', outclassname, 'wb', chunk_size);
-- Write the BLOB to file in chunks
WHILE blob_position <= blob_length LOOP
IF blob_position + chunk_size - 1 > blob_length THEN
chunk_size := blob_length - blob_position + 1;
END IF;
DBMS_LOB.READ(v_blob, chunk_size, blob_position, v_buffer);
UTL_FILE.PUT_RAW(out_file, v_buffer, TRUE);
blob_position := blob_position + chunk_size;
END LOOP;
-- Close the file handle
UTL_FILE.FCLOSE(out_file);
END;
/
EXEC EXTRACT_CLASS_TO_FILE('SignMessage', 'SignMessage.class');
Second we retrieve the SignMessage.class from the server.
Third we decompile it using a Java decompiler. This generates the Java source code, with the key in the file.
But when we use that key in the PL/SQL code, it fails with an obscure error code. After trying a few times, we come to the conclusion that the key is incorrect.
Success: Finding the lost private key in manually decompiled Java class
Finally, we take a pass at manually decompiling the Java class.
What do I mean by that? It means looking at the byte code of the class directly. We experimented with byte arrays. We compiled simple byte arrays and decompiled the compiled version. Then, we realized that the way the zero value is encoded in the byte array is different in different versions of the Java class. Indeed, by looking at the automatically decompiled Java class, we found that there was not a single zero value byte in the array. After carefully examining the byte array in the Java class, we were able to find the lost zero in the key array and thus find the lost private key.
Takeaways: Store your secrets in a safe place
It is a best practice of modern application development and operations to store secrets securely. Those secrets include sensitive information such as API keys, passwords, and certificates. Dedicated tools for that purpose are HashiCorp Vault, Oracle Key Vault, Oracle Cloud Infrastructure Vault, or Oracle Wallet. These solutions offer robust encryption, granular access controls, and automated secret rotation, reducing the risk of unauthorized access and data breaches. Avoid hardcoding secrets in your codebase or storing them in configuration files. Instead, integrate these vaults with your applications. This approach ensures compliance, enhances security, and simplifies secret management at scale.