Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


ssoDecrypt is a small tool for decrypting Oracle (local) autologin wallets (cwallet.sso). Only 11g wallets are currently supported.

Oracle autologin wallets are integrated in several Oracle productions and used for

  • Certificates (HTTP Server, Internet Directory, ... )
  • Secure External Password Store
  • Advanced Security Option (ASO)
  • ...



  1. Patch JRE with JCE Unlimited Strength Jurisdiction Policy

  2. Download PoC from (see "oks" requirement) and copy the content of the "oks" folder into ssoDecryptor/libs/

  3. Compile

    javac -cp .:libs/:libs/bcprov-jdk16-145.jar
  4. Run:

    ./ /path/to/cwallet.sso [ ]

The username and hostnames arguments are for the local SSO wallet (see "Background" for more infos).

Convert SSO Wallet to a normal PKCS#12 file

The SSO wallet key in raw format should be written into a file (cwallet.key) to be binary safe.

Get key and copy cwallet.sso to newP12wallet.p12 without SSO header (first 77 bytes):

[oracle@server ~]$ ./ /path/to/cwallet.sso
sso key: 7f76ebcc0b326c81
sso secret: 52d76a43e5dd847053cdeb0f1dd3ed6a8d1bead0c0de9747
obfuscated password: 07344b6c491f24470956332c68164657
p12 password (hex): 37472315037178586d7728675d677c73

[oracle@server ~]$ echo 37472315037178586d7728675d677c73 | xxd -p -r > cwallet.key 
[oracle@server ~]$ dd if=/path/to/cwallet.sso of=newP12wallet.p12 bs=1 skip=77
[oracle@server ~]$ openssl pkcs12 -in newP12wallet.p12 -nodes -passin file:cwallet.key 
MAC verified OK

Then change the password of the new PKCS#12 wallet

[oracle@server ~]$ orapki wallet change_pwd -wallet newP12wallet.p12 -oldpwd `cat cwallet.key` -newpwd test1234
[oracle@server ~]$ openssl pkcs12 -in newP12wallet.p12 -nodes -passin pass:test1234
MAC verified OK


File structure of 11g cwallet.sso

0x00 - 0x4C     Header:
    0x00 - 0x02     First 3 bytes are always A1 F8 4E (wallet recognition?!)
    0x03            Type = SSO: 36; LSSO: 38
    0x04 - 0x06     00 00 00
    0x07            Version (10g: 05; 11g:  06)
    0x08 - 0x0A     00 00 00
    0x0B - 0x0C     11g: always the same (41 35)
    0x0D - 0x1C     DES key
    0x1D - 0x4C     DES secret (DES -> CBC -> PKCS7 padding) which contains the PKCS#12 password
0x4D - EOF      PKCS#12 data (ASN.1 block)

Local SSO wallet

In the local SSO wallet version (-auto_login_local), the decrypted DES secret is a message which needs to be hashed (HMAC SHA1) with a key to get the actual PKCS#12 password. This key is made up of username and hostname of the corresponding system where the wallet was created. If the key is unknown it is not possible to open the local SSO wallet.


🔓 Decrypts Oracle autologin wallets



No packages published


You can’t perform that action at this time.