Commit 2d0671c6 authored by michael.simon's avatar michael.simon
Browse files

Apply salt to hashed passwords

parent c93a9394
......@@ -3,8 +3,11 @@ package edu.kit.scc.webreg.service.reg;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
......@@ -14,16 +17,31 @@ import org.slf4j.Logger;
@ApplicationScoped
public class PasswordUtil {
public static final int SALT_LENGTH = 8;
@Inject
private Logger logger;
private Random random;
@PostConstruct
public void init() {
logger.info("Initializing PasswordUtil");
random = new SecureRandom();
}
public String generatePassword(String hashMethod, String password)
throws NoSuchAlgorithmException, UnsupportedEncodingException {
MessageDigest md = MessageDigest.getInstance(hashMethod);
byte[] bytes = password.getBytes(("UTF-8"));
byte[] pwBytes = password.getBytes(("UTF-8"));
byte[] salt = generateSalt();
byte[] bytes = new byte[pwBytes.length + salt.length];
System.arraycopy(pwBytes, 0, bytes, 0, pwBytes.length);
System.arraycopy(salt, 0, bytes, pwBytes.length, salt.length);
md.update(bytes);
byte[] digest = md.digest();
String hash = "{" + hashMethod + "|" + new String(Base64.encodeBase64(digest)) + "}";
String hash = "{" + hashMethod + "|" + new String(Base64.encodeBase64(digest)) +
"|" + new String(Base64.encodeBase64(salt)) + "}";
return hash;
}
......@@ -33,6 +51,9 @@ public class PasswordUtil {
if (hashMethod == null)
return Boolean.FALSE;
/*
* SSHA is the ApacheDS Method. Password hash is fixed length, salt is appended
*/
if (hashMethod.equals("SSHA")) {
String hashPasswordBlank = getPassword(hashPassword);
byte[] pwAndSalt = Base64.decodeBase64(hashPasswordBlank);
......@@ -61,21 +82,48 @@ public class PasswordUtil {
return Boolean.FALSE;
}
}
/*
* Own method, salt is appended base64 encoded after a pipe sign
*/
else {
String comparePassword;
try {
comparePassword = generatePassword(hashMethod, plainPassword);
String saltString = getSalt(hashPassword);
String hashPasswordBlank = getPassword(hashPassword);
byte[] pwBytes = plainPassword.getBytes(("UTF-8"));
byte[] salt = Base64.decodeBase64(saltString);
byte[] bytes = new byte[pwBytes.length + salt.length];
System.arraycopy(pwBytes, 0, bytes, 0, pwBytes.length);
System.arraycopy(salt, 0, bytes, pwBytes.length, salt.length);
MessageDigest md = MessageDigest.getInstance(hashMethod);
md.update(bytes);
byte[] digest = md.digest();
byte[] hashPasswordBytes = Base64.decodeBase64(hashPasswordBlank);
return Arrays.equals(hashPasswordBytes, digest);
} catch (NoSuchAlgorithmException | UnsupportedEncodingException e) {
logger.warn("No Algo found", e);
return Boolean.FALSE;
}
return comparePassword.equals(hashPassword);
}
}
private String getSalt(String hashPassword) {
if (hashPassword.matches("^\\{(.+)\\|(.+)\\|(.+)\\}$")) {
return hashPassword.replaceAll("^\\{(.+)\\|(.+)\\|(.+)\\}$", "$3");
}
else if (hashPassword.matches("^\\{(.+)\\}(.+)$")) {
return hashPassword.replaceAll("^\\{(.+)\\}(.+)$", "$2");
}
else
return null;
}
private String getPassword(String hashPassword) {
if (hashPassword.matches("^\\{(.+)\\|(.+)\\}$")) {
return hashPassword.replaceAll("^\\{(.+)\\|(.+)\\}$", "$2");
if (hashPassword.matches("^\\{(.+)\\|(.+)\\|(.+)\\}$")) {
return hashPassword.replaceAll("^\\{(.+)\\|(.+)\\|(.+)\\}$", "$2");
}
else if (hashPassword.matches("^\\{(.+)\\}(.+)$")) {
return hashPassword.replaceAll("^\\{(.+)\\}(.+)$", "$2");
......@@ -85,8 +133,8 @@ public class PasswordUtil {
}
private String getHashMethod(String hashPassword) {
if (hashPassword.matches("^\\{(.+)\\|(.+)\\}$")) {
return hashPassword.replaceAll("^\\{(.+)\\|(.+)\\}$", "$1");
if (hashPassword.matches("^\\{(.+)\\|(.+)\\|(.+)\\}$")) {
return hashPassword.replaceAll("^\\{(.+)\\|(.+)\\|(.+)\\}$", "$1");
}
else if (hashPassword.matches("^\\{(.+)\\}(.+)$")) {
return hashPassword.replaceAll("^\\{(.+)\\}(.+)$", "$1");
......@@ -94,4 +142,10 @@ public class PasswordUtil {
else
return null;
}
private byte[] generateSalt() {
byte[] salt = new byte[SALT_LENGTH];
random.nextBytes(salt);
return salt;
}
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment