Author: doogie
Date: Fri May 4 20:42:26 2012
New Revision: 1334170
URL: http://svn.apache.org/viewvc?rev=1334170&view=rev
Log:
FEATURE/DEPRECATION: Deprecate HashCrypt.cryptPassword; previously, it would call String.getBytes(), without specifying an encoding. That meant that the platform default encoding would be used, which might change between different installs (if someone changed an environment variable, for instance). Now, there are explicit variants to be called. When creating a new value, use cryptValueUTF8. If, for some reason, calling code is doing its own comparison, it must continue to use cryptValueBytes(password.getBytes()).
Modified:
ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java
ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java
ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/Main.java
ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LdapAuthenticationServices.java
ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
ofbiz/trunk/specialpurpose/ldap/src/org/ofbiz/ldap/commons/AbstractOFBizAuthenticationHandler.java
Modified: ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java?rev=1334170&r1=1334169&r2=1334170&view=diff
==============================================================================
--- ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java (original)
+++ ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java Fri May 4 20:42:26 2012
@@ -212,7 +212,7 @@ public class LoginEvents {
 if (useEncryption) {
 // password encrypted, can't send, generate new password and email to user
 passwordToSend = RandomStringUtils.randomAlphanumeric(Integer.parseInt(UtilProperties.getPropertyValue("security", "password.length.min", "5")));
- supposedUserLogin.set("currentPassword", HashCrypt.cryptPassword(LoginServices.getHashType(), null, passwordToSend));
+ supposedUserLogin.set("currentPassword", HashCrypt.cryptUTF8(LoginServices.getHashType(), null, passwordToSend));
 supposedUserLogin.set("passwordHint", "Auto-Generated Password");
 if ("true".equals(UtilProperties.getPropertyValue("security.properties", "password.email_password.require_password_change"))){
 supposedUserLogin.set("requirePasswordChange", "Y");
Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java?rev=1334170&r1=1334169&r2=1334170&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java (original)
+++ ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java Fri May 4 20:42:26 2012
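Review bot: The value hashed on the changed line is a reset password generated two lines above by `RandomStringUtils.randomAlphanumeric`, whose length falls back to `"5"` when `password.length.min` is unset, and the comment on the hunk says that password is then e-mailed to the user, so it is the whole account secret until it is changed. As far as I know that commons-lang helper draws from a shared `java.util.Random` rather than `SecureRandom`, and a five-character alphanumeric string is guessable regardless of the generator, so the temporary password should come from a `SecureRandom` (commons-lang offers an overload of `random` that accepts a `java.util.Random` instance) with a length chosen for reset tokens rather than the login minimum, e.g. `Math.max(minLen, 12)`. The method enclosing this hunk starts and ends outside it.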
@@ -100,7 +100,27 @@ public class HashCrypt {
 return hashed.equals(new String(digestChars));
 }
+ /*
+ * @deprecated use cryptBytes(hashType, salt, password); eventually, use
+ * cryptUTF8(hashType, salt, password) after all existing installs are
+ * salt-based. If the call-site of cryptPassword is just used to create a *new*
+ * value, then you can switch to cryptUTF8 directly.
+ */
+ @Deprecated
 public static String cryptPassword(String hashType, String salt, String password) {
+ // FIXME: should have been getBytes("UTF-8") originally
+ return password != null ? cryptBytes(hashType, salt, password.getBytes()) : null;
+ }
+
+ public static String cryptUTF8(String hashType, String salt, String value) {
+ return value != null ? cryptBytes(hashType, salt, value.getBytes(UTF8)) : null;
+ }
+
+ public static String cryptValue(String hashType, String salt, String value) {
+ return value != null ? cryptBytes(hashType, salt, value.getBytes()) : null;
+ }
+
+ public static String cryptBytes(String hashType, String salt, byte[] bytes) {
 if (hashType == null) {
 hashType = "SHA";
 }
@@ -109,7 +129,7 @@ public class HashCrypt {
 }
 StringBuilder sb = new StringBuilder();
 sb.append("$").append(hashType).append("$").append(salt).append("$");
- sb.append(getCryptedBytes(hashType, salt, password.getBytes(UTF8)));
+ sb.append(getCryptedBytes(hashType, salt, bytes));
 return sb.toString();
 }
Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/Main.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/Main.java?rev=1334170&r1=1334169&r2=1334170&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/Main.java (original)
+++ ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/Main.java Fri May 4 20:42:26 2012
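Review bot: `cryptValue`, added undeprecated in this hunk, still hashes `value.getBytes()` with the platform default charset — the very install-dependent behaviour the commit log says it is removing — and nothing documents when a caller should pick it over `cryptUTF8`; either drop it or give it the same `@Deprecated` treatment with a Javadoc `@deprecated` pointing at `cryptUTF8`. The deprecation comment on `cryptPassword` is a plain `/* */` block, so its `@deprecated` tag never reaches javadoc and users of the `@Deprecated` method get no explanation; make it `/** ... */`. Note also that the removed line in the second hunk shows the old `cryptPassword` already hashing `password.getBytes(UTF8)`, whereas the new deprecated shim hashes `password.getBytes()`, so on a non-UTF-8 platform a non-ASCII password now yields a different hash from the one the old code stored — if the `UTF8` constant was itself a recent unreleased change the FIXME should say so, otherwise the shim should keep `getBytes(UTF8)`. The commit log's `cryptValueUTF8`/`cryptValueBytes` do not match the `cryptUTF8`/`cryptBytes` actually defined here. The comparison method whose `return hashed.equals(...)` opens the hunk starts outside it.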
@@ -21,7 +21,7 @@ package org.ofbiz.base.crypto;
 public class Main {
 public static void main(String[] args) throws Exception {
 if (args[0].equals("-crypt")) {
- System.out.println(HashCrypt.cryptPassword(args[1], null, args[2]));
+ System.out.println(HashCrypt.cryptUTF8(args[1], null, args[2]));
 } else if (args[0].equals("-digest")) {
 @SuppressWarnings("deprecation")
 String digest = HashCrypt.getDigestHash(args[1]);
Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LdapAuthenticationServices.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LdapAuthenticationServices.java?rev=1334170&r1=1334169&r2=1334170&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LdapAuthenticationServices.java (original)
+++ ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LdapAuthenticationServices.java Fri May 4 20:42:26 2012
@@ -103,7 +103,7 @@ public class LdapAuthenticationServices
 }
 if (!samePassword) {
 Debug.logVerbose("Starting password synchronization", module);
- userLogin.set("currentPassword", useEncryption ? HashCrypt.cryptPassword(LoginServices.getHashType(), null, password) : password, false);
+ userLogin.set("currentPassword", useEncryption ? HashCrypt.cryptUTF8(LoginServices.getHashType(), null, password) : password, false);
 Transaction parentTx = null;
 boolean beganTransaction = false;
 try {
Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=1334170&r1=1334169&r2=1334170&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java (original)
+++ ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java Fri May 4 20:42:26 2012
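Review bot: The changed line hashes `args[2]`, so the secret arrives on the command line, where it is recorded in shell history and readable by other local users through the process table for as long as the JVM runs; when `args.length < 3` the tool could instead prompt with `System.console().readPassword()`. The hunk also dereferences `args[0]` through `args[2]` without any length check, so a missing argument surfaces as an ArrayIndexOutOfBoundsException rather than a usage message. `main` continues past the end of the hunk.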
@@ -456,7 +456,7 @@ public class LoginServices {
 // save this password in history
 GenericValue userLoginPwdHistToCreate = delegator.makeValue("UserLoginPasswordHistory", UtilMisc.toMap("userLoginId", userLoginId,"fromDate", nowTimestamp));
 boolean useEncryption = "true".equals(UtilProperties.getPropertyValue("security.properties", "password.encrypt"));
- userLoginPwdHistToCreate.set("currentPassword", useEncryption ? HashCrypt.cryptPassword(getHashType(), null, currentPassword) : currentPassword);
+ userLoginPwdHistToCreate.set("currentPassword", useEncryption ? HashCrypt.cryptUTF8(getHashType(), null, currentPassword) : currentPassword);
 userLoginPwdHistToCreate.create();
 }
@@ -520,7 +520,7 @@ public class LoginServices {
 userLoginToCreate.set("passwordHint", passwordHint);
 userLoginToCreate.set("enabled", enabled);
 userLoginToCreate.set("requirePasswordChange", requirePasswordChange);
- userLoginToCreate.set("currentPassword", useEncryption ? HashCrypt.cryptPassword(getHashType(), null, currentPassword) : currentPassword);
+ userLoginToCreate.set("currentPassword", useEncryption ? HashCrypt.cryptUTF8(getHashType(), null, currentPassword) : currentPassword);
 try {
 userLoginToCreate.set("partyId", partyId);
 } catch (Exception e) {
@@ -672,7 +672,7 @@ public class LoginServices {
 return ServiceUtil.returnError(errMsg);
 }
 } else {
- userLoginToUpdate.set("currentPassword", useEncryption ? HashCrypt.cryptPassword(getHashType(), null, newPassword) : newPassword, false);
+ userLoginToUpdate.set("currentPassword", useEncryption ? HashCrypt.cryptUTF8(getHashType(), null, newPassword) : newPassword, false);
 userLoginToUpdate.set("passwordHint", passwordHint, false);
 userLoginToUpdate.set("requirePasswordChange", "N");
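Review bot: The expression `useEncryption ? HashCrypt.cryptUTF8(getHashType(), null, x) : x` now appears verbatim in all three hunks of this file (history row, new login, password update) and again in the LDAP callers, so the storage policy — hash with the configured type and a null salt, or store the clear-text password when `password.encrypt` is off — lives in six call sites that must all be edited together the next time it changes. A one-line helper in `LoginServices`, e.g. `static String passwordForStorage(boolean useEncryption, String password) { return useEncryption ? HashCrypt.cryptUTF8(getHashType(), null, password) : password; }`, would give the policy a single home and one place to document that the clear-text branch exists. Each of the three methods touched here starts and ends outside its hunk.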
@@ -925,7 +925,8 @@ public class LoginServices {
 Delegator delegator = userLogin.getDelegator();
 String newPasswordHash = newPassword;
 if (useEncryption) {
- newPasswordHash = HashCrypt.cryptPassword(getHashType(), null, newPassword);
+ // FIXME: switching to salt-based hashing breaks this history lookup below
+ newPasswordHash = HashCrypt.cryptUTF8(getHashType(), null, newPassword);
 }
 try {
 List<GenericValue> pwdHistList = delegator.findByAnd("UserLoginPasswordHistory", UtilMisc.toMap("userLoginId",userLogin.getString("userLoginId"),"currentPassword",newPasswordHash));
Modified: ofbiz/trunk/specialpurpose/ldap/src/org/ofbiz/ldap/commons/AbstractOFBizAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ldap/src/org/ofbiz/ldap/commons/AbstractOFBizAuthenticationHandler.java?rev=1334170&r1=1334169&r2=1334170&view=diff
==============================================================================
--- ofbiz/trunk/specialpurpose/ldap/src/org/ofbiz/ldap/commons/AbstractOFBizAuthenticationHandler.java (original)
+++ ofbiz/trunk/specialpurpose/ldap/src/org/ofbiz/ldap/commons/AbstractOFBizAuthenticationHandler.java Fri May 4 20:42:26 2012
@@ -101,7 +101,7 @@ public abstract class AbstractOFBizAuthe
 userLoginToCreate.set("passwordHint", "");
 userLoginToCreate.set("enabled", "Y");
 userLoginToCreate.set("partyId", getPartyId(rootElement, result));
- userLoginToCreate.set("currentPassword", useEncryption ? HashCrypt.cryptPassword(LoginServices.getHashType(), null, password) : password);
+ userLoginToCreate.set("currentPassword", useEncryption ? HashCrypt.cryptUTF8(LoginServices.getHashType(), null, password) : password);
 GenericValue userTryToLogin = delegator.findOne("UserLogin", false, "userLoginId", username);
 if (userTryToLogin == null) {
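Review bot: The history check at the bottom of the hunk queries `UserLoginPasswordHistory` by equality on `newPasswordHash`, but `cryptUTF8(getHashType(), null, newPassword)` is called with a null salt, and the new FIXME concedes that once a salt is generated per call the hash never matches a stored row — so the password-reuse check silently passes, which is a security regression rather than a cosmetic one and should not ship behind a FIXME. Instead of hashing first and querying by hash, load the user's history rows by `userLoginId` alone and re-hash the candidate with each stored row's own salt, which `cryptBytes` embeds in the `$hashType$salt$hash` string it builds (this assumes a caller-supplied salt is used as-is, as the second HashCrypt hunk suggests — confirm), falling back to plain equality when `useEncryption` is false. The enclosing method starts before and continues after this hunk, so the loop that already consumes `pwdHistList` will need the same adjustment.
```java
// … unchanged: delegator lookup …
try {
    List<GenericValue> pwdHistList = delegator.findByAnd("UserLoginPasswordHistory",
            UtilMisc.toMap("userLoginId", userLogin.getString("userLoginId")));
    for (GenericValue pwdHist : pwdHistList) {
        String stored = pwdHist.getString("currentPassword");
        boolean reused;
        if (useEncryption && stored != null && stored.startsWith("$")) {
            // stored form is "$hashType$salt$hash" (see HashCrypt.cryptBytes); re-hash the
            // candidate under the stored salt so a per-call salt cannot mask a reuse
            String[] parts = stored.split("\\$", 4);   // "", hashType, salt, hash
            reused = parts.length == 4
                    && stored.equals(HashCrypt.cryptUTF8(parts[1], parts[2], newPassword));
        } else {
            reused = newPassword.equals(stored);
        }
        // … unchanged: existing handling when a reused password is found …
    }
```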
@@ -119,7 +119,7 @@ public abstract class AbstractOFBizAuthe
 throw new GenericEntityException(e.getLocalizedMessage());
 }
 } else {
- userTryToLogin.setString("currentPassword", useEncryption ? HashCrypt.cryptPassword(LoginServices.getHashType(), null, password) : password);
+ userTryToLogin.setString("currentPassword", useEncryption ? HashCrypt.cryptUTF8(LoginServices.getHashType(), null, password) : password);
 userTryToLogin.store();
 } |