svn commit: r1773066 - in /ofbiz/trunk/framework: base/src/main/java/org/apache/ofbiz/base/crypto/HashCrypt.java security/config/security.properties security/data/PasswordSecurityDemoData.xml

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

svn commit: r1773066 - in /ofbiz/trunk/framework: base/src/main/java/org/apache/ofbiz/base/crypto/HashCrypt.java security/config/security.properties security/data/PasswordSecurityDemoData.xml

shijh
Author: shijh
Date: Wed Dec  7 12:45:15 2016
New Revision: 1773066

URL: http://svn.apache.org/viewvc?rev=1773066&view=rev
Log:
Improved: LoginWorker HashCrypt the type of hash for one-way encryption
(OFBIZ-8537)

Committed wangjunyuan's new patch.

Thanks: wangjunyuan for the new patch to make the PBKDF2 hashed password comply with RFC 6070, the feedbacks of Jacques and Nicolas on the previous patch.

Modified:
    ofbiz/trunk/framework/base/src/main/java/org/apache/ofbiz/base/crypto/HashCrypt.java
    ofbiz/trunk/framework/security/config/security.properties
    ofbiz/trunk/framework/security/data/PasswordSecurityDemoData.xml

Modified: ofbiz/trunk/framework/base/src/main/java/org/apache/ofbiz/base/crypto/HashCrypt.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/main/java/org/apache/ofbiz/base/crypto/HashCrypt.java?rev=1773066&r1=1773065&r2=1773066&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/main/java/org/apache/ofbiz/base/crypto/HashCrypt.java (original)
+++ ofbiz/trunk/framework/base/src/main/java/org/apache/ofbiz/base/crypto/HashCrypt.java Wed Dec  7 12:45:15 2016
@@ -46,15 +46,11 @@ public class HashCrypt {
     public static final String module = HashCrypt.class.getName();
     public static final String CRYPT_CHAR_SET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";
 
-    private static final String PBKDF2_SHA1 ="pbkdf2_sha1";
-    
-    private static final String PBKDF2_SHA256 ="pbkdf2_sha256";
-    
-    private static final String PBKDF2_SHA384 ="pbkdf2_sha384";
-    
-    private static final String PBKDF2_SHA512 ="pbkdf2_sha512";
-
-    private static final int PBKDF2_ITERATIONS = UtilProperties.getPropertyAsInteger("security.properties", "password.encrypt.pbkdf2.iterations", 1000);
+    private static final String PBKDF2_SHA1 ="PBKDF2-SHA1";
+    private static final String PBKDF2_SHA256 ="PBKDF2-SHA256";
+    private static final String PBKDF2_SHA384 ="PBKDF2-SHA384";
+    private static final String PBKDF2_SHA512 ="PBKDF2-SHA512";
+    private static final int PBKDF2_ITERATIONS = UtilProperties.getPropertyAsInteger("security.properties", "password.encrypt.pbkdf2.iterations", 10000);
     
     public static MessageDigest getMessageDigest(String type) {
         try {
@@ -65,13 +61,13 @@ public class HashCrypt {
     }
 
     public static boolean comparePassword(String crypted, String defaultCrypt, String password) {
-        if (crypted.startsWith("{")) {
+     if (crypted.startsWith("{PBKDF2")) {
+            return doComparePbkdf2(crypted, password);
+     } else if (crypted.startsWith("{")) {
             // FIXME: should have been getBytes("UTF-8") originally
             return doCompareTypePrefix(crypted, defaultCrypt, password.getBytes());
         } else if (crypted.startsWith("$")) {
             return doComparePosix(crypted, defaultCrypt, password.getBytes(UtilIO.getUtf8()));
-        } else if (crypted.startsWith("pbkdf2")) {
-            return doComparePbkdf2(crypted, password);
         } else {
             // FIXME: should have been getBytes("UTF-8") originally
             return doCompareBare(crypted, defaultCrypt, password.getBytes());
@@ -194,7 +190,12 @@ public class HashCrypt {
                 default:
                     pbkdf2Type = PBKDF2_SHA1;
             }
-            return pbkdf2Type + "$" + PBKDF2_ITERATIONS + "$" + salt + "$" + new String(hash);
+            StringBuilder sb = new StringBuilder();
+            sb.append("{").append(pbkdf2Type).append("}");
+            sb.append(PBKDF2_ITERATIONS).append("$");
+            sb.append(org.apache.ofbiz.base.util.Base64.base64Encode(salt)).append("$");
+            sb.append(new String(hash)).toString();
+            return sb.toString();
         } catch (InvalidKeySpecException e) {
             throw new GeneralRuntimeException("Error while creating SecretKey", e);
         } catch (NoSuchAlgorithmException e) {
@@ -202,24 +203,24 @@ public class HashCrypt {
         }
     }
     
-    public static boolean doComparePbkdf2(String storedPassword, String originalPassword){
+    public static boolean doComparePbkdf2(String crypted, String password){
         try {
-            String[] parts = storedPassword.split("\\$");
-            String hashHead = parts[0];
-            int iterations = Integer.parseInt(parts[1]);
-            byte[] salt = parts[2].getBytes();
-            byte[] hash = Base64.decodeBase64(parts[3].getBytes());
+         int typeEnd = crypted.indexOf("}");
+            String hashType = crypted.substring(1, typeEnd);
+            String[] parts = crypted.split("\\$");
+            int iterations = Integer.parseInt(parts[0].substring(typeEnd+1));
+            byte[] salt = org.apache.ofbiz.base.util.Base64.base64Decode(parts[1]).getBytes();
+            byte[] hash = Base64.decodeBase64(parts[2].getBytes());
             
-            PBEKeySpec spec = new PBEKeySpec(originalPassword.toCharArray(), salt, iterations, hash.length * 8);
-            String hashType = null;
-            switch (hashHead.substring(hashHead.indexOf("_")+4)) {
-                case "256":
+            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, hash.length * 8);
+            switch (hashType.substring(hashType.indexOf("-")+1)) {
+                case "SHA256":
                     hashType = "PBKDF2WithHmacSHA256";
                     break;
-                case "384":
+                case "SHA384":
                     hashType = "PBKDF2WithHmacSHA384";
                     break;
-                case "512":
+                case "SHA512":
                     hashType = "PBKDF2WithHmacSHA512";
                     break;
                 default:  

Modified: ofbiz/trunk/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/config/security.properties?rev=1773066&r1=1773065&r2=1773066&view=diff
==============================================================================
--- ofbiz/trunk/framework/security/config/security.properties (original)
+++ ofbiz/trunk/framework/security/config/security.properties Wed Dec  7 12:45:15 2016
@@ -87,7 +87,7 @@ password.encrypt.hash.type=SHA
 
 # -- if the type of hash to use for one-way encryption is PBKDF2WithHmacSHA1 or PBKDF2WithHmacSHA256 or PBKDF2WithHmacSHA384 or PBKDF2WithHmacSHA512
 # -- the type of hash to use for one-way encryption needs iteration
-password.encrypt.pbkdf2.iterations=1000
+password.encrypt.pbkdf2.iterations=10000
 
 # -- this is helpful to recover old accounts or to be able to login at all sometimes --
 # -- SHOULD GENERALLY NOT BE TRUE FOR PRODUCTION SITES, but is useful for interim periods when going to password encryption --

Modified: ofbiz/trunk/framework/security/data/PasswordSecurityDemoData.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/data/PasswordSecurityDemoData.xml?rev=1773066&r1=1773065&r2=1773066&view=diff
==============================================================================
--- ofbiz/trunk/framework/security/data/PasswordSecurityDemoData.xml (original)
+++ ofbiz/trunk/framework/security/data/PasswordSecurityDemoData.xml Wed Dec  7 12:45:15 2016
@@ -21,6 +21,15 @@ under the License.
 <entity-engine-xml>
     <!-- from the securityext component: SecurityExtData.xml -->
     <UserLogin userLoginId="admin" currentPassword="{SHA}47b56994cbc2b6d10aa1be30f70165adb305a41a" passwordHint=""/>
+    <!-- PBKDF2-SHA1
+     <UserLogin userLoginId="flexadmin" currentPassword="{PBKDF2-SHA1}10000$W0JAMTY4ZTNlZjA=$HkbaHQBTdUbfDuL3tJ1eeyqouQ+66qqIj8Axx9vbHPQ=" passwordHint=""/>
+     PBKDF2-SHA256
+     <UserLogin userLoginId="flexadmin" currentPassword="{PBKDF2-SHA256}10000$W0JAMTRjMzI4YmE=$vWXmPPjyVlvPjN/7v7heWXRPW5ZBWEQTeYv/vxDT5L8=" passwordHint=""/>
+     PBKDF2-SHA384
+     <UserLogin userLoginId="flexadmin" currentPassword="{PBKDF2-SHA384}10000$W0JANWVhMDNjYzE=$H+ouAKild4PCvzFaBxZDbsH2kU1yGJFoCofklWa7YZE=" passwordHint=""/>
+     PBKDF2-SHA512
+     <UserLogin userLoginId="flexadmin" currentPassword="{PBKDF2-SHA512}10000$W0JANTAwZGIwZDY=$M1ZJMdOEjE8bo5E7s5qfza6SZ3dVKwIiwZ8LyKL+2ns=" passwordHint=""/>
+    -->
     <UserLogin userLoginId="flexadmin" currentPassword="{SHA}47b56994cbc2b6d10aa1be30f70165adb305a41a" passwordHint=""/>
     <UserLogin userLoginId="demoadmin" currentPassword="{SHA}47b56994cbc2b6d10aa1be30f70165adb305a41a" passwordHint=""/>
     <UserLogin userLoginId="ltdadmin" currentPassword="{SHA}47b56994cbc2b6d10aa1be30f70165adb305a41a" passwordHint=""/>