/*******************************************************************************
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*******************************************************************************/
package org.apache.ofbiz.base.crypto;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang.RandomStringUtils;
import org.apache.ofbiz.base.util.Debug;
import org.apache.ofbiz.base.util.GeneralRuntimeException;
import org.apache.ofbiz.base.util.StringUtil;
import org.apache.ofbiz.base.util.UtilIO;
import org.apache.ofbiz.base.util.UtilProperties;
import org.apache.ofbiz.base.util.UtilValidate;
/**
* Utility class for doing SHA-1/MD5/PBKDF2 One-Way Hash Encryption
*
*/
public class HashCrypt {
public static final String module = HashCrypt.class.getName();
public static final String CRYPT_CHAR_SET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";
private static final String PBKDF2_SHA1 ="PBKDF2-SHA1";
private static final String PBKDF2_SHA256 ="PBKDF2-SHA256";
private static final String PBKDF2_SHA384 ="PBKDF2-SHA384";
private static final String PBKDF2_SHA512 ="PBKDF2-SHA512";
private static final int PBKDF2_ITERATIONS = UtilProperties.getPropertyAsInteger("security.properties", "password.encrypt.pbkdf2.iterations", 10000);
public static MessageDigest getMessageDigest(String type) {
try {
return MessageDigest.getInstance(type);
} catch (NoSuchAlgorithmException e) {
throw new GeneralRuntimeException("Could not load digestor(" + type + ")", e);
}
}
public static boolean comparePassword(String crypted, String defaultCrypt, String password) {
if (crypted.startsWith("{PBKDF2")) {
return doComparePbkdf2(crypted, password);
} else if (crypted.startsWith("{")) {
// FIXME: should have been getBytes("UTF-8") originally
return doCompareTypePrefix(crypted, defaultCrypt, password.getBytes());
} else if (crypted.startsWith("$")) {
return doComparePosix(crypted, defaultCrypt, password.getBytes(UtilIO.getUtf8()));
} else {
// FIXME: should have been getBytes("UTF-8") originally
return doCompareBare(crypted, defaultCrypt, password.getBytes());
}
}
private static boolean doCompareTypePrefix(String crypted, String defaultCrypt, byte[] bytes) {
int typeEnd = crypted.indexOf("}");
String hashType = crypted.substring(1, typeEnd);
String hashed = crypted.substring(typeEnd + 1);
MessageDigest messagedigest = getMessageDigest(hashType);
messagedigest.update(bytes);
byte[] digestBytes = messagedigest.digest();
char[] digestChars = Hex.encodeHex(digestBytes);
String checkCrypted = new String(digestChars);
if (hashed.equals(checkCrypted)) {
return true;
}
// This next block should be removed when all {prefix}oldFunnyHex are fixed.
if (hashed.equals(oldFunnyHex(digestBytes))) {
Debug.logWarning("Warning: detected oldFunnyHex password prefixed with a hashType; this is not valid, please update the value in the database with ({%s}%s)", module, hashType, checkCrypted);
return true;
}
return false;
}
private static boolean doComparePosix(String crypted, String defaultCrypt, byte[] bytes) {
int typeEnd = crypted.indexOf("$", 1);
int saltEnd = crypted.indexOf("$", typeEnd + 1);
String hashType = crypted.substring(1, typeEnd);
String salt = crypted.substring(typeEnd + 1, saltEnd);
String hashed = crypted.substring(saltEnd + 1);
return hashed.equals(getCryptedBytes(hashType, salt, bytes));
}
private static boolean doCompareBare(String crypted, String defaultCrypt, byte[] bytes) {
String hashType = defaultCrypt;
String hashed = crypted;
MessageDigest messagedigest = getMessageDigest(hashType);
messagedigest.update(bytes);
return hashed.equals(oldFunnyHex(messagedigest.digest()));
}
/*
* @deprecated use cryptBytes(hashType, salt, password); eventually, use
* cryptUTF8(hashType, salt, password) after all existing installs are
* salt-based. If the call-site of cryptPassword is just used to create a *new*
* value, then you can switch to cryptUTF8 directly.
*/
@Deprecated
public static String cryptPassword(String hashType, String salt, String password) {
if (hashType.startsWith("PBKDF2")) {
return password != null ? pbkdf2HashCrypt(hashType, salt, password) : null;
}
// FIXME: should have been getBytes("UTF-8") originally
return password != null ? cryptBytes(hashType, salt, password.getBytes()) : null;
}
public static String cryptUTF8(String hashType, String salt, String value) {
if (hashType.startsWith("PBKDF2")) {
return value != null ? pbkdf2HashCrypt(hashType, salt, value) : null;
}
return value != null ? cryptBytes(hashType, salt, value.getBytes(UtilIO.getUtf8())) : null;
}
public static String cryptValue(String hashType, String salt, String value) {
if (hashType.startsWith("PBKDF2")) {
return value != null ? pbkdf2HashCrypt(hashType, salt, value) : null;
}
return value != null ? cryptBytes(hashType, salt, value.getBytes()) : null;
}
public static String cryptBytes(String hashType, String salt, byte[] bytes) {
if (hashType == null) {
hashType = "SHA";
}
if (salt == null) {
salt = RandomStringUtils.random(new SecureRandom().nextInt(15) + 1, CRYPT_CHAR_SET);
}
StringBuilder sb = new StringBuilder();
sb.append("$").append(hashType).append("$").append(salt).append("$");
sb.append(getCryptedBytes(hashType, salt, bytes));
return sb.toString();
}
private static String getCryptedBytes(String hashType, String salt, byte[] bytes) {
try {
MessageDigest messagedigest = MessageDigest.getInstance(hashType);
messagedigest.update(salt.getBytes(UtilIO.getUtf8()));
messagedigest.update(bytes);
return Base64.encodeBase64URLSafeString(messagedigest.digest()).replace('+', '.');
} catch (NoSuchAlgorithmException e) {
throw new GeneralRuntimeException("Error while comparing password", e);
}
}
public static String pbkdf2HashCrypt(String hashType, String salt, String value){
char[] chars = value.toCharArray();
if (UtilValidate.isEmpty(salt)) {
salt = getSalt();
}
try {
PBEKeySpec spec = new PBEKeySpec(chars, salt.getBytes(UtilIO.getUtf8()), PBKDF2_ITERATIONS, 64 * 4);
SecretKeyFactory skf = SecretKeyFactory.getInstance(hashType);
byte[] hash = Base64.encodeBase64(skf.generateSecret(spec).getEncoded());
String pbkdf2Type = null;
switch (hashType) {
case "PBKDF2WithHmacSHA1":
pbkdf2Type = PBKDF2_SHA1;
break;
case "PBKDF2WithHmacSHA256":
pbkdf2Type = PBKDF2_SHA256;
break;
case "PBKDF2WithHmacSHA384":
pbkdf2Type = PBKDF2_SHA384;
break;
case "PBKDF2WithHmacSHA512":
pbkdf2Type = PBKDF2_SHA512;
break;
default:
pbkdf2Type = PBKDF2_SHA1;
}
StringBuilder sb = new StringBuilder();
sb.append("{").append(pbkdf2Type).append("}");
sb.append(PBKDF2_ITERATIONS).append("$");
sb.append(org.apache.ofbiz.base.util.Base64.base64Encode(salt)).append("$");
sb.append(new String(hash)).toString();
return sb.toString();
} catch (InvalidKeySpecException e) {
throw new GeneralRuntimeException("Error while creating SecretKey", e);
} catch (NoSuchAlgorithmException e) {
throw new GeneralRuntimeException("Error while computing SecretKeyFactory", e);
}
}
public static boolean doComparePbkdf2(String crypted, String password){
try {
int typeEnd = crypted.indexOf("}");
String hashType = crypted.substring(1, typeEnd);
String[] parts = crypted.split("\\$");
int iterations = Integer.parseInt(parts[0].substring(typeEnd+1));
byte[] salt = org.apache.ofbiz.base.util.Base64.base64Decode(parts[1]).getBytes();
byte[] hash = Base64.decodeBase64(parts[2].getBytes());
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, hash.length * 8);
switch (hashType.substring(hashType.indexOf("-")+1)) {
case "SHA256":
hashType = "PBKDF2WithHmacSHA256";
break;
case "SHA384":
hashType = "PBKDF2WithHmacSHA384";
break;
case "SHA512":
hashType = "PBKDF2WithHmacSHA512";
break;
default:
hashType = "PBKDF2WithHmacSHA1";
}
SecretKeyFactory skf = SecretKeyFactory.getInstance(hashType);
byte[] testHash = skf.generateSecret(spec).getEncoded();
int diff = hash.length ^ testHash.length;
for (int i = 0; i < hash.length && i < testHash.length; i++) {
diff |= hash[i] ^ testHash[i];
}
return diff == 0;
} catch (NoSuchAlgorithmException e) {
throw new GeneralRuntimeException("Error while computing SecretKeyFactory", e);
} catch (InvalidKeySpecException e) {
throw new GeneralRuntimeException("Error while creating SecretKey", e);
}
}
private static String getSalt() {
try {
SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
byte[] salt = new byte[16];
sr.nextBytes(salt);
return salt.toString();
} catch (NoSuchAlgorithmException e) {
throw new GeneralRuntimeException("Error while creating salt", e);
}
}
/**
* @deprecated use digestHash("SHA", null, str)
*/
@Deprecated
public static String getDigestHash(String str) {
return digestHash("SHA", null, str);
}
/**
* @deprecated use digestHash(hashType, null, str))
*/
@Deprecated
public static String getDigestHash(String str, String hashType) {
return digestHash(hashType, null, str);
}
/**
* @deprecated use digestHash(hashType, code, str);
*/
@Deprecated
public static String getDigestHash(String str, String code, String hashType) {
return digestHash(hashType, code, str);
}
public static String digestHash(String hashType, String code, String str) {
if (str == null) return null;
byte[] codeBytes;
try {
if (code == null) codeBytes = str.getBytes();
else codeBytes = str.getBytes(code);
} catch (UnsupportedEncodingException e) {
throw new GeneralRuntimeException("Error while computing hash of type " + hashType, e);
}
return digestHash(hashType, codeBytes);
}
public static String digestHash(String hashType, byte[] bytes) {
try {
MessageDigest messagedigest = MessageDigest.getInstance(hashType);
messagedigest.update(bytes);
byte[] digestBytes = messagedigest.digest();
char[] digestChars = Hex.encodeHex(digestBytes);
StringBuilder sb = new StringBuilder();
sb.append("{").append(hashType).append("}");
sb.append(digestChars, 0, digestChars.length);
return sb.toString();
} catch (NoSuchAlgorithmException e) {
throw new GeneralRuntimeException("Error while computing hash of type " + hashType, e);
}
}
public static String digestHash64(String hashType, byte[] bytes) {
if (hashType == null) {
hashType = "SHA";
}
try {
MessageDigest messagedigest = MessageDigest.getInstance(hashType);
messagedigest.update(bytes);
byte[] digestBytes = messagedigest.digest();
StringBuilder sb = new StringBuilder();
sb.append("{").append(hashType).append("}");
sb.append(Base64.encodeBase64URLSafeString(digestBytes).replace('+', '.'));
return sb.toString();
} catch (NoSuchAlgorithmException e) {
throw new GeneralRuntimeException("Error while computing hash of type " + hashType, e);
}
}
/**
* @deprecated use cryptPassword
*/
@Deprecated
public static String getHashTypeFromPrefix(String hashString) {
if (UtilValidate.isEmpty(hashString) || hashString.charAt(0) != '{') {
return null;
}
return hashString.substring(1, hashString.indexOf('}'));
}
/**
* @deprecated use cryptPassword
*/
@Deprecated
public static String removeHashTypePrefix(String hashString) {
if (UtilValidate.isEmpty(hashString) || hashString.charAt(0) != '{') {
return hashString;
}
return hashString.substring(hashString.indexOf('}') + 1);
}
/**
* @deprecated use digestHashOldFunnyHex(hashType, str)
*/
@Deprecated
public static String getDigestHashOldFunnyHexEncode(String str, String hashType) {
return digestHashOldFunnyHex(hashType, str);
}
public static String digestHashOldFunnyHex(String hashType, String str) {
if (UtilValidate.isEmpty(hashType)) hashType = "SHA";
if (str == null) return null;
try {
MessageDigest messagedigest = MessageDigest.getInstance(hashType);
byte[] strBytes = str.getBytes();
messagedigest.update(strBytes);
return oldFunnyHex(messagedigest.digest());
} catch (Exception e) {
Debug.logError(e, "Error while computing hash of type " + hashType, module);
}
return str;
}
// This next block should be removed when all {prefix}oldFunnyHex are fixed.
private static String oldFunnyHex(byte[] bytes) {
int k = 0;
char[] digestChars = new char[bytes.length * 2];
for (int l = 0; l < bytes.length; l++) {
int i1 = bytes[l];
if (i1 < 0) {
i1 = 127 + i1 * -1;
}
StringUtil.encodeInt(i1, k, digestChars);
k += 2;
}
return new String(digestChars);
}
}