/**********************************************************************************
* $URL: https://source.sakaiproject.org/svn/kernel/trunk/kernel-impl/src/main/java/org/sakaiproject/user/impl/OpenAuthnComponent.java $
* $Id: OpenAuthnComponent.java 51317 2008-08-24 04:38:02Z csev@umich.edu $
***********************************************************************************
*
* Copyright (c) 2005, 2006, 2008, 2009, 2010 Sakai Foundation
*
* Licensed under the Educational Community License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.opensource.org/licenses/ECL-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
**********************************************************************************/
package org.sakaiproject.user.impl;
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.util.Random;
import javax.mail.internet.MimeUtility;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* Service to check that a password matches and to generate encrypted passwords from plaintext.
* By default it's salted and SHA-256 digested.
* @author buckett
*
*/
public class PasswordService {
private final static Log log = LogFactory.getLog(PasswordService.class);
private Random saltSource = new Random();
/**
* Prefix for password that was converted from an MD5 one.
*/
public static final String MD5_SALT_SHA256 = "MD5-SALT-SHA256:";
/**
* Prefix for password that was converted from an MD5 one with the SAK-5922 bug.
*/
public static final String MD5TRUNC_SALT_SHA256 = "MD5TRUNC-SALT-SHA256:";
/**
* Length of salt in bytes.
*/
private int saltLength = 4;
/**
* The character that separates the salt from the hash.
* Changing this will break all existing passwords (except MD5).
*/
private String saltDelim = ":";
/**
* The default algorithm to use then setting a password and when checking a password.
* Changing this will break all existing password (except MD5).
*/
private String defaultAlgorithm = "SHA-256";
/**
* Check to see if the password matches the encrypted version.
* @param password
* @param encrypted
* @return
*/
public boolean check(String password, String encrypted) {
// Make sure we have good data.
if (password == null || encrypted == null)
return false;
int length = encrypted.length();
// This is the old way of encrypting passwords.
if ( length == 20 || length == 24 ) {
String passwordEnc = hash(password, "MD5");
if (passwordEnc != null) {
// SAK-5922 Some password are missing last 4 characters.
if (length == 20) {
passwordEnc = passwordEnc.substring(0, 20);
}
return encrypted.equals(passwordEnc);
}
}
String passwordMod = password;
String expectedHash = encrypted;
if (encrypted.startsWith(MD5_SALT_SHA256)) {
passwordMod = hash(password, "MD5");
expectedHash = encrypted.substring(MD5_SALT_SHA256.length());
}
if (encrypted.startsWith(MD5TRUNC_SALT_SHA256)) {
passwordMod = hash(password, "MD5");
if (passwordMod != null && passwordMod.length() > 20) {
passwordMod = passwordMod.substring(0, 20);
}
expectedHash = encrypted.substring(MD5TRUNC_SALT_SHA256.length());
}
int saltDelimPos = expectedHash.indexOf(saltDelim);
String shaSource = passwordMod;
if (saltDelimPos != -1) {
String salt = expectedHash.substring(0, saltDelimPos);
expectedHash = expectedHash.substring(saltDelimPos+1);
shaSource = salt + passwordMod;
}
String passwordEnc = hash(shaSource, defaultAlgorithm);
return expectedHash.equals(passwordEnc);
}
/**
* Create a new encrypted password.
* @param password The password to encrypt.
* @return The resultant string.
*/
public String encrypt(String password) {
String salt = salt(saltLength);
String source = salt + password;
String hash = hash(source, defaultAlgorithm);
return salt + saltDelim + hash;
}
/**
* Digest and Base64 encode the password.
* @param password The password to hash.
* @param algorithm The Digest Algorithm to use.
* @return The digested password or <code>null</code> if it failed.
*/
protected String hash(String password, String algorithm) {
try
{
// compute the digest using the MD5 algorithm
MessageDigest md = MessageDigest.getInstance(algorithm);
byte[] digest = md.digest(password.getBytes("UTF-8"));
// encode as base64
ByteArrayOutputStream bas = new ByteArrayOutputStream(lengthBase64(digest.length));
OutputStream encodedStream = MimeUtility.encode(bas, "base64");
encodedStream.write(digest);
// close the stream to complete the encoding
encodedStream.close();
String rv = bas.toString().trim(); // '\r\n' is appended by encode()
return rv;
}
catch (Exception e)
{
log.warn("Failed with "+ algorithm, e);
return null;
}
}
/**
* Generate a salt which is Base64 encoded.
* @param length The number of bytes to use for the source.
* @return A Base64 version of the salt. So it's longer than the source length.
*/
protected String salt(int length) {
try{
byte[] salt = new byte[length];
saltSource.nextBytes(salt);
ByteArrayOutputStream bas = new ByteArrayOutputStream(lengthBase64(length));
OutputStream saltStream;
saltStream = MimeUtility.encode(bas, "base64");
saltStream.write(salt);
saltStream.close();
String rv = bas.toString().trim(); // '\r\n' is appended by encode()
return rv;
}catch(Exception e){
log.warn("Failed to generate salt.", e);
}
return "";
}
/**
* The length needed for base64 encoding some input.
* http://en.wikipedia.org/wiki/Base64
* @param length The length in bytes of the source.
* @return The size in bytes of the output.
*/
private int lengthBase64(int length) {
return (length + 2 - ((length + 2) % 3)) * 4 / 3;
}
public void setSaltLength(int saltLength) {
this.saltLength = saltLength;
}
public void setSaltDelim(String saltDelim) {
this.saltDelim = saltDelim;
}
public void setDefaultAlgorithm(String defaultAlgorithm) {
this.defaultAlgorithm = defaultAlgorithm;
}
}