// ========================================================================
// Copyright (c) 1998-2009 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
package org.eclipse.jetty.util.security;
import java.io.Serializable;
import java.security.MessageDigest;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.TypeUtil;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
/* ------------------------------------------------------------ */
/**
* Credentials. The Credential class represents an abstract mechanism for
* checking authentication credentials. A credential instance either represents
* a secret, or some data that could only be derived from knowing the secret.
* <p>
* Often a Credential is related to a Password via a one way algorithm, so while
* a Password itself is a Credential, a UnixCrypt or MD5 digest of a a password
* is only a credential that can be checked against the password.
* <p>
* This class includes an implementation for unix Crypt an MD5 digest.
*
* @see Password
*
*/
public abstract class Credential implements Serializable
{
private static final Logger LOG = Log.getLogger(Credential.class);
private static final long serialVersionUID = -7760551052768181572L;
/* ------------------------------------------------------------ */
/**
* Check a credential
*
* @param credentials The credential to check against. This may either be
* another Credential object, a Password object or a String
* which is interpreted by this credential.
* @return True if the credentials indicated that the shared secret is known
* to both this Credential and the passed credential.
*/
public abstract boolean check(Object credentials);
/* ------------------------------------------------------------ */
/**
* Get a credential from a String. If the credential String starts with a
* known Credential type (eg "CRYPT:" or "MD5:" ) then a Credential of that
* type is returned. Else the credential is assumed to be a Password.
*
* @param credential String representation of the credential
* @return A Credential or Password instance.
*/
public static Credential getCredential(String credential)
{
if (credential.startsWith(Crypt.__TYPE)) return new Crypt(credential);
if (credential.startsWith(MD5.__TYPE)) return new MD5(credential);
return new Password(credential);
}
/* ------------------------------------------------------------ */
/**
* Unix Crypt Credentials
*/
public static class Crypt extends Credential
{
private static final long serialVersionUID = -2027792997664744210L;
public static final String __TYPE = "CRYPT:";
private final String _cooked;
Crypt(String cooked)
{
_cooked = cooked.startsWith(Crypt.__TYPE) ? cooked.substring(__TYPE.length()) : cooked;
}
@Override
public boolean check(Object credentials)
{
if (credentials instanceof char[])
credentials=new String((char[])credentials);
if (!(credentials instanceof String) && !(credentials instanceof Password))
LOG.warn("Can't check " + credentials.getClass() + " against CRYPT");
String passwd = credentials.toString();
return _cooked.equals(UnixCrypt.crypt(passwd, _cooked));
}
public static String crypt(String user, String pw)
{
return "CRYPT:" + UnixCrypt.crypt(pw, user);
}
}
/* ------------------------------------------------------------ */
/**
* MD5 Credentials
*/
public static class MD5 extends Credential
{
private static final long serialVersionUID = 5533846540822684240L;
public static final String __TYPE = "MD5:";
public static final Object __md5Lock = new Object();
private static MessageDigest __md;
private final byte[] _digest;
/* ------------------------------------------------------------ */
MD5(String digest)
{
digest = digest.startsWith(__TYPE) ? digest.substring(__TYPE.length()) : digest;
_digest = TypeUtil.parseBytes(digest, 16);
}
/* ------------------------------------------------------------ */
public byte[] getDigest()
{
return _digest;
}
/* ------------------------------------------------------------ */
@Override
public boolean check(Object credentials)
{
try
{
byte[] digest = null;
if (credentials instanceof char[])
credentials=new String((char[])credentials);
if (credentials instanceof Password || credentials instanceof String)
{
synchronized (__md5Lock)
{
if (__md == null) __md = MessageDigest.getInstance("MD5");
__md.reset();
__md.update(credentials.toString().getBytes(StringUtil.__ISO_8859_1));
digest = __md.digest();
}
if (digest == null || digest.length != _digest.length) return false;
for (int i = 0; i < digest.length; i++)
if (digest[i] != _digest[i]) return false;
return true;
}
else if (credentials instanceof MD5)
{
MD5 md5 = (MD5) credentials;
if (_digest.length != md5._digest.length) return false;
for (int i = 0; i < _digest.length; i++)
if (_digest[i] != md5._digest[i]) return false;
return true;
}
else if (credentials instanceof Credential)
{
// Allow credential to attempt check - i.e. this'll work
// for DigestAuthModule$Digest credentials
return ((Credential) credentials).check(this);
}
else
{
LOG.warn("Can't check " + credentials.getClass() + " against MD5");
return false;
}
}
catch (Exception e)
{
LOG.warn(e);
return false;
}
}
/* ------------------------------------------------------------ */
public static String digest(String password)
{
try
{
byte[] digest;
synchronized (__md5Lock)
{
if (__md == null)
{
try
{
__md = MessageDigest.getInstance("MD5");
}
catch (Exception e)
{
LOG.warn(e);
return null;
}
}
__md.reset();
__md.update(password.getBytes(StringUtil.__ISO_8859_1));
digest = __md.digest();
}
return __TYPE + TypeUtil.toString(digest, 16);
}
catch (Exception e)
{
LOG.warn(e);
return null;
}
}
}
}