external-software/github_OpenIdentityPlatform_OpenDJ.git

			@@ -21,7 +21,7 @@
			* CDDL HEADER END
			*
			*
			* Copyright 2014 ForgeRock AS.
			* Copyright 2014-2015 ForgeRock AS.
			* Portions Copyright Emidio Stani & Andrea Stani
			*/
			package org.opends.server.extensions;
			@@ -65,14 +65,9 @@
			private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();

			/** The fully-qualified name of this class. */
			private static final String CLASS_NAME =
			"org.opends.server.extensions.PKCS5S2PasswordStorageScheme";
			private static final String CLASS_NAME = "org.opends.server.extensions.PKCS5S2PasswordStorageScheme";


			/**
			* The number of bytes of random data to use as the salt when generating the
			* hashes.
			*/
			/** The number of bytes of random data to use as the salt when generating the hashes. */
			private static final int NUM_SALT_BYTES = 16;

			/** The number of bytes the SHA-1 algorithm produces. */
			@@ -81,12 +76,6 @@
			/** Atlassian hardcoded the number of iterations to 10000. */
			private static final int iterations = 10000;

			/** The factory used to generate the PKCS5S2 hashes. */
			private SecretKeyFactory factory;

			/** The lock used to provide thread-safe access to the message digest. */
			private final Object factoryLock = new Object();

			/** The secure random number generator to use to generate the salt values. */
			private SecureRandom random;

			@@ -102,14 +91,14 @@

			/** {@inheritDoc} */
			@Override
			public void initializePasswordStorageScheme(
			PKCS5S2PasswordStorageSchemeCfg configuration)
			public void initializePasswordStorageScheme(PKCS5S2PasswordStorageSchemeCfg configuration)
			throws InitializationException
			{
			try
			{
			random = SecureRandom.getInstance(SECURE_PRNG_SHA1);
			factory = SecretKeyFactory.getInstance(MESSAGE_DIGEST_ALGORITHM_PBKDF2);
			// Just try to verify if the algorithm is supported
			SecretKeyFactory.getInstance(MESSAGE_DIGEST_ALGORITHM_PBKDF2);
			}
			catch (NoSuchAlgorithmException e)
			{
			@@ -130,7 +119,7 @@
			throws DirectoryException
			{
			byte[] saltBytes = new byte[NUM_SALT_BYTES];
			byte[] digestBytes = encodeWithRandomSalt(plaintext, saltBytes);
			byte[] digestBytes = encodeWithRandomSalt(plaintext, saltBytes,random);
			byte[] hashPlusSalt = concatenateSaltPlusHash(saltBytes, digestBytes);

			return ByteString.valueOf(Base64.encode(hashPlusSalt));
			@@ -141,14 +130,12 @@
			public ByteString encodePasswordWithScheme(ByteSequence plaintext)
			throws DirectoryException
			{
			return ByteString.valueOf('{' + STORAGE_SCHEME_NAME_PKCS5S2 + '}'
			+ encodePassword(plaintext));
			return ByteString.valueOf('{' + STORAGE_SCHEME_NAME_PKCS5S2 + '}' + encodePassword(plaintext));
			}

			/** {@inheritDoc} */
			@Override
			public boolean passwordMatches(ByteSequence plaintextPassword,
			ByteSequence storedPassword)
			public boolean passwordMatches(ByteSequence plaintextPassword, ByteSequence storedPassword)
			{
			// Base64-decode the value and take the first 16 bytes as the salt.
			try
			@@ -158,8 +145,7 @@

			if (decodedBytes.length != NUM_SALT_BYTES + SHA1_LENGTH)
			{
			logger.error(ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(
			storedPassword.toString()));
			logger.error(ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(storedPassword.toString()));
			return false;
			}

			@@ -173,8 +159,7 @@
			catch (Exception e)
			{
			logger.traceException(e);
			logger.error(ERR_PWSCHEME_CANNOT_BASE64_DECODE_STORED_PASSWORD.get(
			storedPassword.toString(), String.valueOf(e)));
			logger.error(ERR_PWSCHEME_CANNOT_BASE64_DECODE_STORED_PASSWORD.get(storedPassword.toString(), String.valueOf(e)));
			return false;
			}
			}
			@@ -199,17 +184,15 @@
			throws DirectoryException
			{
			byte[] saltBytes = new byte[NUM_SALT_BYTES];
			byte[] digestBytes = encodeWithRandomSalt(plaintext, saltBytes);
			byte[] digestBytes = encodeWithRandomSalt(plaintext, saltBytes,random);
			// Encode and return the value.
			return ByteString.valueOf(AUTH_PASSWORD_SCHEME_NAME_PKCS5S2 + '$'
			+ iterations + ':' + Base64.encode(saltBytes) + '$'
			+ Base64.encode(digestBytes));
			return ByteString.valueOf(AUTH_PASSWORD_SCHEME_NAME_PKCS5S2 + '$' + iterations
			+ ':' + Base64.encode(saltBytes) + '$' + Base64.encode(digestBytes));
			}

			/** {@inheritDoc} */
			@Override
			public boolean authPasswordMatches(ByteSequence plaintextPassword,
			String authInfo, String authValue)
			public boolean authPasswordMatches(ByteSequence plaintextPassword, String authInfo, String authValue)
			{
			try
			{
			@@ -242,19 +225,16 @@
			public ByteString getPlaintextValue(ByteSequence storedPassword)
			throws DirectoryException
			{
			LocalizableMessage message =
			ERR_PWSCHEME_NOT_REVERSIBLE.get(STORAGE_SCHEME_NAME_PKCS5S2);
			LocalizableMessage message = ERR_PWSCHEME_NOT_REVERSIBLE.get(STORAGE_SCHEME_NAME_PKCS5S2);
			throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION, message);
			}

			/** {@inheritDoc} */
			@Override
			public ByteString getAuthPasswordPlaintextValue(String authInfo,
			String authValue)
			public ByteString getAuthPasswordPlaintextValue(String authInfo, String authValue)
			throws DirectoryException
			{
			LocalizableMessage message =
			ERR_PWSCHEME_NOT_REVERSIBLE.get(AUTH_PASSWORD_SCHEME_NAME_PKCS5S2);
			LocalizableMessage message = ERR_PWSCHEME_NOT_REVERSIBLE.get(AUTH_PASSWORD_SCHEME_NAME_PKCS5S2);
			throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION, message);
			}

			@@ -269,13 +249,11 @@

			/**
			* Generates an encoded password string from the given clear-text password.
			* This method is primarily intended for use when it is necessary to generate
			* a password with the server offline (e.g., when setting the initial root
			* user password).
			* This method is primarily intended for use when it is necessary to generate a password with the server
			* offline (e.g., when setting the initial root user password).
			*
			* @param passwordBytes The bytes that make up the clear-text password.
			* @return The encoded password string, including the scheme name in curly
			* braces.
			* @return The encoded password string, including the scheme name in curly braces.
			* @throws DirectoryException If a problem occurs during processing.
			*/
			public static String encodeOffline(byte[] passwordBytes)
			@@ -285,8 +263,7 @@
			byte[] digestBytes = encodeWithRandomSalt(ByteString.wrap(passwordBytes), saltBytes);
			byte[] hashPlusSalt = concatenateSaltPlusHash(saltBytes, digestBytes);

			return '{' + STORAGE_SCHEME_NAME_PKCS5S2 + '}' +
			Base64.encode(hashPlusSalt);
			return '{' + STORAGE_SCHEME_NAME_PKCS5S2 + '}' + Base64.encode(hashPlusSalt);
			}

			private static byte[] encodeWithRandomSalt(ByteString plaintext, byte[] saltBytes)
			@@ -295,8 +272,7 @@
			try
			{
			final SecureRandom random = SecureRandom.getInstance(SECURE_PRNG_SHA1);
			final SecretKeyFactory factory = SecretKeyFactory.getInstance(MESSAGE_DIGEST_ALGORITHM_PBKDF2);
			return encodeWithRandomSalt(plaintext, saltBytes, random, factory);
			return encodeWithRandomSalt(plaintext, saltBytes, random);
			}
			catch (DirectoryException e)
			{
			@@ -308,14 +284,14 @@
			}
			}

			private static byte[] encodeWithSalt(ByteSequence plaintext, byte[] saltBytes,
			int iterations, final SecretKeyFactory factory) throws DirectoryException
			private static byte[] encodeWithSalt(ByteSequence plaintext, byte[] saltBytes, int iterations)
			throws DirectoryException
			{
			final char[] plaintextChars = plaintext.toString().toCharArray();
			try
			{
			KeySpec spec =
			new PBEKeySpec(plaintextChars, saltBytes, iterations, SHA1_LENGTH * 8);
			final SecretKeyFactory factory = SecretKeyFactory.getInstance(MESSAGE_DIGEST_ALGORITHM_PBKDF2);
			KeySpec spec = new PBEKeySpec(plaintextChars, saltBytes, iterations, SHA1_LENGTH * 8);
			return factory.generateSecret(spec).getEncoded();
			}
			catch (Exception e)
			@@ -324,45 +300,28 @@
			}
			finally
			{
			if (plaintextChars != null)
			{
			Arrays.fill(plaintextChars, '0');
			}
			Arrays.fill(plaintextChars, '0');
			}
			}

			private boolean encodeAndMatch(ByteSequence plaintext, byte[] saltBytes,
			byte[] digestBytes, int iterations)
			private boolean encodeAndMatch(ByteSequence plaintext, byte[] saltBytes, byte[] digestBytes, int iterations)
			{
			synchronized (factoryLock)
			{
			try
			{
			final byte[] userDigestBytes =
			encodeWithSalt(plaintext, saltBytes, iterations, factory);
			return Arrays.equals(digestBytes, userDigestBytes);
			}
			catch (Exception e)
			{
			return false;
			}
			}
			try
			{
			final byte[] userDigestBytes = encodeWithSalt(plaintext, saltBytes, iterations);
			return Arrays.equals(digestBytes, userDigestBytes);
			}
			catch (Exception e)
			{
			return false;
			}
			}

			private byte[] encodeWithRandomSalt(ByteSequence plaintext, byte[] saltBytes)
			private static byte[] encodeWithRandomSalt(ByteSequence plaintext, byte[] saltBytes, SecureRandom random)
			throws DirectoryException
			{
			synchronized (factoryLock)
			{
			return encodeWithRandomSalt(plaintext, saltBytes, random, factory);
			}
			}

			private static byte[] encodeWithRandomSalt(ByteSequence plaintext, byte[] saltBytes,
			SecureRandom random, final SecretKeyFactory factory) throws DirectoryException
			{
			random.nextBytes(saltBytes);
			return encodeWithSalt(plaintext, saltBytes, iterations, factory);
			return encodeWithSalt(plaintext, saltBytes, iterations);
			}

			private static DirectoryException cannotEncodePassword(Exception e)