external-software/github_OpenIdentityPlatform_OpenDJ.git

Update code to log a message when the base64 decoded password is smaller th...

Ludovic Poitou

21.35.2010 9582291a9ff7961af7a4ed579a76dc3db3cae66e

 opends/src/messages/messages/extension.properties

@@ -1428,3 +1428,5 @@
MILD_ERR_PASSWORDPOLICYSUBENTRY_VATTR_NOT_SEARCHABLE_577=The %s \
 attribute is not searchable and should not be included in otherwise \
 unindexed search filters
MILD_ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD_578=The password \
value %s has been base64-decoded but is too short to be valid

 opends/src/messages/messages/extension_fr.properties

@@ -529,3 +529,4 @@
INFO_GSSAPI_STOPPED_575=Le gestionnaire de m\u00e9canisme SASL GSSAPI s'est arr\u00eat\u00e9
MILD_ERR_COLLECTIVEATTRIBUTESUBENTRIES_VATTR_NOT_SEARCHABLE_576=L'attribut %s ne peut pas faire l'objet d'une recherche et ne doit pas \u00eatre inclus dans des filtres de recherche non index\u00e9s
MILD_ERR_PASSWORDPOLICYSUBENTRY_VATTR_NOT_SEARCHABLE_577=L'attribut %s ne peut pas faire l'objet d'une recherche et ne doit pas \u00eatre inclus dans des filtres de recherche non index\u00e9s
MILD_ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD_578=La valeur du mot de passe %s a \u00e9t\u00e9 d\u00e9cod\u00e9 en base64, mais est trop courte pour \u00eatre valide

 opends/src/server/org/opends/server/extensions/SaltedSHA1PasswordStorageScheme.java

@@ -23,6 +23,7 @@
 *
 *
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 *      Portions Copyright 2010 ForgeRock AS.
 */
package org.opends.server.extensions;

@@ -278,6 +279,14 @@
      byte[] decodedBytes = Base64.decode(storedPassword.toString());

      saltLength = decodedBytes.length - SHA1_LENGTH;
      if (saltLength <= 0)
      {
        Message message =
          ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(
          storedPassword.toString());
        ErrorLogger.logError(message);
        return false;
      }
      saltBytes = new byte[saltLength];
      System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA1_LENGTH);
      System.arraycopy(decodedBytes, SHA1_LENGTH, saltBytes, 0,

 opends/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageScheme.java

@@ -283,6 +283,14 @@
      byte[] decodedBytes = Base64.decode(storedPassword.toString());

      saltLength = decodedBytes.length - SHA256_LENGTH;
      if (saltLength <= 0)
      {
        Message message =
          ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(
          storedPassword.toString());
        ErrorLogger.logError(message);
        return false;
      }
      saltBytes = new byte[saltLength];
      System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA256_LENGTH);
      System.arraycopy(decodedBytes, SHA256_LENGTH, saltBytes, 0,

 opends/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageScheme.java

@@ -284,6 +284,14 @@
      byte[] decodedBytes = Base64.decode(storedPassword.toString());

      saltLength = decodedBytes.length - SHA384_LENGTH;
      if (saltLength <= 0)
      {
        Message message =
          ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(
          storedPassword.toString());
        ErrorLogger.logError(message);
        return false;
      }
      saltBytes = new byte[saltLength];
      System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA384_LENGTH);
      System.arraycopy(decodedBytes, SHA384_LENGTH, saltBytes, 0,

 opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java

@@ -283,6 +283,14 @@
      byte[] decodedBytes = Base64.decode(storedPassword.toString());

      saltLength = decodedBytes.length - SHA512_LENGTH;
      if (saltLength <= 0)
      {
        Message message =
          ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(
          storedPassword.toString());
        ErrorLogger.logError(message);
        return false;
      }
      saltBytes = new byte[saltLength];
      System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA512_LENGTH);
      System.arraycopy(decodedBytes, SHA512_LENGTH, saltBytes, 0,

 opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageSchemeTestCase.java

@@ -99,7 +99,7 @@
    {
      new Object[] { "secret", "{SSHA256}xIar81hLva6DoMGVtk5WWfJTnBvkyAsYkj0phSdBBDW2DC1dXI79cw==" }
    };
}
  }

  @Test(dataProvider = "testSSHA256Passwords")
  public void testAuthSSHA256Passwords(

 opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageSchemeTestCase.java

@@ -23,16 +23,23 @@
 *
 *
 *      Copyright 2006-2008 Sun Microsystems, Inc.
 *      Portions Copyright 2010 ForgeRock AS.
 */
package org.opends.server.extensions;


import static org.testng.Assert.*;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;

import org.opends.server.TestCaseUtils;

import org.opends.server.admin.server.AdminTestCaseUtils;
import org.opends.server.admin.std.meta.
            SaltedSHA384PasswordStorageSchemeCfgDefn;
import org.opends.server.admin.std.server.SaltedSHA384PasswordStorageSchemeCfg;
import org.opends.server.api.PasswordStorageScheme;
import org.opends.server.types.Entry;



@@ -74,5 +81,67 @@
    scheme.initializePasswordStorageScheme(configuration);
    return scheme;
  }

  /**
   * Retrieves a set of passwords (plain and SSHA384 encrypted) that may
   * be used to test the compatibility of SSHA384 passwords.
   * The encrypted versions have been provided by external tools or
   * users
   *
   * @return  A set of couple (cleartext, encrypted) passwords that
   *          may be used to test the SSHA384 password storage scheme
   */

  @DataProvider(name = "testSSHA384Passwords")
  public Object[][] getTestSSHA384Passwords()
         throws Exception
  {
    return new Object[][]
    {
      // Note that this test password has been generated with OpenDJ
      // Ideally, they should come from other projects, programs
      new Object[] { "secret", "{SSHA384}+Cw4SXSlJ9q++MCoOan5nWEcLEAMeRo4Y+1gmcZ8JinT9fz/5QG+npm8pQv2J2skOHy+FioGcig=" }
    };
}

  @Test(dataProvider = "testSSHA384Passwords")
  public void testAuthSSHA384Passwords(
          String plaintextPassword,
          String encodedPassword) throws Exception
  {
    // Start/clear-out the memory backend
    TestCaseUtils.initializeTestBackend(true);

    boolean allowPreencodedDefault = setAllowPreencodedPasswords(true);

    try {

      Entry userEntry = TestCaseUtils.makeEntry(
       "dn: uid=testSSHA384.user,o=test",
       "objectClass: top",
       "objectClass: person",
       "objectClass: organizationalPerson",
       "objectClass: inetOrgPerson",
       "uid: testSSHA384.user",
       "givenName: TestSSHA384",
       "sn: User",
       "cn: TestSSHA384 User",
       "userPassword: " + encodedPassword);


      // Add the entry
      TestCaseUtils.addEntry(userEntry);

      assertTrue(TestCaseUtils.canBind("uid=testSSHA384.user,o=test",
                  plaintextPassword),
               "Failed to bind when pre-encoded password = \"" +
               encodedPassword + "\" and " +
               "plaintext password = \"" +
               plaintextPassword + "\"" );
    } finally {
      setAllowPreencodedPasswords(allowPreencodedDefault);
    }
  }

}


 opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageSchemeTestCase.java

@@ -100,7 +100,7 @@
    {
      new Object[] { "secret", "{SSHA512}8gRXO3lD2fGN3JIhbNJOsh31IRFKnWbDNl+cPH3HoJCkUpxZPG617TnN6Nvl2mVMSBLlzPu2eMpOhCDKoolNG6QCsYf2hppQTAVaqfx25PUJ1ngbuBiNDCpK6Xj5PYZiFwa+cpkY/Pzs77bLn3VMxmHhwa+vowfGhy5RRW+6npQ=" }
    };
}
  }

  @Test(dataProvider = "testSSHA512Passwords")
  public void testAuthSSHA512Passwords(

			@@ -1428,3 +1428,5 @@
			MILD_ERR_PASSWORDPOLICYSUBENTRY_VATTR_NOT_SEARCHABLE_577=The %s \
			attribute is not searchable and should not be included in otherwise \
			unindexed search filters
			MILD_ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD_578=The password \
			value %s has been base64-decoded but is too short to be valid

			@@ -529,3 +529,4 @@
			INFO_GSSAPI_STOPPED_575=Le gestionnaire de m\u00e9canisme SASL GSSAPI s'est arr\u00eat\u00e9
			MILD_ERR_COLLECTIVEATTRIBUTESUBENTRIES_VATTR_NOT_SEARCHABLE_576=L'attribut %s ne peut pas faire l'objet d'une recherche et ne doit pas \u00eatre inclus dans des filtres de recherche non index\u00e9s
			MILD_ERR_PASSWORDPOLICYSUBENTRY_VATTR_NOT_SEARCHABLE_577=L'attribut %s ne peut pas faire l'objet d'une recherche et ne doit pas \u00eatre inclus dans des filtres de recherche non index\u00e9s
			MILD_ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD_578=La valeur du mot de passe %s a \u00e9t\u00e9 d\u00e9cod\u00e9 en base64, mais est trop courte pour \u00eatre valide

			@@ -23,6 +23,7 @@
			*
			*
			* Copyright 2006-2010 Sun Microsystems, Inc.
			* Portions Copyright 2010 ForgeRock AS.
			*/
			package org.opends.server.extensions;

			@@ -278,6 +279,14 @@
			byte[] decodedBytes = Base64.decode(storedPassword.toString());

			saltLength = decodedBytes.length - SHA1_LENGTH;
			if (saltLength <= 0)
			{
			Message message =
			ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(
			storedPassword.toString());
			ErrorLogger.logError(message);
			return false;
			}
			saltBytes = new byte[saltLength];
			System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA1_LENGTH);
			System.arraycopy(decodedBytes, SHA1_LENGTH, saltBytes, 0,

			@@ -283,6 +283,14 @@
			byte[] decodedBytes = Base64.decode(storedPassword.toString());

			saltLength = decodedBytes.length - SHA256_LENGTH;
			if (saltLength <= 0)
			{
			Message message =
			ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(
			storedPassword.toString());
			ErrorLogger.logError(message);
			return false;
			}
			saltBytes = new byte[saltLength];
			System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA256_LENGTH);
			System.arraycopy(decodedBytes, SHA256_LENGTH, saltBytes, 0,

			@@ -284,6 +284,14 @@
			byte[] decodedBytes = Base64.decode(storedPassword.toString());

			saltLength = decodedBytes.length - SHA384_LENGTH;
			if (saltLength <= 0)
			{
			Message message =
			ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(
			storedPassword.toString());
			ErrorLogger.logError(message);
			return false;
			}
			saltBytes = new byte[saltLength];
			System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA384_LENGTH);
			System.arraycopy(decodedBytes, SHA384_LENGTH, saltBytes, 0,

			@@ -283,6 +283,14 @@
			byte[] decodedBytes = Base64.decode(storedPassword.toString());

			saltLength = decodedBytes.length - SHA512_LENGTH;
			if (saltLength <= 0)
			{
			Message message =
			ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(
			storedPassword.toString());
			ErrorLogger.logError(message);
			return false;
			}
			saltBytes = new byte[saltLength];
			System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA512_LENGTH);
			System.arraycopy(decodedBytes, SHA512_LENGTH, saltBytes, 0,

			@@ -99,7 +99,7 @@
			{
			new Object[] { "secret", "{SSHA256}xIar81hLva6DoMGVtk5WWfJTnBvkyAsYkj0phSdBBDW2DC1dXI79cw==" }
			};
			}
			}

			@Test(dataProvider = "testSSHA256Passwords")
			public void testAuthSSHA256Passwords(

			@@ -23,16 +23,23 @@
			*
			*
			* Copyright 2006-2008 Sun Microsystems, Inc.
			* Portions Copyright 2010 ForgeRock AS.
			*/
			package org.opends.server.extensions;


			import static org.testng.Assert.*;
			import org.testng.annotations.DataProvider;
			import org.testng.annotations.Test;

			import org.opends.server.TestCaseUtils;

			import org.opends.server.admin.server.AdminTestCaseUtils;
			import org.opends.server.admin.std.meta.
			SaltedSHA384PasswordStorageSchemeCfgDefn;
			import org.opends.server.admin.std.server.SaltedSHA384PasswordStorageSchemeCfg;
			import org.opends.server.api.PasswordStorageScheme;
			import org.opends.server.types.Entry;



			@@ -74,5 +81,67 @@
			scheme.initializePasswordStorageScheme(configuration);
			return scheme;
			}

			/**
			* Retrieves a set of passwords (plain and SSHA384 encrypted) that may
			* be used to test the compatibility of SSHA384 passwords.
			* The encrypted versions have been provided by external tools or
			* users
			*
			* @return A set of couple (cleartext, encrypted) passwords that
			* may be used to test the SSHA384 password storage scheme
			*/

			@DataProvider(name = "testSSHA384Passwords")
			public Object[][] getTestSSHA384Passwords()
			throws Exception
			{
			return new Object[][]
			{
			// Note that this test password has been generated with OpenDJ
			// Ideally, they should come from other projects, programs
			new Object[] { "secret", "{SSHA384}+Cw4SXSlJ9q++MCoOan5nWEcLEAMeRo4Y+1gmcZ8JinT9fz/5QG+npm8pQv2J2skOHy+FioGcig=" }
			};
			}

			@Test(dataProvider = "testSSHA384Passwords")
			public void testAuthSSHA384Passwords(
			String plaintextPassword,
			String encodedPassword) throws Exception
			{
			// Start/clear-out the memory backend
			TestCaseUtils.initializeTestBackend(true);

			boolean allowPreencodedDefault = setAllowPreencodedPasswords(true);

			try {

			Entry userEntry = TestCaseUtils.makeEntry(
			"dn: uid=testSSHA384.user,o=test",
			"objectClass: top",
			"objectClass: person",
			"objectClass: organizationalPerson",
			"objectClass: inetOrgPerson",
			"uid: testSSHA384.user",
			"givenName: TestSSHA384",
			"sn: User",
			"cn: TestSSHA384 User",
			"userPassword: " + encodedPassword);


			// Add the entry
			TestCaseUtils.addEntry(userEntry);

			assertTrue(TestCaseUtils.canBind("uid=testSSHA384.user,o=test",
			plaintextPassword),
			"Failed to bind when pre-encoded password = \"" +
			encodedPassword + "\" and " +
			"plaintext password = \"" +
			plaintextPassword + "\"" );
			} finally {
			setAllowPreencodedPasswords(allowPreencodedDefault);
			}
			}

			}

			@@ -100,7 +100,7 @@
			{
			new Object[] { "secret", "{SSHA512}8gRXO3lD2fGN3JIhbNJOsh31IRFKnWbDNl+cPH3HoJCkUpxZPG617TnN6Nvl2mVMSBLlzPu2eMpOhCDKoolNG6QCsYf2hppQTAVaqfx25PUJ1ngbuBiNDCpK6Xj5PYZiFwa+cpkY/Pzs77bLn3VMxmHhwa+vowfGhy5RRW+6npQ=" }
			};
			}
			}

			@Test(dataProvider = "testSSHA512Passwords")
			public void testAuthSSHA512Passwords(