This is an automated email from the ASF dual-hosted git repository. juanpablo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 8812bcdc7e447ffd2742a56e5fc7420b1ecb948c
Author: samhareem <[email protected]>
AuthorDate: Wed Mar 24 18:43:00 2021 +0200

feat: Add SHA-256 support to getSaltedPassword-method
---
 .../main/java/org/apache/wiki/util/CryptoUtil.java | 31 ++++++++++++----------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/jspwiki-util/src/main/java/org/apache/wiki/util/CryptoUtil.java b/jspwiki-util/src/main/java/org/apache/wiki/util/CryptoUtil.java
index 691a37b..d99fce3 100644
--- a/jspwiki-util/src/main/java/org/apache/wiki/util/CryptoUtil.java
+++ b/jspwiki-util/src/main/java/org/apache/wiki/util/CryptoUtil.java
@@ -35,6 +35,8 @@ public final class CryptoUtil
 {
 private static final String SSHA = "{SSHA}";
+ private static final String SHA256 = "{SHA-256}";
+
 private static final Random RANDOM = new SecureRandom();
 private static final int DEFAULT_SALT_SIZE = 8;
@@ -118,8 +120,8 @@ public final class CryptoUtil
 /**
 * <p>
- * Creates an RFC 2307-compliant salted, hashed password with the SHA1
- * MessageDigest algorithm. After the password is digested, the first 20
+ * Creates an RFC 2307-compliant salted, hashed password with the SHA1 or SHA-256
+ * MessageDigest algorithm. After the password is digested, the first 20 or 32
 * bytes of the digest will be the actual password hash; the remaining bytes
 * will be a randomly generated salt of length {@link #DEFAULT_SALT_SIZE},
 * for example: <blockquote><code>{SSHA}3cGWem65NCEkF5Ew5AEk45ak8LHUWAwPVXAyyw==</code></blockquote>
@@ -136,23 +138,24 @@ public final class CryptoUtil
 *
 * @param password the password to be digested
 * @return the Base64-encoded password hash, prepended by
- * <code>{SSHA}</code>.
- * @throws NoSuchAlgorithmException If your JVM is completely b0rked and does not have SHA.
+ * <code>{SSHA}</code> or <code>{SHA256}</code>.
+ * @throws NoSuchAlgorithmException If your JVM does not supply the necessary algorithm. Should not happen.
 */
- public static String getSaltedPassword(final byte[] password ) throws NoSuchAlgorithmException
+ public static String getSaltedPassword(final byte[] password, final String algorithm ) throws NoSuchAlgorithmException
 {
 final byte[] salt = new byte[DEFAULT_SALT_SIZE];
 RANDOM.nextBytes( salt );
- return getSaltedPassword( password, salt );
+
+ return getSaltedPassword( password, salt, algorithm );
 }
 /**
 * <p>
- * Helper method that creates an RFC 2307-compliant salted, hashed password with the SHA1
- * MessageDigest algorithm. After the password is digested, the first 20
+ * Helper method that creates an RFC 2307-compliant salted, hashed password with the SHA1 or SHA256
+ * MessageDigest algorithm. After the password is digested, the first 20 or 32
 * bytes of the digest will be the actual password hash; the remaining bytes
 * will be the salt. Thus, supplying a password <code>testing123</code>
- * and a random salt <code>foo</code> produces the hash:
+ * and a random salt <code>foo</code> produces the hash when using SHA1:
 * </p>
 * <blockquote><code>{SSHA}yfT8SRT/WoOuNuA6KbJeF10OznZmb28=</code></blockquote>
 * <p>
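Review bot: The new `algorithm` parameter on the public `getSaltedPassword(byte[], String)` overload has no Javadoc tag, so a caller cannot tell from the docs whether it expects a JCA digest name or an RFC 2307 scheme prefix; add ` * @param algorithm the password-hashing scheme to use` after the existing `@param password` line, stating the accepted values once they are settled, and the same tag on the protected helper in the next hunk. The updated `@return` text promises a `<code>{SHA256}</code>` prefix while the constant added in the first hunk is `{SHA-256}`; one of the two should be aligned, here and in the next hunk. Dropping the one-argument public overload rather than keeping it as a delegate is a source-incompatible change for any code outside this module that called it; a one-line `public static String getSaltedPassword( final byte[] password ) throws NoSuchAlgorithmException` that forwards to the new overload with the SHA-1 scheme would preserve the previous behaviour.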
@@ -161,12 +164,12 @@ public final class CryptoUtil
 *
 * @param password the password to be digested
 * @param salt the random salt
- * @return the Base64-encoded password hash, prepended by <code>{SSHA}</code>.
- * @throws NoSuchAlgorithmException If your JVM is totally b0rked and does not have SHA1.
+ * @return the Base64-encoded password hash, prepended by <code>{SSHA}</code> or <code>{SHA256}</code>.
+ * @throws NoSuchAlgorithmException If your JVM does not supply the necessary algorithm. Should not happen.
 */
- protected static String getSaltedPassword(final byte[] password, final byte[] salt ) throws NoSuchAlgorithmException
+ protected static String getSaltedPassword(final byte[] password, final byte[] salt, final String algorithm ) throws NoSuchAlgorithmException
 {
- final MessageDigest digest = MessageDigest.getInstance( "SHA" );
+ final MessageDigest digest = MessageDigest.getInstance( algorithm );
 digest.update( password );
 final byte[] hash = digest.digest( salt );
@@ -176,7 +179,7 @@ public final class CryptoUtil
 System.arraycopy(salt, 0, all, hash.length + 0, salt.length);
 final byte[] base64 = Base64.getEncoder().encode( all );
- return SSHA + new String( base64, StandardCharsets.UTF_8 );
+ return algorithm + new String( base64, StandardCharsets.UTF_8 );
 }
 /**
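Review bot: The same `algorithm` string is handed to `MessageDigest.getInstance( algorithm )` here and, in the final hunk, concatenated verbatim as the output prefix (`return algorithm + new String( base64, StandardCharsets.UTF_8 )`), but a JCA digest name such as the `"SHA"` the old line used is not a valid RFC 2307 prefix, and a prefix such as the `{SSHA}`/`{SHA-256}` constants is not a JCA name, so whichever form a caller passes one of the two uses is wrong; the `SSHA` and the new `SHA256` constants are referenced nowhere in the diff. Treat the parameter as the scheme prefix and map it to the digest name inside the helper, rejecting anything else, as sketched below; the digest, arraycopy and Base64 lines in between stay unchanged, and the helper's body continues into the next hunk. The verification side of this class is outside the diff, so I cannot confirm it, but since the Javadoc now says "first 20 or 32 bytes", any fixed 20-byte hash/salt split there would also need to depend on the prefix.
```java
    protected static String getSaltedPassword(final byte[] password, final byte[] salt, final String algorithm ) throws NoSuchAlgorithmException
    {
        // 'algorithm' is the RFC 2307 scheme prefix of the result; map it to the JCA digest name
        final String digestName;
        if( SSHA.equals( algorithm ) ) {
            digestName = "SHA";
        } else if( SHA256.equals( algorithm ) ) {
            digestName = "SHA-256";
        } else {
            throw new NoSuchAlgorithmException( "Unsupported password scheme: " + algorithm );
        }
        final MessageDigest digest = MessageDigest.getInstance( digestName );
        // … unchanged: digest.update / digest.digest / arraycopy / Base64 encode …
        return algorithm + new String( base64, StandardCharsets.UTF_8 );
```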
