This is an automated email from the ASF dual-hosted git repository. btellier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 72f570bcf88ece0ccd56308e6831c24de4453a8d
Author: Benoit Tellier <[email protected]>
AuthorDate: Fri Dec 3 10:00:18 2021 +0700

    JAMES-3674 DefaultUser.digestString should take salt into account
---
 .../apache/james/user/lib/model/DefaultUser.java | 27 +++++++++++-----------
 .../james/user/lib/model/DefaultUserTest.java | 9 ++++----
 2 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/server/data/data-library/src/main/java/org/apache/james/user/lib/model/DefaultUser.java b/server/data/data-library/src/main/java/org/apache/james/user/lib/model/DefaultUser.java
index 164ff05..c63f1cd 100644
--- a/server/data/data-library/src/main/java/org/apache/james/user/lib/model/DefaultUser.java
+++ b/server/data/data-library/src/main/java/org/apache/james/user/lib/model/DefaultUser.java
@@ -91,8 +91,7 @@ public class DefaultUser implements User, Serializable {
     @Override
     public boolean verifyPassword(String pass) {
         try {
-            String credentials = getCredentials(currentAlgorithm, pass);
-            String hashGuess = digestString(credentials, currentAlgorithm);
+            String hashGuess = digestString(pass, currentAlgorithm, userName.asString());
             return hashedPassword.equals(hashGuess);
         } catch (NoSuchAlgorithmException nsae) {
             throw new RuntimeException("Security error: " + nsae);
@@ -102,8 +101,7 @@ public class DefaultUser implements User, Serializable {
     @Override
     public boolean setPassword(String newPass) {
         try {
-            String newCredentials = getCredentials(preferredAlgorithm, newPass);
-            hashedPassword = digestString(newCredentials, preferredAlgorithm);
+            hashedPassword = digestString(newPass, preferredAlgorithm, userName.asString());
             currentAlgorithm = preferredAlgorithm;
             return true;
         } catch (NoSuchAlgorithmException nsae) {
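Review bot: The new `hashGuess` still goes through `hashedPassword.equals(hashGuess)` on the next line, which stops at the first differing character; the usual hardening for a credential check is a length-independent comparison such as `return MessageDigest.isEqual(hashedPassword.getBytes(ISO_8859_1), hashGuess.getBytes(ISO_8859_1));` (both `MessageDigest` and `ISO_8859_1` are already used by digestString in this file). The commit does not touch that line, but verifyPassword is the only place the comparison runs on client-supplied input, so this hunk is the natural place to fix it. A `hashedPassword` that is null here would throw NullPointerException rather than be caught by the NoSuchAlgorithmException handler; whether that state is reachable is not visible in the hunk. The enclosing class continues outside the hunk.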
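Review bot: setPassword now binds the stored digest to `userName.asString()` at the time of the call, so with a salted preferred algorithm the hash only verifies while the user keeps that exact name, and nothing in the hunk documents this. Add a Javadoc above the `@Override`, e.g. `/** Replaces the stored hash with the digest of {@code newPass}; for a salted algorithm the digest also covers this user's name, so the stored value is only valid for that name. */`. Whether userName can change after construction is not visible here; if it can, the hash would have to be recomputed on rename. The rest of the class is outside the hunk.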
@@ -111,13 +109,7 @@ public class DefaultUser implements User, Serializable { } } - private String getCredentials(Algorithm algorithm, String pass) { - if (algorithm.isSalted()) { - return userName.asString() + pass; - } else { - return pass; - } - } + /** * Method to access hash of password @@ -150,13 +142,14 @@ public class DefaultUser implements User, Serializable { * @throws NoSuchAlgorithmException * if the algorithm passed in cannot be found */ - static String digestString(String pass, Algorithm algorithm) throws NoSuchAlgorithmException { + static String digestString(String pass, Algorithm algorithm, String salt) throws NoSuchAlgorithmException { MessageDigest md; ByteArrayOutputStream bos; try { md = MessageDigest.getInstance(algorithm.getName()); - byte[] digest = md.digest(pass.getBytes(ISO_8859_1)); + String saltedPass = applySalt(algorithm, pass, salt); + byte[] digest = md.digest(saltedPass.getBytes(ISO_8859_1)); bos = new ByteArrayOutputStream(); OutputStream encodedStream = MimeUtility.encode(bos, "base64"); encodedStream.write(digest); @@ -168,4 +161,12 @@ public class DefaultUser implements User, Serializable { throw new RuntimeException("Fatal error", e); } } + + static String applySalt(Algorithm algorithm, String pass, String salt) { + if (algorithm.isSalted()) { + return salt + pass; + } else { + return pass; + } + } } diff --git a/server/data/data-library/src/test/java/org/apache/james/user/lib/model/DefaultUserTest.java b/server/data/data-library/src/test/java/org/apache/james/user/lib/model/DefaultUserTest.java index 3a79d64..87f9e2a 100644 --- a/server/data/data-library/src/test/java/org/apache/james/user/lib/model/DefaultUserTest.java +++ b/server/data/data-library/src/test/java/org/apache/james/user/lib/model/DefaultUserTest.java 
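Review bot: digestString gains a `salt` parameter but the Javadoc above it, which starts before the hunk, is not extended; add `* @param salt value prepended to {@code pass} when {@code algorithm.isSalted()}, ignored otherwise; callers pass the user name`. applySalt is package-private and undocumented; a one-line Javadoc stating that salt and password are concatenated with no separator, so the digest depends only on the joined string, would make the contract explicit. Note also that `saltedPass.getBytes(ISO_8859_1)` replaces characters outside Latin-1 with '?', so a user name or password containing such characters loses information before hashing; changing the charset would invalidate existing stored hashes, so rather than change it, record the caveat on that line, e.g. `// ISO-8859-1 kept for compatibility with stored hashes; unmappable characters become '?'`.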
@@ -79,7 +79,8 @@ public class DefaultUserTest {
     @ParameterizedTest
     @MethodSource("sha1LegacyTestBed")
     void testSha1Legacy(String password, String expectedHash) throws Exception {
-        assertThat(DefaultUser.digestString(Optional.ofNullable(password).orElse(""), Algorithm.of("SHA-1", "legacy")))
+        assertThat(DefaultUser.digestString(Optional.ofNullable(password).orElse(""),
+            Algorithm.of("SHA-1", "legacy"), "salt"))
             .isEqualTo(expectedHash);
     }

@@ -94,7 +95,7 @@ public class DefaultUserTest {
     @ParameterizedTest
     @MethodSource("sha512LegacyTestBed")
     void testSha512Legacy(String password, String expectedHash) throws Exception {
-        assertThat(DefaultUser.digestString(password, Algorithm.of("SHA-512", "legacy")))
+        assertThat(DefaultUser.digestString(password, Algorithm.of("SHA-512", "legacy"), "salt"))
             .isEqualTo(expectedHash);
     }

@@ -109,7 +110,7 @@ public class DefaultUserTest {
     @ParameterizedTest
     @MethodSource("sha1TestBed")
     void testSha1(String password, String expectedHash) throws Exception {
-        assertThat(DefaultUser.digestString(Optional.ofNullable(password).orElse(""), Algorithm.of("SHA-1")))
+        assertThat(DefaultUser.digestString(Optional.ofNullable(password).orElse(""), Algorithm.of("SHA-1"), "salt"))
             .isEqualTo(expectedHash);
     }

@@ -124,7 +125,7 @@ public class DefaultUserTest {
     @ParameterizedTest
     @MethodSource("sha512TestBed")
     void testSha512(String password, String expectedHash) throws Exception {
-        assertThat(DefaultUser.digestString(password, Algorithm.of("SHA-512")))
+        assertThat(DefaultUser.digestString(password, Algorithm.of("SHA-512"), "salt"))
             .isEqualTo(expectedHash);
     }
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
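Review bot: Every call now passes the literal "salt", yet the expected hashes in the four test beds are untouched by this commit (the diffstat shows only 9 lines changed in this file), which is only consistent if none of `Algorithm.of("SHA-1")`, `Algorithm.of("SHA-512")` or their "legacy" forms reports isSalted() true; the behaviour named in the commit title is therefore not exercised here. Add one case using whichever Algorithm form is salted that asserts digestString returns different values for two distinct salts and the same value when salt and password are repeated, so a regression to the old salt-ignoring behaviour fails. Whether such a form exists is not visible in these hunks.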
