Author: stillalex Date: Tue Sep 25 08:13:45 2018 New Revision: 1841909 URL: http://svn.apache.org/viewvc?rev=1841909&view=rev Log: OAK-7778 PasswordUtil#isPlainTextPassword doesn't validate PBKDF2 scheme
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java
jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java
jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java?rev=1841909&r1=1841908&r2=1841909&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java Tue Sep 25 08:13:45 2018
@@ -35,6 +35,7 @@ import org.apache.jackrabbit.api.securit
 import org.apache.jackrabbit.api.security.user.Impersonation;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
+import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
 import org.apache.jackrabbit.test.NotExecutableException;
 import org.junit.Test;
@@ -226,7 +227,7 @@ public class UserImportTest extends Abst
 String pwValue = n.getProperty(UserConstants.REP_PASSWORD).getString();
 assertFalse(plainPw.equals(pwValue));
- assertTrue(pwValue.toLowerCase().startsWith("{sha"));
+ assertTrue(pwValue.toLowerCase().startsWith("{" + PasswordUtil.DEFAULT_ALGORITHM.toLowerCase()));
 }
 /**
Modified: jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java?rev=1841909&r1=1841908&r2=1841909&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java (original)
+++ jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java Tue Sep 25 08:13:45 2018
@@ -50,7 +50,7 @@ public final class PasswordUtil {
 /**
 * @since OAK 1.0
 */
- private static final String PBKDF2_PREFIX = "PBKDF2";
+ static final String PBKDF2_PREFIX = "PBKDF2";
 public static final String DEFAULT_ALGORITHM = "SHA-256";
 public static final int DEFAULT_SALT_SIZE = 8;
@@ -159,7 +159,7 @@ public final class PasswordUtil {
 * the given {@code hashedPassword} string.
 */
 public static boolean isSame(@Nullable String hashedPassword, @NotNull String password) {
- if (hashedPassword == null) {
+ if (hashedPassword == null || password == null) {
 return false;
 }
 try {
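Review bot: `PBKDF2_PREFIX` is widened from private to package-private in the `@@ -50` hunk with nothing on the field saying why, and the only consumer visible in this commit is the `assumeFalse(...)` in PasswordUtilTest; a reader of the main class cannot tell whether the constant is now meant to be relied on. Add `// package-private only so tests can compare DEFAULT_ALGORITHM against it` above the field (or the project's test-visibility annotation, if it uses one) so the widening is not taken as a new API surface.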
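Review bot: The new `password == null` guard in isSame contradicts the `@NotNull` annotation on the same parameter in the `@@ -159` hunk, so static analysis will report the check as dead while callers that do pass null now get `false` instead of an exception. If null is meant to be tolerated — returning false is the safe outcome for a credential check — the signature should say so: `public static boolean isSame(@Nullable String hashedPassword, @Nullable String password) {`, with a matching sentence in the Javadoc's `@param password` entry; otherwise the guard should be dropped rather than left to disagree with the contract. The remainder of isSame lies outside the hunk.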
@@ -329,7 +329,11 @@ public final class PasswordUtil {
 if (hashedPwd.charAt(0) == '{' && end > 0 && end < hashedPwd.length()-1) {
 String algorithm = hashedPwd.substring(1, end);
 try {
- MessageDigest.getInstance(algorithm);
+ if (algorithm.startsWith(PBKDF2_PREFIX)) {
+ SecretKeyFactory.getInstance(algorithm);
+ } else {
+ MessageDigest.getInstance(algorithm);
+ }
 return algorithm;
 } catch (NoSuchAlgorithmException e) {
 log.debug("Invalid algorithm detected " + algorithm, e);
Modified: jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java?rev=1841909&r1=1841908&r2=1841909&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java (original)
+++ jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java Tue Sep 25 08:13:45 2018
@@ -33,6 +33,7 @@ import static org.junit.Assert.assertEqu
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
+import static org.junit.Assume.assumeFalse;
 public class PasswordUtilTest {
@@ -115,6 +116,7 @@ public class PasswordUtilTest {
 @Test
 public void testBuildPasswordHashNoSaltNoIterations() throws Exception {
+ assumeFalse(PasswordUtil.DEFAULT_ALGORITHM.startsWith(PasswordUtil.PBKDF2_PREFIX));
 String jr2Hash = "{"+PasswordUtil.DEFAULT_ALGORITHM+"}" + Text.digest(PasswordUtil.DEFAULT_ALGORITHM, "pw".getBytes("utf-8"));
 assertTrue(PasswordUtil.isSame(jr2Hash, "pw"));
 }
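Review bot: The `algorithm.startsWith(PBKDF2_PREFIX)` dispatch added inside the try block is case-sensitive, whereas both `SecretKeyFactory.getInstance` and `MessageDigest.getInstance` resolve algorithm names case-insensitively, so a stored value whose prefix is written as, say, `{pbkdf2WithHmacSHA256}` is sent to MessageDigest, fails the lookup, and lands in the `log.debug("Invalid algorithm detected ...")` branch — presumably leaving the caller to treat a genuine hash as not-a-hash, which is the very misclassification this commit sets out to fix. Whether non-canonical prefixes can actually reach this method depends on how buildPasswordHash and the import path normalise the name, which the hunk does not show, so this may be latent rather than live. A case-insensitive prefix test keeps the routing consistent with the JCA lookups: `if (algorithm.regionMatches(true, 0, PBKDF2_PREFIX, 0, PBKDF2_PREFIX.length())) {`. The enclosing method begins and ends outside the hunk.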
@@ -218,16 +220,19 @@ public class PasswordUtilTest {
 }
 @Test
- public void testPBKDF2WithHmacSHA1() throws Exception {
- String algo = "PBKDF2WithHmacSHA1";
+ public void testPBKDF2With() throws Exception {
+ // https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html
+ String algo = "PBKDF2WithHmacSHA512";
 // test vector from http://tools.ietf.org/html/rfc6070
 String pw = "pass\0word";
 int iterations = 4096;
 String hash = PasswordUtil.buildPasswordHash(pw, algo, 5, iterations);
- assertTrue(hash.startsWith("{PBKDF2WithHmacSHA1}"));
- int cntOctets = hash.substring(hash.lastIndexOf('-')+1).length() / 2;
+ assertTrue(hash.startsWith("{" + algo + "}"));
+ int cntOctets = hash.substring(hash.lastIndexOf('-') + 1).length() / 2;
 assertEquals(16, cntOctets);
+
+ assertFalse(PasswordUtil.isPlainTextPassword(hash));
+ assertTrue(PasswordUtil.isSame(hash, pw));
 }
- }
\ No newline at end of file
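Review bot: The retained comment `// test vector from http://tools.ietf.org/html/rfc6070` becomes misleading once `algo` is switched to `PBKDF2WithHmacSHA512`: RFC 6070 publishes vectors for PBKDF2-HMAC-SHA1 only, and the test never compares the derived key against any published value — it only borrows the password and iteration count and then checks the prefix, the octet count and a round trip. Reword it to `// password and iteration count borrowed from the RFC 6070 (PBKDF2-HMAC-SHA1) vectors; the derived key itself is not compared` so nobody reads the test as a KAT. The renamed method `testPBKDF2With` also reads as truncated; `testPBKDF2WithHmacSHA512` would say what it covers, and since the SHA1 case is no longer exercised anywhere in this file, keeping a second test for the previous `PBKDF2WithHmacSHA1` name would preserve that coverage.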