PasswordFactory.java
- /*
- * Copyright (c) 2002-2022, City of Paris
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice
- * and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright notice
- * and the following disclaimer in the documentation and/or other materials
- * provided with the distribution.
- *
- * 3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
- * contributors may be used to endorse or promote products derived from
- * this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- *
- * License 1.0
- */
- package fr.paris.lutece.portal.business.user.authentication;
- import java.security.MessageDigest;
- import java.security.NoSuchAlgorithmException;
- import java.security.SecureRandom;
- import java.security.spec.InvalidKeySpecException;
- import java.util.Arrays;
- import java.util.Random;
- import java.util.regex.Matcher;
- import java.util.regex.Pattern;
- import javax.crypto.SecretKeyFactory;
- import javax.crypto.spec.PBEKeySpec;
- import org.apache.commons.codec.DecoderException;
- import org.apache.commons.codec.binary.Hex;
- import fr.paris.lutece.portal.service.util.AppException;
- import fr.paris.lutece.portal.service.util.AppLogService;
- import fr.paris.lutece.portal.service.util.AppPropertiesService;
- import fr.paris.lutece.portal.service.util.CryptoService;
- import fr.paris.lutece.util.password.IPassword;
- import fr.paris.lutece.util.password.IPasswordFactory;
- /**
- * A factory for getting storable password representation
- */
- final class PasswordFactory implements IPasswordFactory
- {
- // storage types
- private static final String ERROR_PASSWORD_STORAGE = "Invalid stored password ";
- private static final String PBKDF2WITHHMACSHA1_STORAGE_TYPE = "PBKDF2";
- private static final String PBKDF2WITHHMACSHA512_STORAGE_TYPE = "PBKDF2WITHHMACSHA512";
- private static final String PLAINTEXT_STORAGE_TYPE = "PLAINTEXT";
- private static final String DUMMY_STORAGE_TYPE = "\0DUMMY\0";
- private static final String DUMMY_STORED_PASSWORD = DUMMY_STORAGE_TYPE + ":\0";
- @Override
- public IPassword getPassword( String strStoredPassword )
- {
- int storageTypeSeparatorIndex = strStoredPassword.indexOf( ':' );
- if ( storageTypeSeparatorIndex == -1 )
- {
- throw new IllegalArgumentException( strStoredPassword );
- }
- String storageType = strStoredPassword.substring( 0, storageTypeSeparatorIndex );
- String password = strStoredPassword.substring( storageTypeSeparatorIndex + 1 );
- switch( storageType )
- {
- case PLAINTEXT_STORAGE_TYPE:
- return new PlaintextPassword( password );
- case PBKDF2WITHHMACSHA1_STORAGE_TYPE:
- return new PBKDF2WithHmacSHA1Password( password );
- case PBKDF2WITHHMACSHA512_STORAGE_TYPE:
- return new PBKDF2WithHmacSHA512Password( password );
- case DUMMY_STORAGE_TYPE:
- return new DummyPassword( );
- default:
- return new DigestPassword( storageType, password );
- }
- }
- @Override
- public IPassword getPasswordFromCleartext( String strUserPassword )
- {
- return new PBKDF2WithHmacSHA512Password( strUserPassword, PBKDF2Password.PASSWORD_REPRESENTATION.CLEARTEXT );
- }
- @Override
- public IPassword getDummyPassword( )
- {
- return getPassword( DUMMY_STORED_PASSWORD );
- }
- /**
- * A Password stored using PBKDF2
- */
- private abstract static class PBKDF2Password implements IPassword
- {
- /**
- * Enum to specify if the password is constructed from cleartext or hashed form
- */
- enum PASSWORD_REPRESENTATION
- {
- CLEARTEXT,
- STORABLE
- }
- /** Storage format : iterations:hex(salt):hex(hash) */
- private static final Pattern FORMAT = Pattern.compile( "^(\\d+):([a-z0-9]+):([a-z0-9]+)$", Pattern.CASE_INSENSITIVE );
- private static final Random RANDOM;
- // init the random number generator
- static
- {
- Random rand;
- try
- {
- rand = SecureRandom.getInstance( "SHA1PRNG" );
- }
- catch( NoSuchAlgorithmException e )
- {
- AppLogService.error( "SHA1PRNG is not availabled. Picking the default SecureRandom.", e );
- rand = new SecureRandom( );
- }
- RANDOM = rand;
- }
- static final String PROPERTY_PASSWORD_HASH_ITERATIONS = "password.hash.iterations";
- static final int DEFAULT_HASH_ITERATIONS = 210000;
- private static final String PROPERTY_PASSWORD_HASH_LENGTH = "password.hash.length";
- /** number of iterations */
- final int _iterations;
- /** salt */
- private final byte [ ] _salt;
- /** hashed password */
- private final byte [ ] _hash;
- /**
- * Construct a password from the stored representation
- *
- * @param strStoredPassword
- * the stored representation
- */
- public PBKDF2Password( String strStoredPassword )
- {
- this( strStoredPassword, PASSWORD_REPRESENTATION.STORABLE );
- }
- /**
- * Construct a password
- *
- * @param strPassword
- * the password text
- * @param representation
- * representation of strPassword
- */
- public PBKDF2Password( String strPassword, PASSWORD_REPRESENTATION representation )
- {
- switch( representation )
- {
- case CLEARTEXT:
- _iterations = AppPropertiesService.getPropertyInt( PROPERTY_PASSWORD_HASH_ITERATIONS, DEFAULT_HASH_ITERATIONS );
- int hashLength = AppPropertiesService.getPropertyInt( PROPERTY_PASSWORD_HASH_LENGTH, 128 );
- try
- {
- _salt = new byte [ 16];
- RANDOM.nextBytes( _salt );
- PBEKeySpec spec = new PBEKeySpec( strPassword.toCharArray( ), _salt, _iterations, hashLength * 8 );
- SecretKeyFactory skf = SecretKeyFactory.getInstance( getAlgorithm( ) );
- _hash = skf.generateSecret( spec ).getEncoded( );
- }
- catch( NoSuchAlgorithmException | InvalidKeySpecException e )
- {
- throw new AppException( "Invalid Algo or key", e ); // should not happen
- }
- break;
- case STORABLE:
- Matcher matcher = FORMAT.matcher( strPassword );
- if ( !matcher.matches( ) || matcher.groupCount( ) != 3 )
- {
- throw new IllegalArgumentException( ERROR_PASSWORD_STORAGE + strPassword );
- }
- _iterations = Integer.valueOf( matcher.group( 1 ) );
- try
- {
- _salt = Hex.decodeHex( matcher.group( 2 ).toCharArray( ) );
- _hash = Hex.decodeHex( matcher.group( 3 ).toCharArray( ) );
- }
- catch( DecoderException e )
- {
- throw new IllegalArgumentException( ERROR_PASSWORD_STORAGE + strPassword );
- }
- break;
- default:
- throw new IllegalArgumentException( representation.toString( ) );
- }
- }
- /**
- * Get the PBKDF2 algorithm
- *
- * @return the PBKDF2 algorithm to use
- */
- protected abstract String getAlgorithm( );
- @Override
- public boolean check( String strCleartextPassword )
- {
- PBEKeySpec spec = new PBEKeySpec( strCleartextPassword.toCharArray( ), _salt, _iterations, _hash.length * 8 );
- try
- {
- SecretKeyFactory skf = SecretKeyFactory.getInstance( getAlgorithm( ) );
- byte [ ] testHash = skf.generateSecret( spec ).getEncoded( );
- return Arrays.equals( _hash, testHash );
- }
- catch( NoSuchAlgorithmException | InvalidKeySpecException e )
- {
- throw new AppException( "Invalid Algo or key", e ); // should not happen
- }
- }
- /**
- * Get the storage type identifier
- *
- * @return the storage type identifier
- */
- protected abstract String getStorageType( );
- @Override
- public String getStorableRepresentation( )
- {
- StringBuilder sb = new StringBuilder( );
- sb.append( getStorageType( ) ).append( ':' );
- sb.append( _iterations ).append( ':' ).append( Hex.encodeHex( _salt ) );
- sb.append( ':' ).append( Hex.encodeHex( _hash ) );
- return sb.toString( );
- }
- }
- /**
- * A Password stored using PBKDF2WithHmacSHA1
- */
- private static final class PBKDF2WithHmacSHA1Password extends PBKDF2Password
- {
- /**
- * Construct a password from the stored representation
- *
- * @param strStoredPassword
- * the stored representation
- */
- public PBKDF2WithHmacSHA1Password( String strStoredPassword )
- {
- super( strStoredPassword );
- }
- @Override
- public boolean isLegacy( )
- {
- return true;
- }
- @Override
- protected String getAlgorithm( )
- {
- return "PBKDF2WithHmacSHA1";
- }
- @Override
- protected String getStorageType( )
- {
- return PBKDF2WITHHMACSHA1_STORAGE_TYPE;
- }
- /**
- * Legacy passwords must not be stored.
- *
- * @return never returns
- * @throws UnsupportedOperationException
- * Always thrown because Legacy passwords must not be stored.
- */
- @Override
- public String getStorableRepresentation( )
- {
- throw new UnsupportedOperationException( "Must not store a legacy password" );
- }
- }
- /**
- * A Password stored using PBKDF2WithHmacSHA512
- */
- private static class PBKDF2WithHmacSHA512Password extends PBKDF2Password
- {
- /**
- * Construct a password from the stored representation
- *
- * @param strStoredPassword
- * the stored representation
- */
- public PBKDF2WithHmacSHA512Password( String strStoredPassword )
- {
- super( strStoredPassword );
- }
- /**
- * Construct a password
- *
- * @param strStoredPassword
- * the password text
- * @param representation
- * representation of strPassword
- */
- public PBKDF2WithHmacSHA512Password( String strStoredPassword, PASSWORD_REPRESENTATION representation )
- {
- super( strStoredPassword, representation );
- }
- @Override
- public boolean isLegacy( )
- {
- int iterations = AppPropertiesService.getPropertyInt( PROPERTY_PASSWORD_HASH_ITERATIONS, DEFAULT_HASH_ITERATIONS );
- return _iterations < iterations;
- }
- @Override
- protected String getAlgorithm( )
- {
- return "PBKDF2WithHmacSHA512";
- }
- @Override
- protected String getStorageType( )
- {
- return PBKDF2WITHHMACSHA512_STORAGE_TYPE;
- }
- }
- /**
- * Dummy password which never matches a user password, but takes the same time as the PBKDF2Password to do so.
- */
- private static final class DummyPassword extends PBKDF2WithHmacSHA512Password
- {
- DummyPassword( )
- {
- // take the same time to construct as a proper PBKDF2Password
- super( "", PASSWORD_REPRESENTATION.CLEARTEXT );
- }
- @Override
- public boolean check( String strCleartextPassword )
- {
- // take the same time to check as a proper PBKDF2Password
- super.check( strCleartextPassword );
- return false;
- }
- @Override
- public String getStorableRepresentation( )
- {
- throw new UnsupportedOperationException( "Must not store a dummy password" );
- }
- }
- /**
- * Legacy password implementation super class
- */
- private abstract static class LegacyPassword implements IPassword
- {
- /**
- * Legacy passwords are legacy
- *
- * @return <code>true</code>
- */
- @Override
- public final boolean isLegacy( )
- {
- return true;
- }
- /**
- * Legacy passwords must not be stored.
- *
- * @return never returns
- * @throws UnsupportedOperationException
- * Always thrown because Legacy passwords must not be stored.
- */
- @Override
- public final String getStorableRepresentation( )
- {
- throw new UnsupportedOperationException( "Passwords should not be stored without proper hashing and salting" );
- }
- }
- /**
- * Password stored as plaintext
- */
- private static final class PlaintextPassword extends LegacyPassword
- {
- /** the stored password */
- private final String _strPassword;
- /**
- * Constructor
- *
- * @param strStoredPassword
- * the stored password
- */
- public PlaintextPassword( String strStoredPassword )
- {
- _strPassword = strStoredPassword;
- }
- @Override
- public boolean check( String strCleartextPassword )
- {
- return _strPassword != null && _strPassword.equals( strCleartextPassword );
- }
- }
- /**
- * Password stored as {@link MessageDigest} output
- */
- private static final class DigestPassword extends LegacyPassword
- {
- /** the stored password */
- private final String _strPassword;
- /** the digest algorithm */
- private final String _strAlgorithm;
- /**
- * Constructor
- *
- * @param strAlgorithm
- * the digest algorithm
- * @param strStoredPassword
- * the stored password
- */
- public DigestPassword( String strAlgorithm, String strStoredPassword )
- {
- _strPassword = strStoredPassword;
- // check for algorithm support
- try
- {
- MessageDigest.getInstance( strAlgorithm );
- }
- catch( NoSuchAlgorithmException e )
- {
- throw new IllegalArgumentException( e );
- }
- _strAlgorithm = strAlgorithm;
- }
- @Override
- public boolean check( String strCleartextPassword )
- {
- return _strPassword != null && _strPassword.equals( CryptoService.encrypt( strCleartextPassword, _strAlgorithm ) );
- }
- }
- }