Posted to oak-commits@jackrabbit.apache.org by st...@apache.org on 2018/09/25 08:13:45 UTC
svn commit: r1841909 - in /jackrabbit/oak/trunk:
oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/
oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/
oak-security-spi/src/test/java/org/apache/jackrabbit/oa...
Author: stillalex
Date: Tue Sep 25 08:13:45 2018
New Revision: 1841909
URL: http://svn.apache.org/viewvc?rev=1841909&view=rev
Log:
OAK-7778 PasswordUtil#isPlainTextPassword doesn't validate PBKDF2 scheme
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java
jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java
jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java?rev=1841909&r1=1841908&r2=1841909&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java Tue Sep 25 08:13:45 2018
@@ -35,6 +35,7 @@ import org.apache.jackrabbit.api.securit
import org.apache.jackrabbit.api.security.user.Impersonation;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
+import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
import org.apache.jackrabbit.test.NotExecutableException;
import org.junit.Test;
@@ -226,7 +227,7 @@ public class UserImportTest extends Abst
String pwValue = n.getProperty(UserConstants.REP_PASSWORD).getString();
assertFalse(plainPw.equals(pwValue));
- assertTrue(pwValue.toLowerCase().startsWith("{sha"));
+ assertTrue(pwValue.toLowerCase().startsWith("{" + PasswordUtil.DEFAULT_ALGORITHM.toLowerCase()));
}
/**
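Review bot: The rewritten assertion still only checks that the stored value starts with `{<default algorithm>}`, which says the importer chose the default scheme but does not exercise the plain-text detection this commit fixes; adding `assertFalse(PasswordUtil.isPlainTextPassword(pwValue));` next to it would cover that path for whatever the default becomes, including a PBKDF2 scheme. The two `toLowerCase()` calls are locale-dependent; `toLowerCase(Locale.ROOT)` on both sides keeps the comparison stable on JVMs with a non-English default locale. The enclosing test method starts before this hunk.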
Modified: jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java?rev=1841909&r1=1841908&r2=1841909&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java (original)
+++ jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java Tue Sep 25 08:13:45 2018
@@ -50,7 +50,7 @@ public final class PasswordUtil {
/**
* @since OAK 1.0
*/
- private static final String PBKDF2_PREFIX = "PBKDF2";
+ static final String PBKDF2_PREFIX = "PBKDF2";
public static final String DEFAULT_ALGORITHM = "SHA-256";
public static final int DEFAULT_SALT_SIZE = 8;
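Review bot: `PBKDF2_PREFIX` is widened from private to package-private with no comment saying why; from the diff it appears to be only so PasswordUtilTest can read it (the test hunk in this commit references `PasswordUtil.PBKDF2_PREFIX`), but a reader of the main class cannot tell it is not meant as API. Add a line to its Javadoc such as `Package-private only so that tests can reference the PBKDF2 scheme prefix; not part of the public API.` The enclosing class continues outside the hunk.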
@@ -159,7 +159,7 @@ public final class PasswordUtil {
* the given {@code hashedPassword} string.
*/
public static boolean isSame(@Nullable String hashedPassword, @NotNull String password) {
- if (hashedPassword == null) {
+ if (hashedPassword == null || password == null) {
return false;
}
try {
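Review bot: The added `password == null` guard contradicts the `@NotNull` annotation on the same signature: annotation-aware tooling will report the check as dead and callers passing null get no warning, while at runtime the method now quietly returns false. Either change the parameter to `@Nullable String password` and document it (`@param password the password to compare; if {@code null} the result is {@code false}`), or keep `@NotNull` and drop the guard so a null is reported at the call site. The Javadoc and the rest of the method body lie outside this hunk.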
@@ -329,7 +329,11 @@ public final class PasswordUtil {
if (hashedPwd.charAt(0) == '{' && end > 0 && end < hashedPwd.length()-1) {
String algorithm = hashedPwd.substring(1, end);
try {
- MessageDigest.getInstance(algorithm);
+ if (algorithm.startsWith(PBKDF2_PREFIX)) {
+ SecretKeyFactory.getInstance(algorithm);
+ } else {
+ MessageDigest.getInstance(algorithm);
+ }
return algorithm;
} catch (NoSuchAlgorithmException e) {
log.debug("Invalid algorithm detected " + algorithm, e);
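Review bot: The new `algorithm.startsWith(PBKDF2_PREFIX)` test is case-sensitive, whereas the `SecretKeyFactory.getInstance` and `MessageDigest.getInstance` lookups it chooses between are case-insensitive JCA lookups, so a stored value whose scheme is written as `{pbkdf2WithHmacSHA1}` is sent to `MessageDigest.getInstance`, hits `NoSuchAlgorithmException`, and is logged as an invalid algorithm below; whether that is a regression depends on how the hash-building and comparing code outside this hunk matches the PBKDF2 prefix, so the two should at least agree. If a case-insensitive match is intended, `if (algorithm.regionMatches(true, 0, PBKDF2_PREFIX, 0, PBKDF2_PREFIX.length())) {` does it without allocating. A why-comment on the branch would also help: `// PBKDF2 schemes are key-derivation functions, not digests, so they resolve through SecretKeyFactory`. The enclosing method starts before this hunk and its catch block continues after it.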
Modified: jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java?rev=1841909&r1=1841908&r2=1841909&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java (original)
+++ jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java Tue Sep 25 08:13:45 2018
@@ -33,6 +33,7 @@ import static org.junit.Assert.assertEqu
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
+import static org.junit.Assume.assumeFalse;
public class PasswordUtilTest {
@@ -115,6 +116,7 @@ public class PasswordUtilTest {
@Test
public void testBuildPasswordHashNoSaltNoIterations() throws Exception {
+ assumeFalse(PasswordUtil.DEFAULT_ALGORITHM.startsWith(PasswordUtil.PBKDF2_PREFIX));
String jr2Hash = "{"+PasswordUtil.DEFAULT_ALGORITHM+"}" + Text.digest(PasswordUtil.DEFAULT_ALGORITHM, "pw".getBytes("utf-8"));
assertTrue(PasswordUtil.isSame(jr2Hash, "pw"));
}
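Review bot: The added `assumeFalse` skips the test silently whenever the default algorithm is a PBKDF2 scheme, and nothing in the hunk says why that case cannot be exercised; presumably `Text.digest` only produces a plain message digest, so there is no JR2-style `{ALGO}digest` form to build for PBKDF2, but a reader has to infer that. A comment on the assumption, such as `// JR2-style "{ALGO}digest" hashes only exist for MessageDigest algorithms; a PBKDF2 default cannot be expressed this way`, would keep the skip from reading as a coverage gap.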
@@ -218,16 +220,19 @@ public class PasswordUtilTest {
}
@Test
- public void testPBKDF2WithHmacSHA1() throws Exception {
- String algo = "PBKDF2WithHmacSHA1";
+ public void testPBKDF2With() throws Exception {
+ // https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html
+ String algo = "PBKDF2WithHmacSHA512";
// test vector from http://tools.ietf.org/html/rfc6070
String pw = "pass\0word";
int iterations = 4096;
String hash = PasswordUtil.buildPasswordHash(pw, algo, 5, iterations);
- assertTrue(hash.startsWith("{PBKDF2WithHmacSHA1}"));
- int cntOctets = hash.substring(hash.lastIndexOf('-')+1).length() / 2;
+ assertTrue(hash.startsWith("{" + algo + "}"));
+ int cntOctets = hash.substring(hash.lastIndexOf('-') + 1).length() / 2;
assertEquals(16, cntOctets);
+
+ assertFalse(PasswordUtil.isPlainTextPassword(hash));
+ assertTrue(PasswordUtil.isSame(hash, pw));
}
-
}
\ No newline at end of file
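Review bot: The retained comment `// test vector from http://tools.ietf.org/html/rfc6070` no longer matches the code: RFC 6070 defines vectors for PBKDF2-HMAC-SHA1 only, the algorithm is now `PBKDF2WithHmacSHA512`, and with a random salt the test never compares against an expected output anyway, only the 16-octet length and an `isSame` round trip. Reword it to `// input, iteration count and key length borrowed from RFC 6070 (whose vectors are HMAC-SHA1 only); the output is not checked against the RFC`, and consider keeping the removed HMAC-SHA1 case alongside rather than replacing it, since that is the only variant a known-answer check could pin. The new name `testPBKDF2With` reads as truncated; `testPBKDF2WithHmacSHA512` would say what is covered.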