Posted to oak-commits@jackrabbit.apache.org by st...@apache.org on 2018/09/25 08:13:45 UTC

svn commit: r1841909 - in /jackrabbit/oak/trunk: oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/ oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/ oak-security-spi/src/test/java/org/apache/jackrabbit/oa...

Author: stillalex
Date: Tue Sep 25 08:13:45 2018
New Revision: 1841909

URL: http://svn.apache.org/viewvc?rev=1841909&view=rev
Log:
OAK-7778 PasswordUtil#isPlainTextPassword doesn't validate PBKDF2 scheme


Modified:
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java
    jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java
    jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java?rev=1841909&r1=1841908&r2=1841909&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserImportTest.java Tue Sep 25 08:13:45 2018
@@ -35,6 +35,7 @@ import org.apache.jackrabbit.api.securit
 import org.apache.jackrabbit.api.security.user.Impersonation;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
+import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
 import org.apache.jackrabbit.test.NotExecutableException;
 import org.junit.Test;
 
@@ -226,7 +227,7 @@ public class UserImportTest extends Abst
 
         String pwValue = n.getProperty(UserConstants.REP_PASSWORD).getString();
         assertFalse(plainPw.equals(pwValue));
-        assertTrue(pwValue.toLowerCase().startsWith("{sha"));
+        assertTrue(pwValue.toLowerCase().startsWith("{" + PasswordUtil.DEFAULT_ALGORITHM.toLowerCase()));
     }
 
     /**
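Review bot: Both `toLowerCase()` calls on the new assertion line use the JVM default locale; for the `{sha-256}` prefix this happens to be harmless, but the locale-independent form is the idiom in a security test, `assertTrue(pwValue.toLowerCase(Locale.ROOT).startsWith("{" + PasswordUtil.DEFAULT_ALGORITHM.toLowerCase(Locale.ROOT)));` (requires `java.util.Locale` to be imported, which the hunk does not show). The enclosing test method starts outside the hunk.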

Modified: jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java?rev=1841909&r1=1841908&r2=1841909&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java (original)
+++ jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtil.java Tue Sep 25 08:13:45 2018
@@ -50,7 +50,7 @@ public final class PasswordUtil {
     /**
      * @since OAK 1.0
      */
-    private static final String PBKDF2_PREFIX = "PBKDF2";
+    static final String PBKDF2_PREFIX = "PBKDF2";
     
     public static final String DEFAULT_ALGORITHM = "SHA-256";
     public static final int DEFAULT_SALT_SIZE = 8;
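Review bot: `PBKDF2_PREFIX` is widened from `private` to package-private only so that `PasswordUtilTest` can read it, but nothing at the declaration says so, and the Javadoc still carries just `@since OAK 1.0`. Add a one-line reason so the visibility is not widened further by accident, e.g. `// package-private for PasswordUtilTest only; not part of the public API` above the field. If the project already uses a `@VisibleForTesting`-style annotation elsewhere, that would be the better marker.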
@@ -159,7 +159,7 @@ public final class PasswordUtil {
      * the given {@code hashedPassword} string.
      */
     public static boolean isSame(@Nullable String hashedPassword, @NotNull String password) {
-        if (hashedPassword == null) {
+        if (hashedPassword == null || password == null) {
             return false;
         }
         try {
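Review bot: The new `password == null` guard contradicts the parameter's `@NotNull` annotation one line above: static analysis will now flag the check as dead code while callers are still told null is forbidden. Either the annotation should become `@Nullable` to match the new behaviour, `public static boolean isSame(@Nullable String hashedPassword, @Nullable String password) {`, or the guard should be dropped and the contract enforced with `Objects.requireNonNull`. The method's Javadoc (outside the hunk) should also state that a null in either argument yields `false` rather than an exception, since that is now observable behaviour. The body of `isSame` continues outside the hunk.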
@@ -329,7 +329,11 @@ public final class PasswordUtil {
             if (hashedPwd.charAt(0) == '{' && end > 0 && end < hashedPwd.length()-1) {
                 String algorithm = hashedPwd.substring(1, end);
                 try {
-                    MessageDigest.getInstance(algorithm);
+                    if (algorithm.startsWith(PBKDF2_PREFIX)) {
+                        SecretKeyFactory.getInstance(algorithm);
+                    } else {
+                        MessageDigest.getInstance(algorithm);
+                    }
                     return algorithm;
                 } catch (NoSuchAlgorithmException e) {
                     log.debug("Invalid algorithm detected " + algorithm, e);
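Review bot: The prefix-based branch decides which JCA factory is probed, but nothing explains why PBKDF2 names must go through `SecretKeyFactory` while everything else goes through `MessageDigest`, which is the whole point of this fix; add a comment above the new `if`, e.g. `// PBKDF2 variants are key-derivation functions registered with SecretKeyFactory, not MessageDigest; probing the right factory keeps this in sync with buildPasswordHash`. The `startsWith(PBKDF2_PREFIX)` test is case-sensitive, so a stored hash with a lower-cased prefix would fall into the `MessageDigest` branch and be reported as invalid — presumably acceptable if `buildPasswordHash` always writes the canonical name, but worth confirming. The enclosing method starts and ends outside the hunk.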

Modified: jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java?rev=1841909&r1=1841908&r2=1841909&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java (original)
+++ jackrabbit/oak/trunk/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/user/util/PasswordUtilTest.java Tue Sep 25 08:13:45 2018
@@ -33,6 +33,7 @@ import static org.junit.Assert.assertEqu
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
+import static org.junit.Assume.assumeFalse;
 
 public class PasswordUtilTest {
 
@@ -115,6 +116,7 @@ public class PasswordUtilTest {
 
     @Test
     public void testBuildPasswordHashNoSaltNoIterations() throws Exception {
+        assumeFalse(PasswordUtil.DEFAULT_ALGORITHM.startsWith(PasswordUtil.PBKDF2_PREFIX));
         String jr2Hash = "{"+PasswordUtil.DEFAULT_ALGORITHM+"}" + Text.digest(PasswordUtil.DEFAULT_ALGORITHM, "pw".getBytes("utf-8"));
         assertTrue(PasswordUtil.isSame(jr2Hash, "pw"));
     }
@@ -218,16 +220,19 @@ public class PasswordUtilTest {
     }
 
     @Test
-    public void testPBKDF2WithHmacSHA1() throws Exception {
-        String algo = "PBKDF2WithHmacSHA1";
+    public void testPBKDF2With() throws Exception {
+        // https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html
+        String algo = "PBKDF2WithHmacSHA512";
         // test vector from http://tools.ietf.org/html/rfc6070
         String pw = "pass\0word";
         int iterations = 4096;
 
         String hash = PasswordUtil.buildPasswordHash(pw, algo, 5, iterations);
-        assertTrue(hash.startsWith("{PBKDF2WithHmacSHA1}"));
-        int cntOctets = hash.substring(hash.lastIndexOf('-')+1).length() / 2;
+        assertTrue(hash.startsWith("{" + algo + "}"));
+        int cntOctets = hash.substring(hash.lastIndexOf('-') + 1).length() / 2;
         assertEquals(16, cntOctets);
+
+        assertFalse(PasswordUtil.isPlainTextPassword(hash));
+        assertTrue(PasswordUtil.isSame(hash, pw));
     }
-    
 }
\ No newline at end of file
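Review bot: The comment `// test vector from http://tools.ietf.org/html/rfc6070` is now misleading: RFC 6070 vectors are defined for PBKDF2-HMAC-SHA1 only, the algorithm was switched to `PBKDF2WithHmacSHA512`, and with a random 5-byte salt the test never compares against a known output anyway. Replace it with `// "pass\0word" / 4096 iterations mirror the RFC 6070 inputs, but the salt is random, so only the hash structure and round-trip are checked`. The renamed `testPBKDF2With` also reads as unfinished; `testPBKDF2WithHmacSHA512` names what it covers, and the new `isSame` assertion is the actual regression check for OAK-7778, so a short `// regression for OAK-7778` above it would help future readers.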