[james-project] 02/09: JAMES-3674 DefaultUser.digestString should take salt into account
This is an automated email from the ASF dual-hosted git repository.
btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 72f570bcf88ece0ccd56308e6831c24de4453a8d
Author: Benoit Tellier <bt...@linagora.com>
AuthorDate: Fri Dec 3 10:00:18 2021 +0700
JAMES-3674 DefaultUser.digestString should take salt into account
---
.../apache/james/user/lib/model/DefaultUser.java | 27 +++++++++++-----------
.../james/user/lib/model/DefaultUserTest.java | 9 ++++----
2 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/server/data/data-library/src/main/java/org/apache/james/user/lib/model/DefaultUser.java b/server/data/data-library/src/main/java/org/apache/james/user/lib/model/DefaultUser.java
index 164ff05..c63f1cd 100644
--- a/server/data/data-library/src/main/java/org/apache/james/user/lib/model/DefaultUser.java
+++ b/server/data/data-library/src/main/java/org/apache/james/user/lib/model/DefaultUser.java
@@ -91,8 +91,7 @@ public class DefaultUser implements User, Serializable {
@Override
public boolean verifyPassword(String pass) {
try {
- String credentials = getCredentials(currentAlgorithm, pass);
- String hashGuess = digestString(credentials, currentAlgorithm);
+ String hashGuess = digestString(pass, currentAlgorithm, userName.asString());
return hashedPassword.equals(hashGuess);
} catch (NoSuchAlgorithmException nsae) {
throw new RuntimeException("Security error: " + nsae);
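Review bot: The digest computed on the added line is still compared with `hashedPassword.equals(hashGuess)` on the following context line, which returns on the first differing character; since this is the password check, the comparison should be constant-time, e.g. `return MessageDigest.isEqual(hashedPassword.getBytes(ISO_8859_1), hashGuess.getBytes(ISO_8859_1));` — both `MessageDigest` and `ISO_8859_1` are already used by `digestString` in this file. The catch on the last context line also drops the cause by concatenating it into the message; `throw new RuntimeException("Security error", nsae);` keeps the stack trace, and the same catch pattern is visible in the setPassword hunk. verifyPassword's catch block continues outside the hunk.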
@@ -102,8 +101,7 @@ public class DefaultUser implements User, Serializable {
@Override
public boolean setPassword(String newPass) {
try {
- String newCredentials = getCredentials(preferredAlgorithm, newPass);
- hashedPassword = digestString(newCredentials, preferredAlgorithm);
+ hashedPassword = digestString(newPass, preferredAlgorithm, userName.asString());
currentAlgorithm = preferredAlgorithm;
return true;
} catch (NoSuchAlgorithmException nsae) {
@@ -111,13 +109,7 @@ public class DefaultUser implements User, Serializable {
}
}
- private String getCredentials(Algorithm algorithm, String pass) {
- if (algorithm.isSalted()) {
- return userName.asString() + pass;
- } else {
- return pass;
- }
- }
+
/**
* Method to access hash of password
@@ -150,13 +142,14 @@ public class DefaultUser implements User, Serializable {
* @throws NoSuchAlgorithmException
* if the algorithm passed in cannot be found
*/
- static String digestString(String pass, Algorithm algorithm) throws NoSuchAlgorithmException {
+ static String digestString(String pass, Algorithm algorithm, String salt) throws NoSuchAlgorithmException {
MessageDigest md;
ByteArrayOutputStream bos;
try {
md = MessageDigest.getInstance(algorithm.getName());
- byte[] digest = md.digest(pass.getBytes(ISO_8859_1));
+ String saltedPass = applySalt(algorithm, pass, salt);
+ byte[] digest = md.digest(saltedPass.getBytes(ISO_8859_1));
bos = new ByteArrayOutputStream();
OutputStream encodedStream = MimeUtility.encode(bos, "base64");
encodedStream.write(digest);
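Review bot: The new `salt` parameter is not described in the Javadoc that precedes the signature; only the `@throws` tail of that Javadoc is visible here, so if a `@param` list exists above the hunk it presumably predates the change and lacks this entry. Add `@param salt value prepended to {@code pass} when {@code algorithm.isSalted()}, ignored otherwise` so callers know the salt is conditional on the algorithm and not always applied. The method body and its surrounding try/catch continue outside the hunk.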
@@ -168,4 +161,12 @@ public class DefaultUser implements User, Serializable {
throw new RuntimeException("Fatal error", e);
}
}
+
+ static String applySalt(Algorithm algorithm, String pass, String salt) {
+ if (algorithm.isSalted()) {
+ return salt + pass;
+ } else {
+ return pass;
+ }
+ }
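Review bot: `applySalt` accepts a null `salt` silently: `salt + pass` then yields the literal prefix `"null"`, producing a well-formed but wrong digest instead of failing, which would be hard to diagnose at `verifyPassword` time. Guard it at the top of the method with `Objects.requireNonNull(salt, "salt");` (requires `java.util.Objects`, which I cannot see among the imports), or apply the check only inside the `isSalted()` branch if a null salt is legitimate for unsalted algorithms. A one-line Javadoc on this package-private helper stating that the salt is only used for salted algorithms would also help, since `digestString` and the tests call it indirectly.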
}
diff --git a/server/data/data-library/src/test/java/org/apache/james/user/lib/model/DefaultUserTest.java b/server/data/data-library/src/test/java/org/apache/james/user/lib/model/DefaultUserTest.java
index 3a79d64..87f9e2a 100644
--- a/server/data/data-library/src/test/java/org/apache/james/user/lib/model/DefaultUserTest.java
+++ b/server/data/data-library/src/test/java/org/apache/james/user/lib/model/DefaultUserTest.java
@@ -79,7 +79,8 @@ public class DefaultUserTest {
@ParameterizedTest
@MethodSource("sha1LegacyTestBed")
void testSha1Legacy(String password, String expectedHash) throws Exception {
- assertThat(DefaultUser.digestString(Optional.ofNullable(password).orElse(""), Algorithm.of("SHA-1", "legacy")))
+ assertThat(DefaultUser.digestString(Optional.ofNullable(password).orElse(""),
+ Algorithm.of("SHA-1", "legacy"), "salt"))
.isEqualTo(expectedHash);
}
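Review bot: Every call site in this hunk and in the testSha512Legacy, testSha1 and testSha512 hunks passes the constant `"salt"`, so no test demonstrates that the salt actually changes the digest for a salted algorithm, or that a legacy algorithm ignores it; the existing expected-hash test beds cannot tell the two apart. I cannot see from this page which `Algorithm.of(...)` variant reports `isSalted()`, so the sketch below marks that as a TODO to confirm. A matching assertion that the legacy variant yields equal digests for two different salts would pin the unsalted path as well.
```java
@Test
void digestStringShouldDependOnSaltForSaltedAlgorithm() throws Exception {
    Algorithm algorithm = Algorithm.of("SHA-512"); // TODO confirm this variant reports isSalted()
    assertThat(DefaultUser.digestString("password", algorithm, "salt-a"))
        .isNotEqualTo(DefaultUser.digestString("password", algorithm, "salt-b"));
}
```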
@@ -94,7 +95,7 @@ public class DefaultUserTest {
@ParameterizedTest
@MethodSource("sha512LegacyTestBed")
void testSha512Legacy(String password, String expectedHash) throws Exception {
- assertThat(DefaultUser.digestString(password, Algorithm.of("SHA-512", "legacy")))
+ assertThat(DefaultUser.digestString(password, Algorithm.of("SHA-512", "legacy"), "salt"))
.isEqualTo(expectedHash);
}
@@ -109,7 +110,7 @@ public class DefaultUserTest {
@ParameterizedTest
@MethodSource("sha1TestBed")
void testSha1(String password, String expectedHash) throws Exception {
- assertThat(DefaultUser.digestString(Optional.ofNullable(password).orElse(""), Algorithm.of("SHA-1")))
+ assertThat(DefaultUser.digestString(Optional.ofNullable(password).orElse(""), Algorithm.of("SHA-1"), "salt"))
.isEqualTo(expectedHash);
}
@@ -124,7 +125,7 @@ public class DefaultUserTest {
@ParameterizedTest
@MethodSource("sha512TestBed")
void testSha512(String password, String expectedHash) throws Exception {
- assertThat(DefaultUser.digestString(password, Algorithm.of("SHA-512")))
+ assertThat(DefaultUser.digestString(password, Algorithm.of("SHA-512"), "salt"))
.isEqualTo(expectedHash);
}
}