public void setSecurityFactory(OSecurityFactory factory) { if (factory != null) securityFactory = factory; else securityFactory = new OSecuritySharedFactory(); }
public OSecurity newSecurity() { if (securityFactory != null) return securityFactory.newSecurity(); return null; } }
public static final String encryptPassword(final String iPassword) { return OSecurityManager.instance() .createHash(iPassword, OGlobalConfiguration.SECURITY_USER_PASSWORD_DEFAULT_ALGORITHM.getValueAsString(), true); }
public boolean checkPassword(final String iPassword) { return OSecurityManager.instance().checkPassword(iPassword, (String) document.field(PASSWORD_FIELD)); }
public String createHashWithSalt(final String iPassword, final int iIterations, final String algorithm) { final SecureRandom random = new SecureRandom(); final byte[] salt = new byte[SALT_SIZE]; random.nextBytes(salt); // Hash the password final byte[] hash = getPbkdf2(iPassword, salt, iIterations, HASH_SIZE, validateAlgorithm(algorithm)); return byteArrayToHexStr(hash) + ":" + byteArrayToHexStr(salt) + ":" + iIterations; }
/** * Checks if an hash string matches a password, based on the algorithm found on hash string. * * @param iHash * Hash string. Can contain the algorithm as prefix in the format <code>{ALGORITHM}-HASH</code>. * @param iPassword * @return */ public boolean checkPassword(final String iPassword, final String iHash) { if (iHash.startsWith(HASH_ALGORITHM_PREFIX)) { final String s = iHash.substring(HASH_ALGORITHM_PREFIX.length()); return createSHA256(iPassword).equals(s); } else if (iHash.startsWith(PBKDF2_ALGORITHM_PREFIX)) { final String s = iHash.substring(PBKDF2_ALGORITHM_PREFIX.length()); return checkPasswordWithSalt(iPassword, s, PBKDF2_ALGORITHM); } else if (iHash.startsWith(PBKDF2_SHA256_ALGORITHM_PREFIX)) { final String s = iHash.substring(PBKDF2_SHA256_ALGORITHM_PREFIX.length()); return checkPasswordWithSalt(iPassword, s, PBKDF2_SHA256_ALGORITHM); } // Do not compare raw strings against each other, to avoid timing attacks. // Instead, hash them both with a cryptographic hash function and // compare their hashes with a constant-time comparison method. return MessageDigest.isEqual(digestSHA256(iPassword), digestSHA256(iHash)); }
public boolean checkPasswordWithSalt(final String iPassword, final String iHash, final String algorithm) { if (!isAlgorithmSupported(algorithm)) { OLogManager.instance().error(this, "The password hash algorithm is not supported: %s", null, algorithm); return false; } // SPLIT PARTS final String[] params = iHash.split(":"); if (params.length != 3) throw new IllegalArgumentException("Hash does not contain the requested parts: <hash>:<salt>:<iterations>"); final byte[] hash = hexToByteArray(params[0]); final byte[] salt = hexToByteArray(params[1]); final int iterations = Integer.parseInt(params[2]); final byte[] testHash = getPbkdf2(iPassword, salt, iterations, hash.length, algorithm); return MessageDigest.isEqual(hash, testHash); }
final String algorithm = validateAlgorithm(iAlgorithm); transformed = createSHA256(iInput); } else if (PBKDF2_ALGORITHM.equalsIgnoreCase(algorithm)) { transformed = createHashWithSalt(iInput, OGlobalConfiguration.SECURITY_USER_PASSWORD_SALT_ITERATIONS.getValueAsInteger(), algorithm); } else if (PBKDF2_SHA256_ALGORITHM.equalsIgnoreCase(algorithm)) { transformed = createHashWithSalt(iInput, OGlobalConfiguration.SECURITY_USER_PASSWORD_SALT_ITERATIONS.getValueAsInteger(), algorithm); } else
public String createSHA256(final String iInput) { return byteArrayToHexStr(digestSHA256(iInput)); }
@Override public Object execute(final Object iThis, final OIdentifiable iCurrentRecord, final OCommandContext iContext, final Object ioResult, final Object[] iParams) { if (iThis == null) return null; final String algorithm = iParams.length > 0 ? iParams[0].toString() : OSecurityManager.HASH_ALGORITHM; try { return OSecurityManager.createHash(iThis.toString(), algorithm); } catch (NoSuchAlgorithmException e) { throw OException.wrapException(new OCommandExecutionException("hash(): algorithm '" + algorithm + "' is not supported"), e); } catch (UnsupportedEncodingException e) { throw OException.wrapException(new OCommandExecutionException("hash(): encoding 'UTF-8' is not supported"), e); } } }
public static String createHash(final String iInput, String iAlgorithm) throws NoSuchAlgorithmException, UnsupportedEncodingException { if (iAlgorithm == null) iAlgorithm = HASH_ALGORITHM; final MessageDigest msgDigest = MessageDigest.getInstance(iAlgorithm); return byteArrayToHexStr(msgDigest.digest(iInput.getBytes("UTF-8"))); }
public boolean checkPasswordWithSalt(final String iPassword, final String iHash) { return checkPasswordWithSalt(iPassword, iHash, OGlobalConfiguration.SECURITY_USER_PASSWORD_DEFAULT_ALGORITHM.getValueAsString()); }
private String validateAlgorithm(final String iAlgorithm) { String validAlgo = iAlgorithm; if (!isAlgorithmSupported(iAlgorithm)) { // Downgrade it to PBKDF2_ALGORITHM. validAlgo = PBKDF2_ALGORITHM; OLogManager.instance().debug(this, "The %s algorithm is not supported, downgrading to %s", iAlgorithm, validAlgo); } return validAlgo; }
public String createHashWithSalt(final String iPassword) { return createHashWithSalt(iPassword, OGlobalConfiguration.SECURITY_USER_PASSWORD_SALT_ITERATIONS.getValueAsInteger(), OGlobalConfiguration.SECURITY_USER_PASSWORD_DEFAULT_ALGORITHM.getValueAsString()); }
private byte[] getPbkdf2(final String iPassword, final byte[] salt, final int iterations, final int bytes, final String algorithm) { String cacheKey = null; final String hashedPassword = createSHA256(iPassword + new String(salt)); if (SALT_CACHE != null) { // SEARCH IN CACHE FIRST cacheKey = hashedPassword + "|" + Arrays.toString(salt) + "|" + iterations + "|" + bytes; final byte[] encoded = SALT_CACHE.get(cacheKey); if (encoded != null) return encoded; } final PBEKeySpec spec = new PBEKeySpec(iPassword.toCharArray(), salt, iterations, bytes * 8); final SecretKeyFactory skf; try { skf = SecretKeyFactory.getInstance(algorithm); final byte[] encoded = skf.generateSecret(spec).getEncoded(); if (SALT_CACHE != null) { // SAVE IT IN CACHE SALT_CACHE.put(cacheKey, encoded); } return encoded; } catch (Exception e) { throw OException.wrapException(new OSecurityException("Cannot create a key with '" + algorithm + "' algorithm"), e); } }
@Override public OUser getUser(final String username) { OUser user = null; if (Orient.instance().getSecurity() != null) { // See if there's a system user first. user = Orient.instance().getSecurity().getSystemUser(username, getDatabase().getName()); } // If not found, try the local database. if (user == null) user = super.getUser(username); return user; } }
public static boolean encodePassword(final ODocument iDocument) { if (iDocument.field("name") == null) throw new OSecurityException("User name not found"); final String password = (String) iDocument.field("password"); if (password == null) throw new OSecurityException("User '" + iDocument.field("name") + "' has no password"); if (Orient.instance().getSecurity() != null) { Orient.instance().getSecurity().validatePassword(password); } if (!password.startsWith("{")) { iDocument.field("password", encryptPassword(password)); return true; } return false; }
public boolean checkPassword(final String iPassword) { return OSecurityManager.instance().checkPassword(iPassword, getPassword()); }