Class PasswordUtil
- java.lang.Object
-
- org.apache.directory.api.ldap.model.password.PasswordUtil
-
public final class PasswordUtil extends Object
A utility class containing methods related to processing passwords.- Author:
- Apache Directory Project
-
-
Field Summary
Fields Modifier and Type Field Description static int
CRYPT_BCRYPT_LENGTH
The CRYPT (BCrypt) hash lengthstatic int
CRYPT_LENGTH
The CRYPT (DES) hash lengthstatic int
CRYPT_MD5_LENGTH
The CRYPT (MD5) hash lengthstatic int
CRYPT_SHA256_LENGTH
The CRYPT (SHA-256) hash lengthstatic int
CRYPT_SHA512_LENGTH
The CRYPT (SHA-512) hash lengthstatic int
MD5_LENGTH
The MD5 hash lengthstatic int
PKCS5S2_LENGTH
The PKCS5S2 hash lengthstatic int
SHA1_LENGTH
The SHA1 hash lengthstatic int
SHA256_LENGTH
The SHA256 hash lengthstatic int
SHA384_LENGTH
The SHA384 hash lengthstatic int
SHA512_LENGTH
The SHA512 hash length
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description static boolean
compareCredentials(byte[] receivedCredentials, byte[] storedCredentials)
Compare the credentials.static byte[]
createStoragePassword(byte[] credentials, LdapSecurityConstants algorithm)
create a hashed password in a format that can be stored in the server.static byte[]
createStoragePassword(String credentials, LdapSecurityConstants algorithm)
static LdapSecurityConstants
findAlgorithm(byte[] credentials)
Get the algorithm from the stored password.static boolean
isPwdExpired(String pwdChangedZtime, int pwdMaxAgeSec)
checks if the given password's change time is older than the max agestatic PasswordDetails
splitCredentials(byte[] credentials)
Decompose the stored password in an algorithm, an eventual salt and the password itself.
-
-
-
Field Detail
-
SHA1_LENGTH
public static final int SHA1_LENGTH
The SHA1 hash length- See Also:
- Constant Field Values
-
SHA256_LENGTH
public static final int SHA256_LENGTH
The SHA256 hash length- See Also:
- Constant Field Values
-
SHA384_LENGTH
public static final int SHA384_LENGTH
The SHA384 hash length- See Also:
- Constant Field Values
-
SHA512_LENGTH
public static final int SHA512_LENGTH
The SHA512 hash length- See Also:
- Constant Field Values
-
MD5_LENGTH
public static final int MD5_LENGTH
The MD5 hash length- See Also:
- Constant Field Values
-
PKCS5S2_LENGTH
public static final int PKCS5S2_LENGTH
The PKCS5S2 hash length- See Also:
- Constant Field Values
-
CRYPT_LENGTH
public static final int CRYPT_LENGTH
The CRYPT (DES) hash length- See Also:
- Constant Field Values
-
CRYPT_MD5_LENGTH
public static final int CRYPT_MD5_LENGTH
The CRYPT (MD5) hash length- See Also:
- Constant Field Values
-
CRYPT_SHA256_LENGTH
public static final int CRYPT_SHA256_LENGTH
The CRYPT (SHA-256) hash length- See Also:
- Constant Field Values
-
CRYPT_SHA512_LENGTH
public static final int CRYPT_SHA512_LENGTH
The CRYPT (SHA-512) hash length- See Also:
- Constant Field Values
-
CRYPT_BCRYPT_LENGTH
public static final int CRYPT_BCRYPT_LENGTH
The CRYPT (BCrypt) hash length- See Also:
- Constant Field Values
-
-
Method Detail
-
findAlgorithm
public static LdapSecurityConstants findAlgorithm(byte[] credentials)
Get the algorithm from the stored password. It can be found on the beginning of the stored password, between curly brackets.- Parameters:
credentials
- the credentials of the user- Returns:
- the name of the algorithm to use
-
createStoragePassword
public static byte[] createStoragePassword(String credentials, LdapSecurityConstants algorithm)
- Parameters:
credentials
- The passwordalgorithm
- The algorithm to use- Returns:
- The resulting byte[] containing the paswword
- See Also:
createStoragePassword(byte[], LdapSecurityConstants)
-
createStoragePassword
public static byte[] createStoragePassword(byte[] credentials, LdapSecurityConstants algorithm)
create a hashed password in a format that can be stored in the server. If the specified algorithm requires a salt then a random salt of 8 byte size is used- Parameters:
credentials
- the plain text passwordalgorithm
- the hashing algorithm to be applied- Returns:
- the password after hashing with the given algorithm
-
compareCredentials
public static boolean compareCredentials(byte[] receivedCredentials, byte[] storedCredentials)
Compare the credentials. We have at least 6 algorithms to encrypt the password :- - SHA
- - SSHA (salted SHA)
- - SHA-2(256, 384 and 512 and their salted versions)
- - MD5
- - SMD5 (slated MD5)
- - PKCS5S2 (PBKDF2)
- - crypt (unix crypt)
- - plain text, ie no encryption.
If we get an encrypted password, it is prefixed by the used algorithm, between brackets : {SSHA}password ...
If the password is using SSHA, SMD5 or crypt, some 'salt' is added to the password :- - length(password) - 20, starting at 21st position for SSHA
- - length(password) - 16, starting at 16th position for SMD5
- - length(password) - 2, starting at 3rd position for crypt
For (S)SHA, SHA-256 and (S)MD5, we have to transform the password from Base64 encoded text to a byte[] before comparing the password with the stored one.
For PKCS5S2 the salt is stored in the beginning of the password
For crypt, we only have to remove the salt.
At the end, we use the digest() method for (S)SHA and (S)MD5, the crypt() method for the CRYPT algorithm and a straight comparison for PLAIN TEXT passwords.
The stored password is always using the unsalted form, and is stored as a bytes array.
- Parameters:
receivedCredentials
- the credentials provided by userstoredCredentials
- the credentials stored in the server- Returns:
- true if they are equal, false otherwise
-
splitCredentials
public static PasswordDetails splitCredentials(byte[] credentials)
Decompose the stored password in an algorithm, an eventual salt and the password itself. If the algorithm is SHA, SSHA, MD5 or SMD5, the part following the algorithm is base64 encoded- Parameters:
credentials
- The byte[] containing the credentials to split- Returns:
- The password
-
isPwdExpired
public static boolean isPwdExpired(String pwdChangedZtime, int pwdMaxAgeSec)
checks if the given password's change time is older than the max age- Parameters:
pwdChangedZtime
- time when the password was last changedpwdMaxAgeSec
- the max age value in seconds- Returns:
- true if expired, false otherwise
-
-