org.apache.directory.api.ldap.model.password
Class PasswordUtil

java.lang.Object
  extended by org.apache.directory.api.ldap.model.password.PasswordUtil

public class PasswordUtil
extends Object

A utility class containing methods related to processing passwords.

Author:
Apache Directory Project

Field Summary
static int MD5_LENGTH
          The MD5 hash length
static int SHA1_LENGTH
          The SHA1 hash length
static int SHA256_LENGTH
          The SHA256 hash length
static int SHA384_LENGTH
          The SHA384 hash length
static int SHA512_LENGTH
          The SHA512 hash length
 
Constructor Summary
PasswordUtil()
           
 
Method Summary
static boolean compareCredentials(byte[] receivedCredentials, byte[] storedCredentials)
          Compare the credentials.
static byte[] createStoragePassword(byte[] credentials, LdapSecurityConstants algorithm)
          Create a hashed password in a format that can be stored in the server.
static byte[] createStoragePassword(String credentials, LdapSecurityConstants algorithm)
           
static byte[] encryptPassword(byte[] credentials, LdapSecurityConstants algorithm, byte[] salt)
          Encrypts the given credentials using the named algorithm and an optional salt.
static LdapSecurityConstants findAlgorithm(byte[] credentials)
          Get the algorithm from the stored password.
static boolean isPwdExpired(String pwdChangedZtime, int pwdMaxAgeSec)
          Checks whether the given password's change time is older than the maximum age.
static byte[] splitCredentials(byte[] credentials, EncryptionMethod encryptionMethod)
          Decompose the stored password into an algorithm, an optional salt and the password itself.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

SHA1_LENGTH

public static final int SHA1_LENGTH
The SHA1 hash length

See Also:
Constant Field Values

SHA256_LENGTH

public static final int SHA256_LENGTH
The SHA256 hash length

See Also:
Constant Field Values

SHA384_LENGTH

public static final int SHA384_LENGTH
The SHA384 hash length

See Also:
Constant Field Values

SHA512_LENGTH

public static final int SHA512_LENGTH
The SHA512 hash length

See Also:
Constant Field Values

MD5_LENGTH

public static final int MD5_LENGTH
The MD5 hash length

See Also:
Constant Field Values

Constructor Detail

PasswordUtil

public PasswordUtil()

Method Detail

findAlgorithm

public static LdapSecurityConstants findAlgorithm(byte[] credentials)
Get the algorithm from the stored password. It is found at the beginning of the stored password, between curly brackets.

Parameters:
credentials - the credentials of the user
Returns:
the name of the algorithm to use

createStoragePassword

public static byte[] createStoragePassword(String credentials,
                                           LdapSecurityConstants algorithm)
See Also:
createStoragePassword(byte[], LdapSecurityConstants)

createStoragePassword

public static byte[] createStoragePassword(byte[] credentials,
                                           LdapSecurityConstants algorithm)
Create a hashed password in a format that can be stored in the server. If the specified algorithm requires a salt, a random 8-byte salt is used.

Parameters:
credentials - the plain text password
algorithm - the hashing algorithm to be applied
Returns:
the password after hashing with the given algorithm

compareCredentials

public static boolean compareCredentials(byte[] receivedCredentials,
                                         byte[] storedCredentials)
Compare the credentials. We have at least 6 algorithms to encrypt the password:

If we get an encrypted password, it is prefixed by the algorithm used, between brackets: {SSHA}password ...

If the password uses SSHA, SMD5 or crypt, some 'salt' is added to the password:

For (S)SHA, SHA-256 and (S)MD5, we have to transform the password from Base64-encoded text to a byte[] before comparing it with the stored one.

For crypt, we only have to remove the salt.

At the end, we use the digest() method for (S)SHA and (S)MD5, the crypt() method for the CRYPT algorithm and a straight comparison for PLAIN TEXT passwords.

The stored password always uses the unsalted form and is stored as a byte array.

Parameters:
receivedCredentials - the credentials provided by user
storedCredentials - the credentials stored in the server
Returns:
true if they are equal, false otherwise

encryptPassword

public static byte[] encryptPassword(byte[] credentials,
                                     LdapSecurityConstants algorithm,
                                     byte[] salt)
Encrypts the given credentials using the named algorithm and an optional salt.

Parameters:
credentials - the credentials to be encrypted
algorithm - the algorithm to be used for encrypting the credentials
salt - value to be used as salt (optional)
Returns:
the encrypted credentials

splitCredentials

public static byte[] splitCredentials(byte[] credentials,
                                      EncryptionMethod encryptionMethod)
Decompose the stored password into an algorithm, an optional salt and the password itself. If the algorithm is SHA, SSHA, MD5 or SMD5, the part following the algorithm is Base64 encoded.

Parameters:
encryptionMethod - The structure to feed
credentials - the credentials to split
Returns:
The password

isPwdExpired

public static boolean isPwdExpired(String pwdChangedZtime,
                                   int pwdMaxAgeSec)
Checks whether the given password's change time is older than the maximum age.

Parameters:
pwdChangedZtime - time when the password was last changed
pwdMaxAgeSec - the max age value in seconds
Returns:
true if expired, false otherwise
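The following is an added usage example; it is not part of the Apache Directory API or of this Javadoc. It ties together createStoragePassword, findAlgorithm, compareCredentials and isPwdExpired as a verifier would use them. Assumptions not stated on this page: LdapSecurityConstants lives in org.apache.directory.api.ldap.model.constants and exposes a HASH_METHOD_SSHA constant, and pwdChangedZtime is a GeneralizedTime string of the form yyyyMMddHHmmssZ; the password and timestamp values are constructed samples.

```java
// Added example, not code from the Apache Directory project.
// Assumed: package of LdapSecurityConstants, the HASH_METHOD_SSHA constant,
// and the GeneralizedTime ("yyyyMMddHHmmssZ") layout of pwdChangedZtime.
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import org.apache.directory.api.ldap.model.constants.LdapSecurityConstants;
import org.apache.directory.api.ldap.model.password.PasswordUtil;

public class PasswordUtilDemo {

    /** Hashes a plain-text password into the {ALG}Base64(...) storage form. */
    public static byte[] hashForStorage(String plainText) {
        // SSHA is a salted scheme, so createStoragePassword draws its own random 8-byte salt.
        return PasswordUtil.createStoragePassword(plainText, LdapSecurityConstants.HASH_METHOD_SSHA);
    }

    /** Verifies a login attempt against a value as stored in the server. */
    public static boolean verify(String attempt, byte[] stored) {
        byte[] received = attempt.getBytes(StandardCharsets.UTF_8);
        // compareCredentials reads the {ALG} prefix from the stored value, recovers the salt,
        // re-hashes the received bytes with it and compares the digests.
        return PasswordUtil.compareCredentials(received, stored);
    }

    /** True when the stored value carries an algorithm prefix, i.e. is not plain text. */
    public static boolean isHashed(byte[] stored) {
        // A stored value without a recognisable {ALG} prefix is compared as plain text,
        // which is the case a reviewer of an existing directory wants to find.
        return PasswordUtil.findAlgorithm(stored) != null;
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple"; // constructed sample
        byte[] stored = hashForStorage(password);
        System.out.println("stored value : " + new String(stored, StandardCharsets.UTF_8));

        // The algorithm is recoverable from the stored value alone, which is what lets
        // one verifier accept hashes created under different schemes.
        LdapSecurityConstants algorithm = PasswordUtil.findAlgorithm(stored);
        System.out.println("algorithm    : " + algorithm);
        System.out.println("hashed?      : " + isHashed(stored));

        // Because the salt is random, hashing the same password twice yields different
        // stored values; both still verify the same plain text.
        byte[] storedAgain = hashForStorage(password);
        System.out.println("same bytes?  : " + Arrays.equals(stored, storedAgain));
        System.out.println("good attempt : " + verify(password, stored));
        System.out.println("good attempt : " + verify(password, storedAgain));
        System.out.println("bad attempt  : " + verify("not the password", stored));

        // Password ageing: a change time from 2013 checked against a 90-day maximum age.
        String changed = "20130101000000Z";       // constructed GeneralizedTime sample
        int maxAgeSeconds = 90 * 24 * 60 * 60;
        System.out.println("expired      : " + PasswordUtil.isPwdExpired(changed, maxAgeSeconds));
    }
}
```

Two practical points follow from the documentation above. First, because compareCredentials falls back to a straight comparison for plain-text values, a server that accepts writes of unhashed userPassword values will happily verify them; running findAlgorithm over stored values (as isHashed does) is a cheap way to audit which entries were never hashed. Second, the salted variants (SSHA, SMD5) are the ones to prefer with createStoragePassword, since the unsalted SHA and MD5 forms produce identical stored values for identical passwords.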


Copyright © 2003-2013 The Apache Software Foundation. All Rights Reserved.