Package org.apache.directory.api.ldap.model.password

Class PasswordUtil

    • Method Detail

      • findAlgorithm

        public static LdapSecurityConstants findAlgorithm​(byte[] credentials)
        Get the algorithm from the stored password. It can be found on the beginning of the stored password, between curly brackets.
        Parameters:
        credentials - the credentials of the user
        Returns:
        the name of the algorithm to use

      • createStoragePassword

        public static byte[] createStoragePassword​(byte[] credentials,
                                           LdapSecurityConstants algorithm)
        create a hashed password in a format that can be stored in the server. If the specified algorithm requires a salt then a random salt of 8 byte size is used
        Parameters:
        credentials - the plain text password
        algorithm - the hashing algorithm to be applied
        Returns:
        the password after hashing with the given algorithm

      • compareCredentials

        public static boolean compareCredentials​(byte[] receivedCredentials,
                                         byte[] storedCredentials)
        Compare the credentials. We have at least 6 algorithms to encrypt the password :
        • - SHA
        • - SSHA (salted SHA)
        • - SHA-2(256, 384 and 512 and their salted versions)
        • - MD5
        • - SMD5 (slated MD5)
        • - PKCS5S2 (PBKDF2)
        • - crypt (unix crypt)
        • - plain text, ie no encryption.

        If we get an encrypted password, it is prefixed by the used algorithm, between brackets : {SSHA}password ...

        If the password is using SSHA, SMD5 or crypt, some 'salt' is added to the password :
        • - length(password) - 20, starting at 21st position for SSHA
        • - length(password) - 16, starting at 16th position for SMD5
        • - length(password) - 2, starting at 3rd position for crypt

        For (S)SHA, SHA-256 and (S)MD5, we have to transform the password from Base64 encoded text to a byte[] before comparing the password with the stored one.

        For PKCS5S2 the salt is stored in the beginning of the password

        For crypt, we only have to remove the salt.

        At the end, we use the digest() method for (S)SHA and (S)MD5, the crypt() method for the CRYPT algorithm and a straight comparison for PLAIN TEXT passwords.

        The stored password is always using the unsalted form, and is stored as a bytes array.

        Parameters:
        receivedCredentials - the credentials provided by user
        storedCredentials - the credentials stored in the server
        Returns:
        true if they are equal, false otherwise

      • splitCredentials

        public static PasswordDetails splitCredentials​(byte[] credentials)
        Decompose the stored password in an algorithm, an eventual salt and the password itself. If the algorithm is SHA, SSHA, MD5 or SMD5, the part following the algorithm is base64 encoded
        Parameters:
        credentials - The byte[] containing the credentials to split
        Returns:
        The password

      • isPwdExpired

        public static boolean isPwdExpired​(String pwdChangedZtime,
                                   int pwdMaxAgeSec,
                                   TimeProvider timeProvider)
        checks if the given password's change time is older than the max age
        Parameters:
        pwdChangedZtime - time when the password was last changed
        pwdMaxAgeSec - the max age value in seconds
        timeProvider - The TimeProvider instance to use
        Returns:
        true if expired, false otherwise