001 /*
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements. See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License. You may obtain a copy of the License at
008 *
009 * http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017 package org.apache.commons.codec.digest;
018
019 import java.security.MessageDigest;
020 import java.util.Arrays;
021 import java.util.regex.Matcher;
022 import java.util.regex.Pattern;
023
024 import org.apache.commons.codec.Charsets;
025
026 /**
027 * The libc crypt() "$1$" and Apache "$apr1$" MD5-based hash algorithm.
028 * <p>
029 * Based on the public domain ("beer-ware") C implementation from Poul-Henning Kamp which was found at: <a
030 * href="http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libcrypt/crypt-md5.c?rev=1.1;content-type=text%2Fplain">
031 * crypt-md5.c @ freebsd.org</a><br/>
032 * <p>
033 * Source:
034 *
035 * <pre>
036 * $FreeBSD: src/lib/libcrypt/crypt-md5.c,v 1.1 1999/01/21 13:50:09 brandon Exp $
037 * </pre>
038 * <p>
039 * Conversion to Kotlin and from there to Java in 2012.
040 * <p>
041 * The C style comments are from the original C code, the ones with "//" from the port.
042 * <p>
043 * This class is immutable and thread-safe.
044 *
045 * @version $Id: Md5Crypt.html 889935 2013-12-11 05:05:13Z ggregory $
046 * @since 1.7
047 */
048 public class Md5Crypt {
049
050 /** The Identifier of the Apache variant. */
051 static final String APR1_PREFIX = "$apr1$";
052
053 /** The number of bytes of the final hash. */
054 private static final int BLOCKSIZE = 16;
055
056 /** The Identifier of this crypt() variant. */
057 static final String MD5_PREFIX = "$1$";
058
059 /** The number of rounds of the big loop. */
060 private static final int ROUNDS = 1000;
061
062 /**
063 * See {@link #apr1Crypt(String, String)} for details.
064 *
065 * @throws RuntimeException
066 * when a {@link java.security.NoSuchAlgorithmException} is caught. *
067 */
068 public static String apr1Crypt(byte[] keyBytes) {
069 return apr1Crypt(keyBytes, APR1_PREFIX + B64.getRandomSalt(8));
070 }
071
072 /**
073 * See {@link #apr1Crypt(String, String)} for details.
074 *
075 * @throws IllegalArgumentException
076 * if the salt does not match the allowed pattern
077 * @throws RuntimeException
078 * when a {@link java.security.NoSuchAlgorithmException} is caught.
079 */
080 public static String apr1Crypt(byte[] keyBytes, String salt) {
081 // to make the md5Crypt regex happy
082 if (salt != null && !salt.startsWith(APR1_PREFIX)) {
083 salt = APR1_PREFIX + salt;
084 }
085 return Md5Crypt.md5Crypt(keyBytes, salt, APR1_PREFIX);
086 }
087
088 /**
089 * See {@link #apr1Crypt(String, String)} for details.
090 *
091 * @throws RuntimeException
092 * when a {@link java.security.NoSuchAlgorithmException} is caught.
093 */
094 public static String apr1Crypt(String keyBytes) {
095 return apr1Crypt(keyBytes.getBytes(Charsets.UTF_8));
096 }
097
098 /**
099 * Generates an Apache htpasswd compatible "$apr1$" MD5 based hash value.
100 * <p>
101 * The algorithm is identical to the crypt(3) "$1$" one but produces different outputs due to the different salt
102 * prefix.
103 *
104 * @param keyBytes
105 * plaintext string that should be hashed.
106 * @param salt
107 * salt string including the prefix and optionally garbage at the end. Will be generated randomly if
108 * null.
109 * @return computed hash value
110 * @throws IllegalArgumentException
111 * if the salt does not match the allowed pattern
112 * @throws RuntimeException
113 * when a {@link java.security.NoSuchAlgorithmException} is caught.
114 */
115 public static String apr1Crypt(String keyBytes, String salt) {
116 return apr1Crypt(keyBytes.getBytes(Charsets.UTF_8), salt);
117 }
118
119 /**
120 * Generates a libc6 crypt() compatible "$1$" hash value.
121 * <p>
122 * See {@link Crypt#crypt(String, String)} for details.
123 *
124 * @throws RuntimeException
125 * when a {@link java.security.NoSuchAlgorithmException} is caught.
126 */
127 public static String md5Crypt(final byte[] keyBytes) {
128 return md5Crypt(keyBytes, MD5_PREFIX + B64.getRandomSalt(8));
129 }
130
131 /**
132 * Generates a libc crypt() compatible "$1$" MD5 based hash value.
133 * <p>
134 * See {@link Crypt#crypt(String, String)} for details.
135 *
136 * @param keyBytes
137 * plaintext string that should be hashed.
138 * @param salt
139 * salt string including the prefix and optionally garbage at the end. Will be generated randomly if
140 * null.
141 * @return computed hash value
142 * @throws IllegalArgumentException
143 * if the salt does not match the allowed pattern
144 * @throws RuntimeException
145 * when a {@link java.security.NoSuchAlgorithmException} is caught.
146 */
147 public static String md5Crypt(byte[] keyBytes, String salt) {
148 return md5Crypt(keyBytes, salt, MD5_PREFIX);
149 }
150
151 /**
152 * Generates a libc6 crypt() "$1$" or Apache htpasswd "$apr1$" hash value.
153 * <p>
154 * See {@link Crypt#crypt(String, String)} or {@link #apr1Crypt(String, String)} for details.
155 *
156 * @throws IllegalArgumentException
157 * if the salt does not match the allowed pattern
158 * @throws RuntimeException
159 * when a {@link java.security.NoSuchAlgorithmException} is caught.
160 */
161 public static String md5Crypt(final byte[] keyBytes, final String salt, final String prefix) {
162 int keyLen = keyBytes.length;
163
164 // Extract the real salt from the given string which can be a complete hash string.
165 String saltString;
166 if (salt == null) {
167 saltString = B64.getRandomSalt(8);
168 } else {
169 final Pattern p = Pattern.compile("^" + prefix.replace("$", "\\$") + "([\\.\\/a-zA-Z0-9]{1,8}).*");
170 final Matcher m = p.matcher(salt);
171 if (m == null || !m.find()) {
172 throw new IllegalArgumentException("Invalid salt value: " + salt);
173 }
174 saltString = m.group(1);
175 }
176 byte[] saltBytes = saltString.getBytes(Charsets.UTF_8);
177
178 MessageDigest ctx = DigestUtils.getMd5Digest();
179
180 /*
181 * The password first, since that is what is most unknown
182 */
183 ctx.update(keyBytes);
184
185 /*
186 * Then our magic string
187 */
188 ctx.update(prefix.getBytes(Charsets.UTF_8));
189
190 /*
191 * Then the raw salt
192 */
193 ctx.update(saltBytes);
194
195 /*
196 * Then just as many characters of the MD5(pw,salt,pw)
197 */
198 MessageDigest ctx1 = DigestUtils.getMd5Digest();
199 ctx1.update(keyBytes);
200 ctx1.update(saltBytes);
201 ctx1.update(keyBytes);
202 byte[] finalb = ctx1.digest();
203 int ii = keyLen;
204 while (ii > 0) {
205 ctx.update(finalb, 0, ii > 16 ? 16 : ii);
206 ii -= 16;
207 }
208
209 /*
210 * Don't leave anything around in vm they could use.
211 */
212 Arrays.fill(finalb, (byte) 0);
213
214 /*
215 * Then something really weird...
216 */
217 ii = keyLen;
218 int j = 0;
219 while (ii > 0) {
220 if ((ii & 1) == 1) {
221 ctx.update(finalb[j]);
222 } else {
223 ctx.update(keyBytes[j]);
224 }
225 ii >>= 1;
226 }
227
228 /*
229 * Now make the output string
230 */
231 StringBuilder passwd = new StringBuilder(prefix + saltString + "$");
232 finalb = ctx.digest();
233
234 /*
235 * and now, just to make sure things don't run too fast On a 60 Mhz Pentium this takes 34 msec, so you would
236 * need 30 seconds to build a 1000 entry dictionary...
237 */
238 for (int i = 0; i < ROUNDS; i++) {
239 ctx1 = DigestUtils.getMd5Digest();
240 if ((i & 1) != 0) {
241 ctx1.update(keyBytes);
242 } else {
243 ctx1.update(finalb, 0, BLOCKSIZE);
244 }
245
246 if (i % 3 != 0) {
247 ctx1.update(saltBytes);
248 }
249
250 if (i % 7 != 0) {
251 ctx1.update(keyBytes);
252 }
253
254 if ((i & 1) != 0) {
255 ctx1.update(finalb, 0, BLOCKSIZE);
256 } else {
257 ctx1.update(keyBytes);
258 }
259 finalb = ctx1.digest();
260 }
261
262 // The following was nearly identical to the Sha2Crypt code.
263 // Again, the buflen is not really needed.
264 // int buflen = MD5_PREFIX.length() - 1 + salt_string.length() + 1 + BLOCKSIZE + 1;
265 B64.b64from24bit(finalb[0], finalb[6], finalb[12], 4, passwd);
266 B64.b64from24bit(finalb[1], finalb[7], finalb[13], 4, passwd);
267 B64.b64from24bit(finalb[2], finalb[8], finalb[14], 4, passwd);
268 B64.b64from24bit(finalb[3], finalb[9], finalb[15], 4, passwd);
269 B64.b64from24bit(finalb[4], finalb[10], finalb[5], 4, passwd);
270 B64.b64from24bit((byte) 0, (byte) 0, finalb[11], 2, passwd);
271
272 /*
273 * Don't leave anything around in vm they could use.
274 */
275 // Is there a better way to do this with the JVM?
276 ctx.reset();
277 ctx1.reset();
278 Arrays.fill(keyBytes, (byte) 0);
279 Arrays.fill(saltBytes, (byte) 0);
280 Arrays.fill(finalb, (byte) 0);
281
282 return passwd.toString();
283 }
284 }