View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one or more
3    * contributor license agreements.  See the NOTICE file distributed with
4    * this work for additional information regarding copyright ownership.
5    * The ASF licenses this file to You under the Apache License, Version 2.0
6    * (the "License"); you may not use this file except in compliance with
7    * the License.  You may obtain a copy of the License at
8    *
9    *      http://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the License for the specific language governing permissions and
15   * limitations under the License.
16   */
17  package org.apache.commons.codec.digest;
18  
19  import java.security.MessageDigest;
20  import java.util.Arrays;
21  import java.util.regex.Matcher;
22  import java.util.regex.Pattern;
23  
24  import org.apache.commons.codec.Charsets;
25  
26  /**
27   * The libc crypt() "$1$" and Apache "$apr1$" MD5-based hash algorithm.
28   * <p>
29   * Based on the public domain ("beer-ware") C implementation from Poul-Henning Kamp which was found at: <a
30   * href="http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libcrypt/crypt-md5.c?rev=1.1;content-type=text%2Fplain">
31   * crypt-md5.c @ freebsd.org</a><br>
32   * <p>
33   * Source:
34   *
35   * <pre>
36   * $FreeBSD: src/lib/libcrypt/crypt-md5.c,v 1.1 1999/01/21 13:50:09 brandon Exp $
37   * </pre>
38   * <p>
39   * Conversion to Kotlin and from there to Java in 2012.
40   * <p>
41   * The C style comments are from the original C code, the ones with "//" from the port.
42   * <p>
43   * This class is immutable and thread-safe.
44   *
45   * @version $Id: Md5Crypt.java 1563226 2014-01-31 19:38:06Z ggregory $
46   * @since 1.7
47   */
48  public class Md5Crypt {
49  
50      /** The Identifier of the Apache variant. */
51      static final String APR1_PREFIX = "$apr1$";
52  
53      /** The number of bytes of the final hash. */
54      private static final int BLOCKSIZE = 16;
55  
56      /** The Identifier of this crypt() variant. */
57      static final String MD5_PREFIX = "$1$";
58  
59      /** The number of rounds of the big loop. */
60      private static final int ROUNDS = 1000;
61  
62      /**
63       * See {@link #apr1Crypt(String, String)} for details.
64       *
65       * @param keyBytes
66       *            plaintext string to hash.
67       * @return the hash value
68       * @throws RuntimeException
69       *             when a {@link java.security.NoSuchAlgorithmException} is caught. *
70       */
71      public static String apr1Crypt(final byte[] keyBytes) {
72          return apr1Crypt(keyBytes, APR1_PREFIX + B64.getRandomSalt(8));
73      }
74  
75      /**
76       * See {@link #apr1Crypt(String, String)} for details.
77       *
78       * @param keyBytes
79       *            plaintext string to hash.
80       * @param salt An APR1 salt.
81       * @return the hash value
82       * @throws IllegalArgumentException
83       *             if the salt does not match the allowed pattern
84       * @throws RuntimeException
85       *             when a {@link java.security.NoSuchAlgorithmException} is caught.
86       */
87      public static String apr1Crypt(final byte[] keyBytes, String salt) {
88          // to make the md5Crypt regex happy
89          if (salt != null && !salt.startsWith(APR1_PREFIX)) {
90              salt = APR1_PREFIX + salt;
91          }
92          return Md5Crypt.md5Crypt(keyBytes, salt, APR1_PREFIX);
93      }
94  
95      /**
96       * See {@link #apr1Crypt(String, String)} for details.
97       *
98       * @param keyBytes
99       *            plaintext string to hash.
100      * @return the hash value
101      * @throws RuntimeException
102      *             when a {@link java.security.NoSuchAlgorithmException} is caught.
103      */
104     public static String apr1Crypt(final String keyBytes) {
105         return apr1Crypt(keyBytes.getBytes(Charsets.UTF_8));
106     }
107 
108     /**
109      * Generates an Apache htpasswd compatible "$apr1$" MD5 based hash value.
110      * <p>
111      * The algorithm is identical to the crypt(3) "$1$" one but produces different outputs due to the different salt
112      * prefix.
113      *
114      * @param keyBytes
115      *            plaintext string to hash.
116      * @param salt
117      *            salt string including the prefix and optionally garbage at the end. Will be generated randomly if
118      *            null.
119      * @return the hash value
120      * @throws IllegalArgumentException
121      *             if the salt does not match the allowed pattern
122      * @throws RuntimeException
123      *             when a {@link java.security.NoSuchAlgorithmException} is caught.
124      */
125     public static String apr1Crypt(final String keyBytes, final String salt) {
126         return apr1Crypt(keyBytes.getBytes(Charsets.UTF_8), salt);
127     }
128 
129     /**
130      * Generates a libc6 crypt() compatible "$1$" hash value.
131      * <p>
132      * See {@link Crypt#crypt(String, String)} for details.
133      *
134      * @param keyBytes
135      *            plaintext string to hash.
136      * @return the hash value
137      * @throws RuntimeException
138      *             when a {@link java.security.NoSuchAlgorithmException} is caught.
139      */
140     public static String md5Crypt(final byte[] keyBytes) {
141         return md5Crypt(keyBytes, MD5_PREFIX + B64.getRandomSalt(8));
142     }
143 
144     /**
145      * Generates a libc crypt() compatible "$1$" MD5 based hash value.
146      * <p>
147      * See {@link Crypt#crypt(String, String)} for details.
148      *
149      * @param keyBytes
150      *            plaintext string to hash.
151      * @param salt
152      *            salt string including the prefix and optionally garbage at the end. Will be generated randomly if
153      *            null.
154      * @return the hash value
155      * @throws IllegalArgumentException
156      *             if the salt does not match the allowed pattern
157      * @throws RuntimeException
158      *             when a {@link java.security.NoSuchAlgorithmException} is caught.
159      */
160     public static String md5Crypt(final byte[] keyBytes, final String salt) {
161         return md5Crypt(keyBytes, salt, MD5_PREFIX);
162     }
163 
164     /**
165      * Generates a libc6 crypt() "$1$" or Apache htpasswd "$apr1$" hash value.
166      * <p>
167      * See {@link Crypt#crypt(String, String)} or {@link #apr1Crypt(String, String)} for details.
168      *
169      * @param keyBytes
170      *            plaintext string to hash.
171      * @param salt May be null.
172      * @param prefix salt prefix
173      * @return the hash value
174      * @throws IllegalArgumentException
175      *             if the salt does not match the allowed pattern
176      * @throws RuntimeException
177      *             when a {@link java.security.NoSuchAlgorithmException} is caught.
178      */
179     public static String md5Crypt(final byte[] keyBytes, final String salt, final String prefix) {
180         final int keyLen = keyBytes.length;
181 
182         // Extract the real salt from the given string which can be a complete hash string.
183         String saltString;
184         if (salt == null) {
185             saltString = B64.getRandomSalt(8);
186         } else {
187             final Pattern p = Pattern.compile("^" + prefix.replace("$", "\\$") + "([\\.\\/a-zA-Z0-9]{1,8}).*");
188             final Matcher m = p.matcher(salt);
189             if (m == null || !m.find()) {
190                 throw new IllegalArgumentException("Invalid salt value: " + salt);
191             }
192             saltString = m.group(1);
193         }
194         final byte[] saltBytes = saltString.getBytes(Charsets.UTF_8);
195 
196         final MessageDigest ctx = DigestUtils.getMd5Digest();
197 
198         /*
199          * The password first, since that is what is most unknown
200          */
201         ctx.update(keyBytes);
202 
203         /*
204          * Then our magic string
205          */
206         ctx.update(prefix.getBytes(Charsets.UTF_8));
207 
208         /*
209          * Then the raw salt
210          */
211         ctx.update(saltBytes);
212 
213         /*
214          * Then just as many characters of the MD5(pw,salt,pw)
215          */
216         MessageDigest ctx1 = DigestUtils.getMd5Digest();
217         ctx1.update(keyBytes);
218         ctx1.update(saltBytes);
219         ctx1.update(keyBytes);
220         byte[] finalb = ctx1.digest();
221         int ii = keyLen;
222         while (ii > 0) {
223             ctx.update(finalb, 0, ii > 16 ? 16 : ii);
224             ii -= 16;
225         }
226 
227         /*
228          * Don't leave anything around in vm they could use.
229          */
230         Arrays.fill(finalb, (byte) 0);
231 
232         /*
233          * Then something really weird...
234          */
235         ii = keyLen;
236         final int j = 0;
237         while (ii > 0) {
238             if ((ii & 1) == 1) {
239                 ctx.update(finalb[j]);
240             } else {
241                 ctx.update(keyBytes[j]);
242             }
243             ii >>= 1;
244         }
245 
246         /*
247          * Now make the output string
248          */
249         final StringBuilder passwd = new StringBuilder(prefix + saltString + "$");
250         finalb = ctx.digest();
251 
252         /*
253          * and now, just to make sure things don't run too fast On a 60 Mhz Pentium this takes 34 msec, so you would
254          * need 30 seconds to build a 1000 entry dictionary...
255          */
256         for (int i = 0; i < ROUNDS; i++) {
257             ctx1 = DigestUtils.getMd5Digest();
258             if ((i & 1) != 0) {
259                 ctx1.update(keyBytes);
260             } else {
261                 ctx1.update(finalb, 0, BLOCKSIZE);
262             }
263 
264             if (i % 3 != 0) {
265                 ctx1.update(saltBytes);
266             }
267 
268             if (i % 7 != 0) {
269                 ctx1.update(keyBytes);
270             }
271 
272             if ((i & 1) != 0) {
273                 ctx1.update(finalb, 0, BLOCKSIZE);
274             } else {
275                 ctx1.update(keyBytes);
276             }
277             finalb = ctx1.digest();
278         }
279 
280         // The following was nearly identical to the Sha2Crypt code.
281         // Again, the buflen is not really needed.
282         // int buflen = MD5_PREFIX.length() - 1 + salt_string.length() + 1 + BLOCKSIZE + 1;
283         B64.b64from24bit(finalb[0], finalb[6], finalb[12], 4, passwd);
284         B64.b64from24bit(finalb[1], finalb[7], finalb[13], 4, passwd);
285         B64.b64from24bit(finalb[2], finalb[8], finalb[14], 4, passwd);
286         B64.b64from24bit(finalb[3], finalb[9], finalb[15], 4, passwd);
287         B64.b64from24bit(finalb[4], finalb[10], finalb[5], 4, passwd);
288         B64.b64from24bit((byte) 0, (byte) 0, finalb[11], 2, passwd);
289 
290         /*
291          * Don't leave anything around in vm they could use.
292          */
293         // Is there a better way to do this with the JVM?
294         ctx.reset();
295         ctx1.reset();
296         Arrays.fill(keyBytes, (byte) 0);
297         Arrays.fill(saltBytes, (byte) 0);
298         Arrays.fill(finalb, (byte) 0);
299 
300         return passwd.toString();
301     }
302 }