001/* 002 * Licensed to the Apache Software Foundation (ASF) under one or more 003 * contributor license agreements. See the NOTICE file distributed with 004 * this work for additional information regarding copyright ownership. 005 * The ASF licenses this file to You under the Apache License, Version 2.0 006 * (the "License"); you may not use this file except in compliance with 007 * the License. You may obtain a copy of the License at 008 * 009 * http://www.apache.org/licenses/LICENSE-2.0 010 * 011 * Unless required by applicable law or agreed to in writing, software 012 * distributed under the License is distributed on an "AS IS" BASIS, 013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 014 * See the License for the specific language governing permissions and 015 * limitations under the License. 016 */ 017package org.apache.commons.codec.digest; 018 019import java.security.MessageDigest; 020import java.security.NoSuchAlgorithmException; 021import java.security.SecureRandom; 022import java.util.Arrays; 023import java.util.Random; 024import java.util.concurrent.ThreadLocalRandom; 025import java.util.regex.Matcher; 026import java.util.regex.Pattern; 027 028import org.apache.commons.codec.Charsets; 029 030/** 031 * SHA2-based Unix crypt implementation. 032 * <p> 033 * Based on the C implementation released into the Public Domain by Ulrich Drepper <drepper@redhat.com> 034 * http://www.akkadia.org/drepper/SHA-crypt.txt 035 * <p> 036 * Conversion to Kotlin and from there to Java in 2012 by Christian Hammers <ch@lathspell.de> and likewise put 037 * into the Public Domain. 038 * <p> 039 * This class is immutable and thread-safe. 040 * 041 * @since 1.7 042 */ 043public class Sha2Crypt { 044 045 /** Default number of rounds if not explicitly specified. */ 046 private static final int ROUNDS_DEFAULT = 5000; 047 048 /** Maximum number of rounds. */ 049 private static final int ROUNDS_MAX = 999999999; 050 051 /** Minimum number of rounds. */ 052 private static final int ROUNDS_MIN = 1000; 053 054 /** Prefix for optional rounds specification. */ 055 private static final String ROUNDS_PREFIX = "rounds="; 056 057 /** The number of bytes the final hash value will have (SHA-256 variant). */ 058 private static final int SHA256_BLOCKSIZE = 32; 059 060 /** The prefixes that can be used to identify this crypt() variant (SHA-256). */ 061 static final String SHA256_PREFIX = "$5$"; 062 063 /** The number of bytes the final hash value will have (SHA-512 variant). */ 064 private static final int SHA512_BLOCKSIZE = 64; 065 066 /** The prefixes that can be used to identify this crypt() variant (SHA-512). */ 067 static final String SHA512_PREFIX = "$6$"; 068 069 /** The pattern to match valid salt values. */ 070 private static final Pattern SALT_PATTERN = Pattern 071 .compile("^\\$([56])\\$(rounds=(\\d+)\\$)?([\\.\\/a-zA-Z0-9]{1,16}).*"); 072 073 /** 074 * Generates a libc crypt() compatible "$5$" hash value with random salt. 075 * <p> 076 * See {@link Crypt#crypt(String, String)} for details. 077 * </p> 078 * <p> 079 * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using 080 * {@link SecureRandom} to generate your own salts and calling {@link #sha256Crypt(byte[], String)}. 081 * </p> 082 * 083 * @param keyBytes 084 * plaintext to hash 085 * @return complete hash value 086 * @throws IllegalArgumentException 087 * when a {@link java.security.NoSuchAlgorithmException} is caught. 088 */ 089 public static String sha256Crypt(final byte[] keyBytes) { 090 return sha256Crypt(keyBytes, null); 091 } 092 093 /** 094 * Generates a libc6 crypt() compatible "$5$" hash value. 095 * <p> 096 * See {@link Crypt#crypt(String, String)} for details. 097 * </p> 098 * @param keyBytes 099 * plaintext to hash 100 * @param salt 101 * real salt value without prefix or "rounds=". The salt may be null, in which case a salt 102 * is generated for you using {@link SecureRandom}. If one does not want to use {@link SecureRandom}, 103 * you can pass your own {@link Random} in {@link #sha256Crypt(byte[], String, Random)}. 104 * @return complete hash value including salt 105 * @throws IllegalArgumentException 106 * if the salt does not match the allowed pattern 107 * @throws IllegalArgumentException 108 * when a {@link java.security.NoSuchAlgorithmException} is caught. 109 */ 110 public static String sha256Crypt(final byte[] keyBytes, String salt) { 111 if (salt == null) { 112 salt = SHA256_PREFIX + B64.getRandomSalt(8); 113 } 114 return sha2Crypt(keyBytes, salt, SHA256_PREFIX, SHA256_BLOCKSIZE, MessageDigestAlgorithms.SHA_256); 115 } 116 117 /** 118 * Generates a libc6 crypt() compatible "$5$" hash value. 119 * <p> 120 * See {@link Crypt#crypt(String, String)} for details. 121 * </p> 122 * @param keyBytes 123 * plaintext to hash 124 * @param salt 125 * real salt value without prefix or "rounds=". 126 * @param random 127 * the instance of {@link Random} to use for generating the salt. Consider using {@link SecureRandom} 128 * or {@link ThreadLocalRandom}. 129 * @return complete hash value including salt 130 * @throws IllegalArgumentException 131 * if the salt does not match the allowed pattern 132 * @throws IllegalArgumentException 133 * when a {@link java.security.NoSuchAlgorithmException} is caught. 134 * @since 1.12 135 */ 136 public static String sha256Crypt(final byte[] keyBytes, String salt, final Random random) { 137 if (salt == null) { 138 salt = SHA256_PREFIX + B64.getRandomSalt(8, random); 139 } 140 return sha2Crypt(keyBytes, salt, SHA256_PREFIX, SHA256_BLOCKSIZE, MessageDigestAlgorithms.SHA_256); 141 } 142 143 /** 144 * Generates a libc6 crypt() compatible "$5$" or "$6$" SHA2 based hash value. 145 * <p> 146 * This is a nearly line by line conversion of the original C function. The numbered comments are from the algorithm 147 * description, the short C-style ones from the original C code and the ones with "Remark" from me. 148 * <p> 149 * See {@link Crypt#crypt(String, String)} for details. 150 * 151 * @param keyBytes 152 * plaintext to hash 153 * @param salt 154 * real salt value without prefix or "rounds="; may not be null 155 * @param saltPrefix 156 * either $5$ or $6$ 157 * @param blocksize 158 * a value that differs between $5$ and $6$ 159 * @param algorithm 160 * {@link MessageDigest} algorithm identifier string 161 * @return complete hash value including prefix and salt 162 * @throws IllegalArgumentException 163 * if the given salt is <code>null</code> or does not match the allowed pattern 164 * @throws IllegalArgumentException 165 * when a {@link NoSuchAlgorithmException} is caught 166 * @see MessageDigestAlgorithms 167 */ 168 private static String sha2Crypt(final byte[] keyBytes, final String salt, final String saltPrefix, 169 final int blocksize, final String algorithm) { 170 171 final int keyLen = keyBytes.length; 172 173 // Extracts effective salt and the number of rounds from the given salt. 174 int rounds = ROUNDS_DEFAULT; 175 boolean roundsCustom = false; 176 if (salt == null) { 177 throw new IllegalArgumentException("Salt must not be null"); 178 } 179 180 final Matcher m = SALT_PATTERN.matcher(salt); 181 if (!m.find()) { 182 throw new IllegalArgumentException("Invalid salt value: " + salt); 183 } 184 if (m.group(3) != null) { 185 rounds = Integer.parseInt(m.group(3)); 186 rounds = Math.max(ROUNDS_MIN, Math.min(ROUNDS_MAX, rounds)); 187 roundsCustom = true; 188 } 189 final String saltString = m.group(4); 190 final byte[] saltBytes = saltString.getBytes(Charsets.UTF_8); 191 final int saltLen = saltBytes.length; 192 193 // 1. start digest A 194 // Prepare for the real work. 195 MessageDigest ctx = DigestUtils.getDigest(algorithm); 196 197 // 2. the password string is added to digest A 198 /* 199 * Add the key string. 200 */ 201 ctx.update(keyBytes); 202 203 // 3. the salt string is added to digest A. This is just the salt string 204 // itself without the enclosing '$', without the magic salt_prefix $5$ and 205 // $6$ respectively and without the rounds=<N> specification. 206 // 207 // NB: the MD5 algorithm did add the $1$ salt_prefix. This is not deemed 208 // necessary since it is a constant string and does not add security 209 // and /possibly/ allows a plain text attack. Since the rounds=<N> 210 // specification should never be added this would also create an 211 // inconsistency. 212 /* 213 * The last part is the salt string. This must be at most 16 characters and it ends at the first `$' character 214 * (for compatibility with existing implementations). 215 */ 216 ctx.update(saltBytes); 217 218 // 4. start digest B 219 /* 220 * Compute alternate sha512 sum with input KEY, SALT, and KEY. The final result will be added to the first 221 * context. 222 */ 223 MessageDigest altCtx = DigestUtils.getDigest(algorithm); 224 225 // 5. add the password to digest B 226 /* 227 * Add key. 228 */ 229 altCtx.update(keyBytes); 230 231 // 6. add the salt string to digest B 232 /* 233 * Add salt. 234 */ 235 altCtx.update(saltBytes); 236 237 // 7. add the password again to digest B 238 /* 239 * Add key again. 240 */ 241 altCtx.update(keyBytes); 242 243 // 8. finish digest B 244 /* 245 * Now get result of this (32 bytes) and add it to the other context. 246 */ 247 byte[] altResult = altCtx.digest(); 248 249 // 9. For each block of 32 or 64 bytes in the password string (excluding 250 // the terminating NUL in the C representation), add digest B to digest A 251 /* 252 * Add for any character in the key one byte of the alternate sum. 253 */ 254 /* 255 * (Remark: the C code comment seems wrong for key length > 32!) 256 */ 257 int cnt = keyBytes.length; 258 while (cnt > blocksize) { 259 ctx.update(altResult, 0, blocksize); 260 cnt -= blocksize; 261 } 262 263 // 10. For the remaining N bytes of the password string add the first 264 // N bytes of digest B to digest A 265 ctx.update(altResult, 0, cnt); 266 267 // 11. For each bit of the binary representation of the length of the 268 // password string up to and including the highest 1-digit, starting 269 // from to lowest bit position (numeric value 1): 270 // 271 // a) for a 1-digit add digest B to digest A 272 // 273 // b) for a 0-digit add the password string 274 // 275 // NB: this step differs significantly from the MD5 algorithm. It 276 // adds more randomness. 277 /* 278 * Take the binary representation of the length of the key and for every 1 add the alternate sum, for every 0 279 * the key. 280 */ 281 cnt = keyBytes.length; 282 while (cnt > 0) { 283 if ((cnt & 1) != 0) { 284 ctx.update(altResult, 0, blocksize); 285 } else { 286 ctx.update(keyBytes); 287 } 288 cnt >>= 1; 289 } 290 291 // 12. finish digest A 292 /* 293 * Create intermediate result. 294 */ 295 altResult = ctx.digest(); 296 297 // 13. start digest DP 298 /* 299 * Start computation of P byte sequence. 300 */ 301 altCtx = DigestUtils.getDigest(algorithm); 302 303 // 14. for every byte in the password (excluding the terminating NUL byte 304 // in the C representation of the string) 305 // 306 // add the password to digest DP 307 /* 308 * For every character in the password add the entire password. 309 */ 310 for (int i = 1; i <= keyLen; i++) { 311 altCtx.update(keyBytes); 312 } 313 314 // 15. finish digest DP 315 /* 316 * Finish the digest. 317 */ 318 byte[] tempResult = altCtx.digest(); 319 320 // 16. produce byte sequence P of the same length as the password where 321 // 322 // a) for each block of 32 or 64 bytes of length of the password string 323 // the entire digest DP is used 324 // 325 // b) for the remaining N (up to 31 or 63) bytes use the first N 326 // bytes of digest DP 327 /* 328 * Create byte sequence P. 329 */ 330 final byte[] pBytes = new byte[keyLen]; 331 int cp = 0; 332 while (cp < keyLen - blocksize) { 333 System.arraycopy(tempResult, 0, pBytes, cp, blocksize); 334 cp += blocksize; 335 } 336 System.arraycopy(tempResult, 0, pBytes, cp, keyLen - cp); 337 338 // 17. start digest DS 339 /* 340 * Start computation of S byte sequence. 341 */ 342 altCtx = DigestUtils.getDigest(algorithm); 343 344 // 18. repeast the following 16+A[0] times, where A[0] represents the first 345 // byte in digest A interpreted as an 8-bit unsigned value 346 // 347 // add the salt to digest DS 348 /* 349 * For every character in the password add the entire password. 350 */ 351 for (int i = 1; i <= 16 + (altResult[0] & 0xff); i++) { 352 altCtx.update(saltBytes); 353 } 354 355 // 19. finish digest DS 356 /* 357 * Finish the digest. 358 */ 359 tempResult = altCtx.digest(); 360 361 // 20. produce byte sequence S of the same length as the salt string where 362 // 363 // a) for each block of 32 or 64 bytes of length of the salt string 364 // the entire digest DS is used 365 // 366 // b) for the remaining N (up to 31 or 63) bytes use the first N 367 // bytes of digest DS 368 /* 369 * Create byte sequence S. 370 */ 371 // Remark: The salt is limited to 16 chars, how does this make sense? 372 final byte[] sBytes = new byte[saltLen]; 373 cp = 0; 374 while (cp < saltLen - blocksize) { 375 System.arraycopy(tempResult, 0, sBytes, cp, blocksize); 376 cp += blocksize; 377 } 378 System.arraycopy(tempResult, 0, sBytes, cp, saltLen - cp); 379 380 // 21. repeat a loop according to the number specified in the rounds=<N> 381 // specification in the salt (or the default value if none is 382 // present). Each round is numbered, starting with 0 and up to N-1. 383 // 384 // The loop uses a digest as input. In the first round it is the 385 // digest produced in step 12. In the latter steps it is the digest 386 // produced in step 21.h. The following text uses the notation 387 // "digest A/C" to describe this behavior. 388 /* 389 * Repeatedly run the collected hash value through sha512 to burn CPU cycles. 390 */ 391 for (int i = 0; i <= rounds - 1; i++) { 392 // a) start digest C 393 /* 394 * New context. 395 */ 396 ctx = DigestUtils.getDigest(algorithm); 397 398 // b) for odd round numbers add the byte sequense P to digest C 399 // c) for even round numbers add digest A/C 400 /* 401 * Add key or last result. 402 */ 403 if ((i & 1) != 0) { 404 ctx.update(pBytes, 0, keyLen); 405 } else { 406 ctx.update(altResult, 0, blocksize); 407 } 408 409 // d) for all round numbers not divisible by 3 add the byte sequence S 410 /* 411 * Add salt for numbers not divisible by 3. 412 */ 413 if (i % 3 != 0) { 414 ctx.update(sBytes, 0, saltLen); 415 } 416 417 // e) for all round numbers not divisible by 7 add the byte sequence P 418 /* 419 * Add key for numbers not divisible by 7. 420 */ 421 if (i % 7 != 0) { 422 ctx.update(pBytes, 0, keyLen); 423 } 424 425 // f) for odd round numbers add digest A/C 426 // g) for even round numbers add the byte sequence P 427 /* 428 * Add key or last result. 429 */ 430 if ((i & 1) != 0) { 431 ctx.update(altResult, 0, blocksize); 432 } else { 433 ctx.update(pBytes, 0, keyLen); 434 } 435 436 // h) finish digest C. 437 /* 438 * Create intermediate result. 439 */ 440 altResult = ctx.digest(); 441 } 442 443 // 22. Produce the output string. This is an ASCII string of the maximum 444 // size specified above, consisting of multiple pieces: 445 // 446 // a) the salt salt_prefix, $5$ or $6$ respectively 447 // 448 // b) the rounds=<N> specification, if one was present in the input 449 // salt string. A trailing '$' is added in this case to separate 450 // the rounds specification from the following text. 451 // 452 // c) the salt string truncated to 16 characters 453 // 454 // d) a '$' character 455 /* 456 * Now we can construct the result string. It consists of three parts. 457 */ 458 final StringBuilder buffer = new StringBuilder(saltPrefix); 459 if (roundsCustom) { 460 buffer.append(ROUNDS_PREFIX); 461 buffer.append(rounds); 462 buffer.append("$"); 463 } 464 buffer.append(saltString); 465 buffer.append("$"); 466 467 // e) the base-64 encoded final C digest. The encoding used is as 468 // follows: 469 // [...] 470 // 471 // Each group of three bytes from the digest produces four 472 // characters as output: 473 // 474 // 1. character: the six low bits of the first byte 475 // 2. character: the two high bits of the first byte and the 476 // four low bytes from the second byte 477 // 3. character: the four high bytes from the second byte and 478 // the two low bits from the third byte 479 // 4. character: the six high bits from the third byte 480 // 481 // The groups of three bytes are as follows (in this sequence). 482 // These are the indices into the byte array containing the 483 // digest, starting with index 0. For the last group there are 484 // not enough bytes left in the digest and the value zero is used 485 // in its place. This group also produces only three or two 486 // characters as output for SHA-512 and SHA-512 respectively. 487 488 // This was just a safeguard in the C implementation: 489 // int buflen = salt_prefix.length() - 1 + ROUNDS_PREFIX.length() + 9 + 1 + salt_string.length() + 1 + 86 + 1; 490 491 if (blocksize == 32) { 492 B64.b64from24bit(altResult[0], altResult[10], altResult[20], 4, buffer); 493 B64.b64from24bit(altResult[21], altResult[1], altResult[11], 4, buffer); 494 B64.b64from24bit(altResult[12], altResult[22], altResult[2], 4, buffer); 495 B64.b64from24bit(altResult[3], altResult[13], altResult[23], 4, buffer); 496 B64.b64from24bit(altResult[24], altResult[4], altResult[14], 4, buffer); 497 B64.b64from24bit(altResult[15], altResult[25], altResult[5], 4, buffer); 498 B64.b64from24bit(altResult[6], altResult[16], altResult[26], 4, buffer); 499 B64.b64from24bit(altResult[27], altResult[7], altResult[17], 4, buffer); 500 B64.b64from24bit(altResult[18], altResult[28], altResult[8], 4, buffer); 501 B64.b64from24bit(altResult[9], altResult[19], altResult[29], 4, buffer); 502 B64.b64from24bit((byte) 0, altResult[31], altResult[30], 3, buffer); 503 } else { 504 B64.b64from24bit(altResult[0], altResult[21], altResult[42], 4, buffer); 505 B64.b64from24bit(altResult[22], altResult[43], altResult[1], 4, buffer); 506 B64.b64from24bit(altResult[44], altResult[2], altResult[23], 4, buffer); 507 B64.b64from24bit(altResult[3], altResult[24], altResult[45], 4, buffer); 508 B64.b64from24bit(altResult[25], altResult[46], altResult[4], 4, buffer); 509 B64.b64from24bit(altResult[47], altResult[5], altResult[26], 4, buffer); 510 B64.b64from24bit(altResult[6], altResult[27], altResult[48], 4, buffer); 511 B64.b64from24bit(altResult[28], altResult[49], altResult[7], 4, buffer); 512 B64.b64from24bit(altResult[50], altResult[8], altResult[29], 4, buffer); 513 B64.b64from24bit(altResult[9], altResult[30], altResult[51], 4, buffer); 514 B64.b64from24bit(altResult[31], altResult[52], altResult[10], 4, buffer); 515 B64.b64from24bit(altResult[53], altResult[11], altResult[32], 4, buffer); 516 B64.b64from24bit(altResult[12], altResult[33], altResult[54], 4, buffer); 517 B64.b64from24bit(altResult[34], altResult[55], altResult[13], 4, buffer); 518 B64.b64from24bit(altResult[56], altResult[14], altResult[35], 4, buffer); 519 B64.b64from24bit(altResult[15], altResult[36], altResult[57], 4, buffer); 520 B64.b64from24bit(altResult[37], altResult[58], altResult[16], 4, buffer); 521 B64.b64from24bit(altResult[59], altResult[17], altResult[38], 4, buffer); 522 B64.b64from24bit(altResult[18], altResult[39], altResult[60], 4, buffer); 523 B64.b64from24bit(altResult[40], altResult[61], altResult[19], 4, buffer); 524 B64.b64from24bit(altResult[62], altResult[20], altResult[41], 4, buffer); 525 B64.b64from24bit((byte) 0, (byte) 0, altResult[63], 2, buffer); 526 } 527 528 /* 529 * Clear the buffer for the intermediate result so that people attaching to processes or reading core dumps 530 * cannot get any information. 531 */ 532 // Is there a better way to do this with the JVM? 533 Arrays.fill(tempResult, (byte) 0); 534 Arrays.fill(pBytes, (byte) 0); 535 Arrays.fill(sBytes, (byte) 0); 536 ctx.reset(); 537 altCtx.reset(); 538 Arrays.fill(keyBytes, (byte) 0); 539 Arrays.fill(saltBytes, (byte) 0); 540 541 return buffer.toString(); 542 } 543 544 /** 545 * Generates a libc crypt() compatible "$6$" hash value with random salt. 546 * <p> 547 * See {@link Crypt#crypt(String, String)} for details. 548 * </p> 549 * <p> 550 * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using 551 * {@link SecureRandom} to generate your own salts and calling {@link #sha512Crypt(byte[], String)}. 552 * </p> 553 * 554 * @param keyBytes 555 * plaintext to hash 556 * @return complete hash value 557 * @throws IllegalArgumentException 558 * when a {@link java.security.NoSuchAlgorithmException} is caught. 559 */ 560 public static String sha512Crypt(final byte[] keyBytes) { 561 return sha512Crypt(keyBytes, null); 562 } 563 564 /** 565 * Generates a libc6 crypt() compatible "$6$" hash value. 566 * <p> 567 * See {@link Crypt#crypt(String, String)} for details. 568 * </p> 569 * @param keyBytes 570 * plaintext to hash 571 * @param salt 572 * real salt value without prefix or "rounds=". The salt may be null, in which case a salt is generated 573 * for you using {@link SecureRandom}; if you want to use a {@link Random} object other than 574 * {@link SecureRandom} then we suggest you provide it using 575 * {@link #sha512Crypt(byte[], String, Random)}. 576 * @return complete hash value including salt 577 * @throws IllegalArgumentException 578 * if the salt does not match the allowed pattern 579 * @throws IllegalArgumentException 580 * when a {@link java.security.NoSuchAlgorithmException} is caught. 581 */ 582 public static String sha512Crypt(final byte[] keyBytes, String salt) { 583 if (salt == null) { 584 salt = SHA512_PREFIX + B64.getRandomSalt(8); 585 } 586 return sha2Crypt(keyBytes, salt, SHA512_PREFIX, SHA512_BLOCKSIZE, MessageDigestAlgorithms.SHA_512); 587 } 588 589 590 591 /** 592 * Generates a libc6 crypt() compatible "$6$" hash value. 593 * <p> 594 * See {@link Crypt#crypt(String, String)} for details. 595 * </p> 596 * @param keyBytes 597 * plaintext to hash 598 * @param salt 599 * real salt value without prefix or "rounds=". The salt may be null, in which case a salt 600 * is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using 601 * {@link SecureRandom} to generate your own salts. 602 * @param random 603 * the instance of {@link Random} to use for generating the salt. Consider using {@link SecureRandom} 604 * or {@link ThreadLocalRandom}. 605 * @return complete hash value including salt 606 * @throws IllegalArgumentException 607 * if the salt does not match the allowed pattern 608 * @throws IllegalArgumentException 609 * when a {@link java.security.NoSuchAlgorithmException} is caught. 610 * @since 1.12 611 */ 612 public static String sha512Crypt(final byte[] keyBytes, String salt, final Random random) { 613 if (salt == null) { 614 salt = SHA512_PREFIX + B64.getRandomSalt(8, random); 615 } 616 return sha2Crypt(keyBytes, salt, SHA512_PREFIX, SHA512_BLOCKSIZE, MessageDigestAlgorithms.SHA_512); 617 } 618}