aaa-password-service/impl/src/main/java/org/opendaylight/aaa/impl/password/service/DefaultPasswordHashService.java

   1 /*
   2  * Copyright © 2018 Inocybe Technologies and others.  All rights reserved.
   3  *
   4  * This program and the accompanying materials are made available under the
   5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
   6  * and is available at http://www.eclipse.org/legal/epl-v10.html
   7  */
   8 package org.opendaylight.aaa.impl.password.service;
   9
  10 import org.apache.shiro.codec.Base64;
  11 import org.apache.shiro.crypto.hash.DefaultHashService;
  12 import org.apache.shiro.crypto.hash.HashRequest;
  13 import org.apache.shiro.crypto.hash.SimpleHashRequest;
  14 import org.apache.shiro.util.ByteSource;
  15 import org.opendaylight.aaa.api.password.service.PasswordHash;
  16 import org.opendaylight.aaa.api.password.service.PasswordHashService;
  17 import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.password.service.config.rev170619.PasswordServiceConfig;
  18 import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.password.service.config.rev170619.PasswordServiceConfigBuilder;
  19 import org.slf4j.Logger;
  20 import org.slf4j.LoggerFactory;
  21
  22 public class DefaultPasswordHashService implements PasswordHashService {
  23     private static final Logger LOG = LoggerFactory.getLogger(DefaultPasswordHashService.class);
  24
  25     public static final String DEFAULT_HASH_ALGORITHM = "SHA-512";
  26     public static final int DEFAULT_NUM_ITERATIONS = 20000;
  27
  28     private final DefaultHashService hashService;
  29
  30     public DefaultPasswordHashService() {
  31         this(new PasswordServiceConfigBuilder().build());
  32     }
  33
  34     public DefaultPasswordHashService(final PasswordServiceConfig passwordServiceConfig) {
  35         hashService = createHashService(passwordServiceConfig.getIterations(), passwordServiceConfig.getAlgorithm(),
  36             passwordServiceConfig.getPrivateSalt());
  37     }
  38
  39     @Override
  40     public PasswordHash getPasswordHash(final String password) {
  41         final var hash =  hashService.computeHash(new HashRequest.Builder()
  42             .setAlgorithmName(hashService.getHashAlgorithmName())
  43             .setIterations(hashService.getHashIterations())
  44             .setSource(ByteSource.Util.bytes(password))
  45             .build());
  46         return PasswordHashImpl.create(
  47             hash.getAlgorithmName(),
  48             hash.getSalt().toBase64(),
  49             hash.getIterations(),
  50             hash.toBase64());
  51     }
  52
  53     @Override
  54     public PasswordHash getPasswordHash(final String password, final String salt) {
  55         final var hash = hashService.computeHash(new SimpleHashRequest(
  56             hashService.getHashAlgorithmName(),
  57             ByteSource.Util.bytes(password),
  58             ByteSource.Util.bytes(Base64.decode(salt)),
  59             hashService.getHashIterations()));
  60         return PasswordHashImpl.create(
  61             hash.getAlgorithmName(),
  62             hash.getSalt().toBase64(),
  63             hash.getIterations(),
  64             hash.toBase64());
  65     }
  66
  67     @Override
  68     public boolean passwordsMatch(final String plaintext, final String stored, final String salt) {
  69         return getPasswordHash(plaintext, salt).getHashedPassword().equals(stored);
  70     }
  71
  72     private static DefaultHashService createHashService(final Integer numIterations, final String hashAlgorithm,
  73             final String privateSalt) {
  74         final DefaultHashService hashService = new DefaultHashService();
  75
  76         if (numIterations != null) {
  77             hashService.setHashIterations(numIterations);
  78             LOG.info("DefaultPasswordHashService will utilize configured iteration count={}", numIterations);
  79         } else {
  80             hashService.setHashIterations(DEFAULT_NUM_ITERATIONS);
  81             LOG.info("DefaultPasswordHashService will utilize default iteration count={}", DEFAULT_NUM_ITERATIONS);
  82         }
  83
  84         if (hashAlgorithm != null) {
  85             hashService.setHashAlgorithmName(hashAlgorithm);
  86             LOG.info("DefaultPasswordHashService will utilize configured algorithm={}", hashAlgorithm);
  87         } else {
  88             hashService.setHashAlgorithmName(DEFAULT_HASH_ALGORITHM);
  89             LOG.info("DefaultPasswordHashService will utilize default algorithm={}", DEFAULT_HASH_ALGORITHM);
  90         }
  91
  92         if (privateSalt != null) {
  93             hashService.setPrivateSalt(ByteSource.Util.bytes(privateSalt));
  94             LOG.info("DefaultPasswordHashService will utilize a configured private salt");
  95         } else {
  96             hashService.setGeneratePublicSalt(true);
  97             LOG.info("DefaultPasswordHashService will not utilize a private salt, since none was configured");
  98         }
  99
 100         return hashService;
 101     }
 102 }