/**
 * Verifies a plain-text password against an LDAP-style encoded value such as
 * "{SSHA}sQuQF8vj8Eg2Y1hPdh3bkQhCKQBgjhQI".
 *
 * <p>This overload only converts the {@link CharSequence} to a {@link String} and
 * hands off to the {@code String} overload, which does the actual comparison. A
 * {@code null} raw password is forwarded as {@code null}; how it is treated is
 * decided by that overload.
 *
 * <p>Security note: the SHA and SSHA LDAP schemes are unsalted and salted SHA-1, a
 * fast digest. They are suitable for interoperating with existing directory
 * entries, not as a storage format for new passwords.
 *
 * @param rawPassword unencoded password to be verified.
 * @param encodedPassword the actual SSHA or SHA encoded password
 *
 * @return true if they match (independent of the case of the prefix).
 */
public boolean matches(CharSequence rawPassword, String encodedPassword) {
    // Keep the local typed as String so the call binds to the String overload
    // and not back to this method.
    String candidate = null;
    if (rawPassword != null) {
        candidate = rawPassword.toString();
    }
    return matches(candidate, encodedPassword);
}
/**
 * Checks a plain-text password against an encoded one in the form
 * "{SSHA}sQuQF8vj8Eg2Y1hPdh3bkQhCKQBgjhQI".
 *
 * <p>Thin adapter: the {@link CharSequence} is turned into a {@link String} (or left
 * as {@code null}) and the {@code String} overload performs the verification.
 *
 * <p>Security note: SHA / SSHA are SHA-1 based LDAP schemes. Because the digest is
 * cheap to compute, prefer an adaptive password hash for anything that is not
 * constrained by directory compatibility.
 *
 * @param rawPassword unencoded password to be verified.
 * @param encodedPassword the actual SSHA or SHA encoded password
 *
 * @return true if they match (independent of the case of the prefix).
 */
public boolean matches(CharSequence rawPassword, String encodedPassword) {
    if (rawPassword == null) {
        // The cast pins overload resolution to the String variant.
        return matches((String) null, encodedPassword);
    }
    return matches(rawPassword.toString(), encodedPassword);
}
@Test // SEC-1031 public void fullLengthOfHashIsUsedInComparison() throws Exception { assertThat(this.sha.matches("boabspasswurd", "{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgX")).isTrue(); // Change the first hash character from '2' to '3' assertThat(this.sha.matches("boabspasswurd", "{SSHA}35ro4PKC8jhQZ26jVsozhX/xaP0suHgX")).isFalse(); // Change the last hash character from 'X' to 'Y' assertThat(this.sha.matches("boabspasswurd", "{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgY")).isFalse(); }
/**
 * Test values generated by 'slappasswd -s boabspasswurd'
 *
 * <p>Two different encoded values for the same password are accepted, one with
 * an upper-case and one with a lower-case scheme prefix (presumably produced
 * with different salts - confirm). Both must verify whichever way the
 * force-lower-case-prefix switch is set.
 */
@Test
public void validSaltedPasswordSucceeds() {
    final String password = "boabspasswurd";
    final String upperPrefixHash = "{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgX";
    final String lowerPrefixHash = "{ssha}PQy2j+6n5ytA+YlAKkM8Fh4p6u2JxfVd";

    // Same order as before: first with the switch off, then with it on.
    for (boolean forceLowerCase : new boolean[] {false, true}) {
        this.sha.setForceLowerCasePrefix(forceLowerCase);
        assertThat(this.sha.matches(password, upperPrefixHash)).isTrue();
        assertThat(this.sha.matches(password, lowerPrefixHash)).isTrue();
    }
}
/**
 * Test values generated by 'slappasswd -h {SHA} -s boabspasswurd'
 *
 * <p>The unsalted digest is identical in both fixtures. Only the case of the
 * scheme prefix differs, and verification must succeed for either spelling with
 * the force-lower-case-prefix switch off and on.
 */
@Test
public void validPasswordSucceeds() {
    final String password = "boabspasswurd";
    final String upperPrefixHash = "{SHA}ddSFGmjXYPbZC+NXR2kCzBRjqiE=";
    final String lowerPrefixHash = "{sha}ddSFGmjXYPbZC+NXR2kCzBRjqiE=";

    // Same order as before: first with the switch off, then with it on.
    for (boolean forceLowerCase : new boolean[] {false, true}) {
        this.sha.setForceLowerCasePrefix(forceLowerCase);
        assertThat(this.sha.matches(password, upperPrefixHash)).isTrue();
        assertThat(this.sha.matches(password, lowerPrefixHash)).isTrue();
    }
}
/**
 * An encoded value whose scheme prefix is never closed must be refused with an
 * {@link IllegalArgumentException} rather than evaluated as a hash.
 */
@Test(expected = IllegalArgumentException.class)
public void malformedPrefixIsRejected() {
    // No right brace
    final String missingRightBrace = "{SSHA25ro4PKC8jhQZ26jVsozhX/xaP0suHgX";
    this.sha.matches("somepassword", missingRightBrace);
}
}
/**
 * A password that does not correspond to the stored unsalted SHA value must
 * yield {@code false}.
 */
@Test
public void invalidPasswordFails() {
    final String storedHash = "{SHA}ddSFGmjXYPbZC+NXR2kCzBRjqiE=";
    final boolean accepted = this.sha.matches("wrongpassword", storedHash);
    assertThat(accepted).isFalse();
}
/**
 * An encoded value that names an unsupported scheme must be refused with an
 * {@link IllegalArgumentException}, so that an unknown prefix fails loudly
 * instead of being compared under some other scheme.
 */
@Test(expected = IllegalArgumentException.class)
public void invalidPrefixIsRejected() {
    final String unsupportedScheme = "{MD9}xxxxxxxxxx";
    this.sha.matches("somepassword", unsupportedScheme);
}
/**
 * Verifies a plain-text password against an LDAP-style encoded value such as
 * "{SSHA}sQuQF8vj8Eg2Y1hPdh3bkQhCKQBgjhQI".
 *
 * <p>The {@link CharSequence} argument is converted to a {@link String}, with
 * {@code null} passed through unchanged, and the {@code String} overload does the
 * comparison.
 *
 * <p>Security note: SHA and SSHA are SHA-1 based schemes. Treat them as a
 * compatibility format for existing LDAP data rather than a recommended way to
 * store new passwords.
 *
 * @param rawPassword unencoded password to be verified.
 * @param encodedPassword the actual SSHA or SHA encoded password
 *
 * @return true if they match (independent of the case of the prefix).
 */
public boolean matches(CharSequence rawPassword, String encodedPassword) {
    // Typed as String on purpose: this selects the String overload.
    final String rawAsString;
    if (rawPassword == null) {
        rawAsString = null;
    } else {
        rawAsString = rawPassword.toString();
    }
    return matches(rawAsString, encodedPassword);
}
/**
 * Checks a plain-text password against an encoded one in the form
 * "{SSHA}sQuQF8vj8Eg2Y1hPdh3bkQhCKQBgjhQI".
 *
 * <p>Adapter for {@link CharSequence} callers: the value is stringified (a
 * {@code null} stays {@code null}) and verification is delegated to the
 * {@code String} overload.
 *
 * <p>Security note: the supported schemes are built on SHA-1, which is fast to
 * compute. Use them for directory interoperability only.
 *
 * @param rawPassword unencoded password to be verified.
 * @param encodedPassword the actual SSHA or SHA encoded password
 *
 * @return true if they match (independent of the case of the prefix).
 */
public boolean matches(CharSequence rawPassword, String encodedPassword) {
    if (rawPassword != null) {
        return matches(rawPassword.toString(), encodedPassword);
    }
    // The cast pins overload resolution to the String variant.
    return matches((String) null, encodedPassword);
}
/**
 * Verifies a plain-text password against an LDAP-style encoded value such as
 * "{SSHA}sQuQF8vj8Eg2Y1hPdh3bkQhCKQBgjhQI".
 *
 * <p>This overload exists for {@link CharSequence} inputs. It converts the value to
 * a {@link String}, forwarding {@code null} as {@code null}, and leaves the
 * verification to the {@code String} overload.
 *
 * <p>Security note: SHA / SSHA are unsalted / salted SHA-1. They remain useful for
 * checking entries that already exist in an LDAP directory, but a fast digest is
 * not an appropriate choice for newly stored passwords.
 *
 * @param rawPassword unencoded password to be verified.
 * @param encodedPassword the actual SSHA or SHA encoded password
 *
 * @return true if they match (independent of the case of the prefix).
 */
public boolean matches(CharSequence rawPassword, String encodedPassword) {
    // Declared as String so that the delegate call resolves to the String overload.
    String plain = null;
    if (rawPassword != null) {
        plain = rawPassword.toString();
    }
    return matches(plain, encodedPassword);
}
/**
 * Asserts that a protected (encrypted) password value corresponds to the expected
 * password.
 *
 * <p>The value is decrypted first. If the decrypted text starts with "{" or
 * contains "}", it is treated as a hashed value and checked through
 * {@code ldapShaPasswordEncoder.matches}. Otherwise it is compared to the expected
 * password for plain equality.
 *
 * <p>NOTE(review): the decrypted (stored) value is passed as the first argument of
 * {@code matches} and {@code expectedPassword} as the second. If the encoder's
 * signature is {@code matches(rawPassword, encodedPassword)}, these look swapped -
 * confirm against the encoder's declaration.
 *
 * <p>NOTE(review): because the two checks are joined with {@code ||}, a value that
 * merely contains "}" is routed to the hash branch even without a leading "{" -
 * confirm that this is intended.
 *
 * <p>NOTE(review): the failure messages embed the decrypted value. That is fine for
 * test fixtures, but do not reuse this pattern where real credentials could end
 * up in logs or reports.
 *
 * @param protectedStringType the protected password value; must not be null
 * @param expectedPassword the password the value is expected to correspond to
 * @param source the object the value was taken from, used in failure messages only
 * @throws EncryptionException if the value cannot be decrypted
 */
protected <O extends ObjectType> void assertLdapPassword(ProtectedStringType protectedStringType, String expectedPassword, PrismObject<O> source) throws EncryptionException {
    assertNotNull("No password value in "+source, protectedStringType);

    final String actual = protector.decryptString(protectedStringType);
    assertNotNull("Null password in " + source, actual);

    final boolean looksHashed = actual.startsWith("{") || actual.contains("}");
    if (!looksHashed) {
        assertEquals("Wrong password in "+source, expectedPassword, actual);
        return;
    }

    // Build the message before calling the encoder, in the original evaluation order.
    final String failureMessage = "Wrong password hash in "+source+": "+actual+", expected "+expectedPassword;
    assertTrue(failureMessage, ldapShaPasswordEncoder.matches(actual, expectedPassword));
}