001/* 002 * Licensed to the Apache Software Foundation (ASF) under one or more 003 * contributor license agreements. See the NOTICE file distributed with 004 * this work for additional information regarding copyright ownership. 005 * The ASF licenses this file to You under the Apache License, Version 2.0 006 * (the "License"); you may not use this file except in compliance with 007 * the License. You may obtain a copy of the License at 008 * 009 * http://www.apache.org/licenses/LICENSE-2.0 010 * 011 * Unless required by applicable law or agreed to in writing, software 012 * distributed under the License is distributed on an "AS IS" BASIS, 013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 014 * See the License for the specific language governing permissions and 015 * limitations under the License. 016 */ 017package org.apache.commons.codec.digest; 018 019import java.nio.charset.StandardCharsets; 020import java.security.MessageDigest; 021import java.security.SecureRandom; 022import java.util.Arrays; 023import java.util.Objects; 024import java.util.Random; 025import java.util.regex.Matcher; 026import java.util.regex.Pattern; 027 028/** 029 * The libc crypt() "$1$" and Apache "$apr1$" MD5-based hash algorithm. 030 * <p> 031 * Based on the public domain ("beer-ware") C implementation from Poul-Henning Kamp which was found at: <a 032 * href="http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libcrypt/crypt-md5.c?rev=1.1;content-type=text%2Fplain"> 033 * crypt-md5.c @ freebsd.org</a> 034 * </p> 035 * <p> 036 * Source: 037 * </p> 038 * <pre> 039 * $FreeBSD: src/lib/libcrypt/crypt-md5.c,v 1.1 1999/01/21 13:50:09 brandon Exp $ 040 * </pre> 041 * <p> 042 * Conversion to Kotlin and from there to Java in 2012. 043 * </p> 044 * <p> 045 * The C style comments are from the original C code, the ones with "//" from the port. 046 * </p> 047 * <p> 048 * This class is immutable and thread-safe. 049 * </p> 050 * 051 * @since 1.7 052 */ 053public class Md5Crypt { 054 055 /** The Identifier of the Apache variant. */ 056 static final String APR1_PREFIX = "$apr1$"; 057 058 /** The number of bytes of the final hash. */ 059 private static final int BLOCKSIZE = 16; 060 061 /** The Identifier of this crypt() variant. */ 062 static final String MD5_PREFIX = "$1$"; 063 064 /** The number of rounds of the big loop. */ 065 private static final int ROUNDS = 1000; 066 067 /** 068 * See {@link #apr1Crypt(byte[], String)} for details. 069 * <p> 070 * A salt is generated for you using {@link SecureRandom}; your own {@link Random} in 071 * {@link #apr1Crypt(byte[], Random)}. 072 * </p> 073 * 074 * @param keyBytes plaintext string to hash. Each array element is set to {@code 0} before returning. 075 * @return the hash value 076 * @throws IllegalArgumentException when a {@link java.security.NoSuchAlgorithmException} is caught. * 077 * @see #apr1Crypt(byte[], String) 078 */ 079 public static String apr1Crypt(final byte[] keyBytes) { 080 return apr1Crypt(keyBytes, APR1_PREFIX + B64.getRandomSalt(8)); 081 } 082 083 /** 084 * See {@link #apr1Crypt(byte[], String)} for details. 085 * <p> 086 * A salt is generated for you using the user provided {@link Random}. 087 * </p> 088 * 089 * @param keyBytes plaintext string to hash. Each array element is set to {@code 0} before returning. 090 * @param random the instance of {@link Random} to use for generating the salt. 091 * Consider using {@link SecureRandom} for more secure salts. 092 * @return the hash value 093 * @throws IllegalArgumentException when a {@link java.security.NoSuchAlgorithmException} is caught. * 094 * @see #apr1Crypt(byte[], String) 095 * @since 1.12 096 */ 097 public static String apr1Crypt(final byte[] keyBytes, final Random random) { 098 return apr1Crypt(keyBytes, APR1_PREFIX + B64.getRandomSalt(8, random)); 099 } 100 101 /** 102 * See {@link #apr1Crypt(String, String)} for details. 103 * <p> 104 * A salt is generated for you using {@link SecureRandom} 105 * </p> 106 * 107 * @param keyBytes 108 * plaintext string to hash. Each array element is set to {@code 0} before returning. 109 * @param salt 110 * An APR1 salt. The salt may be null, in which case a salt is generated for you using 111 * {@link SecureRandom} 112 * @return the hash value 113 * @throws IllegalArgumentException 114 * if the salt does not match the allowed pattern 115 * @throws IllegalArgumentException 116 * when a {@link java.security.NoSuchAlgorithmException} is caught. 117 */ 118 public static String apr1Crypt(final byte[] keyBytes, String salt) { 119 // to make the md5Crypt regex happy 120 if (salt != null && !salt.startsWith(APR1_PREFIX)) { 121 salt = APR1_PREFIX + salt; 122 } 123 return Md5Crypt.md5Crypt(keyBytes, salt, APR1_PREFIX); 124 } 125 126 /** 127 * See {@link #apr1Crypt(String, String)} for details. 128 * <p> 129 * A salt is generated for you using {@link SecureRandom}. 130 * </p> 131 * 132 * @param keyBytes 133 * plaintext string to hash. Each array element is set to {@code 0} before returning. 134 * @return the hash value 135 * @throws IllegalArgumentException 136 * when a {@link java.security.NoSuchAlgorithmException} is caught. 137 * @see #apr1Crypt(byte[], String) 138 */ 139 public static String apr1Crypt(final String keyBytes) { 140 return apr1Crypt(keyBytes.getBytes(StandardCharsets.UTF_8)); 141 } 142 143 /** 144 * Generates an Apache htpasswd compatible "$apr1$" MD5 based hash value. 145 * <p> 146 * The algorithm is identical to the crypt(3) "$1$" one but produces different outputs due to the different salt 147 * prefix. 148 * </p> 149 * 150 * @param keyBytes 151 * plaintext string to hash. Each array element is set to {@code 0} before returning. 152 * @param salt 153 * salt string including the prefix and optionally garbage at the end. The salt may be null, in which 154 * case a salt is generated for you using {@link SecureRandom}. 155 * @return the hash value 156 * @throws IllegalArgumentException 157 * if the salt does not match the allowed pattern 158 * @throws IllegalArgumentException 159 * when a {@link java.security.NoSuchAlgorithmException} is caught. 160 */ 161 public static String apr1Crypt(final String keyBytes, final String salt) { 162 return apr1Crypt(keyBytes.getBytes(StandardCharsets.UTF_8), salt); 163 } 164 165 /** 166 * Generates a libc6 crypt() compatible "$1$" hash value. 167 * <p> 168 * See {@link #md5Crypt(byte[], String)} for details. 169 * </p> 170 * <p> 171 * A salt is generated for you using {@link SecureRandom}. 172 * </p> 173 * @param keyBytes 174 * plaintext string to hash. Each array element is set to {@code 0} before returning. 175 * @return the hash value 176 * @throws IllegalArgumentException 177 * when a {@link java.security.NoSuchAlgorithmException} is caught. 178 * @see #md5Crypt(byte[], String) 179 */ 180 public static String md5Crypt(final byte[] keyBytes) { 181 return md5Crypt(keyBytes, MD5_PREFIX + B64.getRandomSalt(8)); 182 } 183 184 /** 185 * Generates a libc6 crypt() compatible "$1$" hash value. 186 * <p> 187 * See {@link #md5Crypt(byte[], String)} for details. 188 * </p> 189 * <p> 190 * A salt is generated for you using the instance of {@link Random} you supply. 191 * </p> 192 * @param keyBytes 193 * plaintext string to hash. Each array element is set to {@code 0} before returning. 194 * @param random 195 * the instance of {@link Random} to use for generating the salt. 196 * Consider using {@link SecureRandom} for more secure salts. 197 * @return the hash value 198 * @throws IllegalArgumentException 199 * when a {@link java.security.NoSuchAlgorithmException} is caught. 200 * @see #md5Crypt(byte[], String) 201 * @since 1.12 202 */ 203 public static String md5Crypt(final byte[] keyBytes, final Random random) { 204 return md5Crypt(keyBytes, MD5_PREFIX + B64.getRandomSalt(8, random)); 205 } 206 207 /** 208 * Generates a libc crypt() compatible "$1$" MD5 based hash value. 209 * <p> 210 * See {@link Crypt#crypt(String, String)} for details. We use {@link SecureRandom} for seed generation by 211 * default. 212 * </p> 213 * 214 * @param keyBytes 215 * plaintext string to hash. Each array element is set to {@code 0} before returning. 216 * @param salt 217 * salt string including the prefix and optionally garbage at the end. The salt may be null, in which 218 * case a salt is generated for you using {@link SecureRandom}. 219 * @return the hash value 220 * @throws IllegalArgumentException 221 * if the salt does not match the allowed pattern 222 * @throws IllegalArgumentException 223 * when a {@link java.security.NoSuchAlgorithmException} is caught. 224 */ 225 public static String md5Crypt(final byte[] keyBytes, final String salt) { 226 return md5Crypt(keyBytes, salt, MD5_PREFIX); 227 } 228 229 /** 230 * Generates a libc6 crypt() "$1$" or Apache htpasswd "$apr1$" hash value. 231 * <p> 232 * See {@link Crypt#crypt(String, String)} or {@link #apr1Crypt(String, String)} for details. We use 233 * {@link SecureRandom by default}. 234 * </p> 235 * 236 * @param keyBytes 237 * plaintext string to hash. Each array element is set to {@code 0} before returning. 238 * @param salt 239 * real salt value without prefix or "rounds=". The salt may be null, in which case a salt 240 * is generated for you using {@link SecureRandom}. 241 * @param prefix 242 * The salt prefix {@value #APR1_PREFIX}, {@value #MD5_PREFIX}. 243 * @return the hash value 244 * @throws IllegalArgumentException 245 * if the salt does not match the allowed pattern 246 * @throws IllegalArgumentException 247 * when a {@link java.security.NoSuchAlgorithmException} is caught. 248 */ 249 public static String md5Crypt(final byte[] keyBytes, final String salt, final String prefix) { 250 return md5Crypt(keyBytes, salt, prefix, new SecureRandom()); 251 } 252 253 /** 254 * Generates a libc6 crypt() "$1$" or Apache htpasswd "$apr1$" hash value. 255 * <p> 256 * See {@link Crypt#crypt(String, String)} or {@link #apr1Crypt(String, String)} for details. 257 * </p> 258 * 259 * @param keyBytes 260 * plaintext string to hash. Each array element is set to {@code 0} before returning. 261 * @param salt 262 * real salt value without prefix or "rounds=". The salt may be null, in which case a salt 263 * is generated for you using {@link SecureRandom}. 264 * @param prefix 265 * The salt prefix {@value #APR1_PREFIX}, {@value #MD5_PREFIX}. 266 * @param random 267 * the instance of {@link Random} to use for generating the salt. 268 * Consider using {@link SecureRandom} for more secure salts. 269 * @return the hash value 270 * @throws IllegalArgumentException 271 * if the salt or prefix does not match the allowed pattern 272 * @throws IllegalArgumentException 273 * when a {@link java.security.NoSuchAlgorithmException} is caught. 274 * @since 1.12 275 */ 276 public static String md5Crypt(final byte[] keyBytes, final String salt, final String prefix, final Random random) { 277 final int keyLen = keyBytes.length; 278 279 // Extract the real salt from the given string which can be a complete hash string. 280 final String saltString; 281 if (salt == null) { 282 saltString = B64.getRandomSalt(8, random); 283 } else { 284 Objects.requireNonNull(prefix, "prefix"); 285 if (prefix.length() < 3) { 286 throw new IllegalArgumentException("Invalid prefix value: " + prefix); 287 } 288 if (prefix.charAt(0) != '$' && prefix.charAt(prefix.length() - 1) != '$') { 289 throw new IllegalArgumentException("Invalid prefix value: " + prefix); 290 } 291 final Pattern p = Pattern.compile("^" + prefix.replace("$", "\\$") + "([\\.\\/a-zA-Z0-9]{1,8}).*"); 292 final Matcher m = p.matcher(salt); 293 if (!m.find()) { 294 throw new IllegalArgumentException("Invalid salt value: " + salt); 295 } 296 saltString = m.group(1); 297 } 298 final byte[] saltBytes = saltString.getBytes(StandardCharsets.UTF_8); 299 300 final MessageDigest ctx = DigestUtils.getMd5Digest(); 301 302 /* 303 * The password first, since that is what is most unknown 304 */ 305 ctx.update(keyBytes); 306 307 /* 308 * Then our magic string 309 */ 310 ctx.update(prefix.getBytes(StandardCharsets.UTF_8)); 311 312 /* 313 * Then the raw salt 314 */ 315 ctx.update(saltBytes); 316 317 /* 318 * Then just as many characters of the MD5(pw,salt,pw) 319 */ 320 MessageDigest ctx1 = DigestUtils.getMd5Digest(); 321 ctx1.update(keyBytes); 322 ctx1.update(saltBytes); 323 ctx1.update(keyBytes); 324 byte[] finalb = ctx1.digest(); 325 int ii = keyLen; 326 while (ii > 0) { 327 ctx.update(finalb, 0, Math.min(ii, 16)); 328 ii -= 16; 329 } 330 331 /* 332 * Don't leave anything around in JVM they could use. 333 */ 334 Arrays.fill(finalb, (byte) 0); 335 336 /* 337 * Then something really weird... 338 */ 339 ii = keyLen; 340 final int j = 0; 341 while (ii > 0) { 342 if ((ii & 1) == 1) { 343 ctx.update(finalb[j]); 344 } else { 345 ctx.update(keyBytes[j]); 346 } 347 ii >>= 1; 348 } 349 350 /* 351 * Now make the output string 352 */ 353 final StringBuilder passwd = new StringBuilder(prefix + saltString + "$"); 354 finalb = ctx.digest(); 355 356 /* 357 * and now, just to make sure things don't run too fast On a 60 Mhz Pentium this takes 34 milliseconds, so you 358 * would need 30 seconds to build a 1000 entry dictionary... 359 */ 360 for (int i = 0; i < ROUNDS; i++) { 361 ctx1 = DigestUtils.getMd5Digest(); 362 if ((i & 1) != 0) { 363 ctx1.update(keyBytes); 364 } else { 365 ctx1.update(finalb, 0, BLOCKSIZE); 366 } 367 368 if (i % 3 != 0) { 369 ctx1.update(saltBytes); 370 } 371 372 if (i % 7 != 0) { 373 ctx1.update(keyBytes); 374 } 375 376 if ((i & 1) != 0) { 377 ctx1.update(finalb, 0, BLOCKSIZE); 378 } else { 379 ctx1.update(keyBytes); 380 } 381 finalb = ctx1.digest(); 382 } 383 384 // The following was nearly identical to the Sha2Crypt code. 385 // Again, the buflen is not really needed. 386 // int buflen = MD5_PREFIX.length() - 1 + salt_string.length() + 1 + BLOCKSIZE + 1; 387 B64.b64from24bit(finalb[0], finalb[6], finalb[12], 4, passwd); 388 B64.b64from24bit(finalb[1], finalb[7], finalb[13], 4, passwd); 389 B64.b64from24bit(finalb[2], finalb[8], finalb[14], 4, passwd); 390 B64.b64from24bit(finalb[3], finalb[9], finalb[15], 4, passwd); 391 B64.b64from24bit(finalb[4], finalb[10], finalb[5], 4, passwd); 392 B64.b64from24bit((byte) 0, (byte) 0, finalb[11], 2, passwd); 393 394 /* 395 * Don't leave anything around in JVM they could use. 396 */ 397 // Is there a better way to do this with the JVM? 398 ctx.reset(); 399 ctx1.reset(); 400 Arrays.fill(keyBytes, (byte) 0); 401 Arrays.fill(saltBytes, (byte) 0); 402 Arrays.fill(finalb, (byte) 0); 403 404 return passwd.toString(); 405 } 406 407 /** 408 * TODO Make private in 2.0. 409 * 410 * @deprecated TODO Make private in 2.0. 411 */ 412 @Deprecated 413 public Md5Crypt() { 414 // empty 415 } 416}