diff --git a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
index 7257fa49da3..abc63776b35 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
@@ -651,6 +651,10 @@ public static String hashpw(String password, String salt) {
 char minor = (char)0;
 int rounds, off = 0;
 StringBuffer rs = new StringBuffer();
+
+ if (salt==null || salt.length()<4) {
+ throw new IllegalArgumentException ("Invalid salt length");
+ }
 if (salt.charAt(0) != '$' || salt.charAt(1) != '2')
 throw new IllegalArgumentException ("Invalid salt version");
@@ -663,7 +667,11 @@ public static String hashpw(String password, String salt) {
 off = 4;
 }
- // Extract number of rounds
+ if (salt.length() '$') throw new IllegalArgumentException ("Missing salt rounds");
 rounds = Integer.parseInt(salt.substring(off, off + 2));
diff --git a/crypto/src/main/java/org/springframework/security/crypto/codec/Utf8.java b/crypto/src/main/java/org/springframework/security/crypto/codec/Utf8.java
index 70ffc62a182..2bb7bd437da 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/codec/Utf8.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/codec/Utf8.java
@@ -4,7 +4,6 @@
 import java.nio.CharBuffer;
 import java.nio.charset.CharacterCodingException;
 import java.nio.charset.Charset;
-import java.util.*;
 /**
  * UTF-8 Charset encoder/decoder.
diff --git a/crypto/src/main/java/org/springframework/security/crypto/keygen/SecureRandomBytesKeyGenerator.java b/crypto/src/main/java/org/springframework/security/crypto/keygen/SecureRandomBytesKeyGenerator.java
index 196df3de61d..da5e7368c29 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/keygen/SecureRandomBytesKeyGenerator.java
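Review bot: The `salt.length()<4` guard added at the top of hashpw, together with the rounds check in the second hunk, still lets through a salt that carries a valid version and rounds header but fewer than the 22 salt characters that follow it; hashpw continues past both hunks, and if the remainder extracts the salt with a fixed-width substring as jBCrypt does, such input presumably fails with a StringIndexOutOfBoundsException rather than the IllegalArgumentException these hunks establish — worth confirming against the rest of the method. Once `off` is known, one extra check, `if (salt.length() < off + 25) throw new IllegalArgumentException ("Invalid salt length");`, would reject it explicitly. Note also that the rounds condition in the second hunk reads as truncated in this rendering (`if (salt.length() '$')`), so its exact form could not be reviewed here, and the new comparisons are written without spaces (`salt==null || salt.length()<4`) where the surrounding code uses `off + 2`.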
+++ b/crypto/src/main/java/org/springframework/security/crypto/keygen/SecureRandomBytesKeyGenerator.java
@@ -15,8 +15,6 @@
  */
 package org.springframework.security.crypto.keygen;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
 import java.security.SecureRandom;
 /**
diff --git a/crypto/src/main/java/org/springframework/security/crypto/password/Digester.java b/crypto/src/main/java/org/springframework/security/crypto/password/Digester.java
index f5a060ab778..6a9102403bd 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/password/Digester.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/password/Digester.java
@@ -17,7 +17,6 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
 /**
  * Helper for working with the MessageDigest API.
diff --git a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java
index df341cb861c..b399bdf52a7 100644
--- a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java
+++ b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java
@@ -18,43 +18,83 @@ import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
-import org.junit.Test;
+import java.security.SecureRandom;
+import org.junit.Test;
 /**
 * @author Dave Syer
- *
+ *
 */
 public class BCryptPasswordEncoderTests {
- @Test
- public void matches() {
- BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
- String result = encoder.encode("password");
- assertFalse(result.equals("password"));
- assertTrue(encoder.matches("password", result));
- }
-
- @Test
- public void unicode() {
- BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
- String result = encoder.encode("passw\u9292rd");
- assertFalse(encoder.matches("pass\u9292\u9292rd", result));
- assertTrue(encoder.matches("passw\u9292rd", result));
- }
-
- @Test
- public void matchesLengthChecked() {
- BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
- String result = encoder.encode("password");
- assertFalse(encoder.matches("password", result.substring(0,result.length()-2)));
- }
-
- @Test
- public void notMatches() {
- BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
- String result = encoder.encode("password");
- assertFalse(encoder.matches("bogus", result));
- }
+ @Test
+ public void matches() {
+ BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+ String result = encoder.encode("password");
+ assertFalse(result.equals("password"));
+ assertTrue(encoder.matches("password", result));
+ }
+
+ @Test
+ public void customStrength() {
+ BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(8);
+ String result = encoder.encode("password");
+ assertTrue(encoder.matches("password", result));
+ }
+
+ @Test
+ public void customRandom() {
+ BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(8, new SecureRandom());
+ String result = encoder.encode("password");
+ assertTrue(encoder.matches("password", result));
+ }
+
+ @Test
+ public void unicode() {
+ BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+ String result = encoder.encode("passw\u9292rd");
+ assertFalse(encoder.matches("pass\u9292\u9292rd", result));
+ assertTrue(encoder.matches("passw\u9292rd", result));
+ }
+
+ @Test
+ public void matchesLengthChecked() {
+ BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+ String result = encoder.encode("password");
+ assertFalse(encoder.matches("password", result.substring(0, result.length() - 2)));
+ }
+
+ @Test
+ public void notMatches() {
+ BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+ String result = encoder.encode("password");
+ assertFalse(encoder.matches("bogus", result));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void barfsOnNullEncodedValue() {
+ BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+ assertFalse(encoder.matches("password", null));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void barfsOnEmptyEncodedValue() {
+ BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+ assertFalse(encoder.matches("password", ""));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void barfsOnShortEncodedValue() {
+ BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+ String result = encoder.encode("password");
+ assertFalse(encoder.matches("password", result.substring(0, 4)));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void barfsOnBogusEncodedValue() {
+ BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+ assertFalse(encoder.matches("password", "012345678901234567890123456789"));
+ }
 }
diff --git a/crypto/src/test/java/org/springframework/security/crypto/password/DigesterTests.java b/crypto/src/test/java/org/springframework/security/crypto/password/DigesterTests.java
index bfb40584a92..6be8358e3b1 100644
--- a/crypto/src/test/java/org/springframework/security/crypto/password/DigesterTests.java
+++ b/crypto/src/test/java/org/springframework/security/crypto/password/DigesterTests.java
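Review bot: In the four `barfsOn…` tests the `assertFalse(...)` around `encoder.matches(...)` never asserts anything: if matches throws, as `expected` requires, the assertion is not reached, and if it returns normally the test fails on the missing exception whatever the value was, so the wrapper only hints at a second behaviour that is not checked. Plain statements such as `encoder.matches("password", null);` state the intent more honestly. The new inputs also stop at a 4-character prefix and a value with no `$` prefix; an encoded value cut a few characters after its rounds separator, e.g. `result.substring(0, 10)`, is the case most likely to reach code beyond the checks this commit adds to BCrypt.hashpw and is not covered.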
@@ -1,15 +1,10 @@
 package org.springframework.security.crypto.password;
 import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-
-import java.security.MessageDigest;
-import java.util.Arrays;
 import org.junit.Test;
 import org.springframework.security.crypto.codec.Hex;
 import org.springframework.security.crypto.codec.Utf8;
-import org.springframework.security.crypto.password.Digester;
 public class DigesterTests {