From 348999132b577fa148afa05078c7742b81141180 Mon Sep 17 00:00:00 2001 From: jomu Date: Sat, 18 Jan 2014 17:13:06 +0000 Subject: [PATCH] added scyrpt support to PasswordUtil --- pom.xml | 32 ++++++++++++ security/pom.xml | 16 +++--- .../shared/security/PasswordUtil.java | 32 ++++++++++++ .../shared/security/PasswordUtilTest.java | 52 +++++++++++-------- 4 files changed, 104 insertions(+), 28 deletions(-) diff --git a/pom.xml b/pom.xml index a23d5c4..b310cf9 100644 --- a/pom.xml +++ b/pom.xml @@ -13,4 +13,36 @@ util jeeutil + + + + + + junit + junit + 4.10 + test + + + + commons-codec + commons-codec + 1.4 + jar + + + + com.lambdaworks + scrypt + 1.4.0 + + + + log4j + log4j + 1.2.17 + jar + + + \ No newline at end of file diff --git a/security/pom.xml b/security/pom.xml index 49db3f0..2064619 100644 --- a/security/pom.xml +++ b/security/pom.xml @@ -26,21 +26,23 @@ junit - junit - 4.10 - test + junit + commons-codec - commons-codec - 1.4 + commons-codec jar log4j - log4j - 1.2.17 + log4j jar + + + com.lambdaworks + scrypt + diff --git a/security/src/main/java/de/muehlencord/shared/security/PasswordUtil.java b/security/src/main/java/de/muehlencord/shared/security/PasswordUtil.java index 7f1ce6f..27c48aa 100644 --- a/security/src/main/java/de/muehlencord/shared/security/PasswordUtil.java +++ b/security/src/main/java/de/muehlencord/shared/security/PasswordUtil.java @@ -4,6 +4,7 @@ */ package de.muehlencord.shared.security; +import com.lambdaworks.crypto.SCryptUtil; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; 
@@ -19,6 +20,15 @@ public abstract class PasswordUtil { /** logging object */ private final static Logger logger = Logger.getLogger(PasswordUtil.class); + + + /** SCrypt CPU cost parameter */ + private final static int scryptCpuCostParameter = 16384; + /** SCrypt memory cost parameter */ + private final static int scryptMemCostParameter = 8; + /** SCrypt paralelization parameter */ + private final static int scryptParallelizationParameter = 1; + /** * returns password (pos 0) and the salt (pos 1) of given plaintext password. Both strings are base64 encoded @@ -210,4 +220,26 @@ public abstract class PasswordUtil { Base64 decoder = new Base64(); return decoder.decode(data.getBytes()); } + + + /** + * returns the crypted parameter string for the given plain text password + * + * @param plainPassword the plain text password to crypt + * @return the crypted password string + */ + public static String getScryptHash(String plainPassword) { + return SCryptUtil.scrypt(plainPassword, scryptCpuCostParameter, scryptMemCostParameter, scryptParallelizationParameter); + } + + /** + * returns true, if the given plainPassword re-encrypted matches the given crypted password + * + * @param plainPassword the plain password to validate + * @param hashedPassword the encrypted password to validate against + * @return true, if the encrypted string of the given plain password matches the provided crypted password + */ + public static boolean validateScryptHash(String plainPassword, String hashedPassword) { + return SCryptUtil.check(plainPassword, hashedPassword); + } } diff --git a/security/src/test/java/de/muehlencord/shared/security/PasswordUtilTest.java b/security/src/test/java/de/muehlencord/shared/security/PasswordUtilTest.java index da64734..a620811 100644 --- a/security/src/test/java/de/muehlencord/shared/security/PasswordUtilTest.java +++ b/security/src/test/java/de/muehlencord/shared/security/PasswordUtilTest.java 
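Review bot: The three scrypt cost fields added in the `@@ -19,6 +20,15 @@` hunk are compile-time constants but are named like instance fields; Java convention for `static final` constants is `private static final int SCRYPT_CPU_COST = 16384;` (likewise for the memory-cost and parallelization fields), and the modifier order `final static` should be `static final`. The Javadoc on the third field has a typo, `paralelization` → `parallelization`. It would also help a reader to record what the numbers mean, e.g. `// N=16384, r=8, p=1: interactive-login cost; revisit as hardware improves`, and to note that, as far as I recall, `SCryptUtil.check` reads N, r and p back from the stored hash string (confirm against the library version in the pom), so raising them later should not invalidate existing hashes. The class body of PasswordUtil continues outside the hunk.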
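Review bot: `validateScryptHash` in the `@@ -210,4 +220,26 @@` hunk hands `hashedPassword` straight to `SCryptUtil.check` with no guard, so a null or malformed stored value (for instance one produced by the older digest-and-salt path in this class) does not yield `false` but propagates an exception from the library — as far as I recall an `IllegalArgumentException` for a value not in the `$s0$…` format; confirm against the library version pinned in the pom. Either document that with `@throws IllegalArgumentException if hashedPassword is not an scrypt hash string` or guard both arguments, `if (plainPassword == null || hashedPassword == null) { return false; }`. The Javadoc on both methods speaks of "crypted", "encrypted" and "re-encrypted" passwords; scrypt derives a salted one-way hash, so `returns the scrypt hash (salt and cost parameters included) of the given plain-text password` describes `getScryptHash` more accurately. The class body of PasswordUtil extends beyond the hunk.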
@@ -17,27 +17,7 @@ import static org.junit.Assert.*; * @author jomu */ public class PasswordUtilTest { - - public PasswordUtilTest() { - } - - @BeforeClass - public static void setUpClass() throws Exception { - } - - @AfterClass - public static void tearDownClass() throws Exception { - } - - @Before - public void setUp() { - } - - @After - public void tearDown() { - } - - + /** * Test of createSaltString method, of class PasswordUtil. */ @@ -147,5 +127,35 @@ public class PasswordUtilTest { assertNotNull(randomString); assertEquals("string length check", 32, randomString.length()); } + + /** + * test the hashPassword method + */ + @Test + public void testGetScryptHash() { + String hash1 = PasswordUtil.getScryptHash("secret"); + String hash2 = PasswordUtil.getScryptHash("secret"); + System.out.println (hash1); + System.out.println (hash2); + assertNotNull (hash1); + assertNotNull (hash2); + // even if password is the same, the has must not be the same due to correct usage of salts + assertFalse (hash1.equals (hash2)); + + assertTrue (hash1.length() == 79); + assertTrue (hash2.length() == 79); + } + + /** + * test for validating passwords + */ + @Test + public void testValidateScryptHash() { + String hash1 = PasswordUtil.getScryptHash("secret"); + String hash2 = PasswordUtil.getScryptHash("secret"); + assertTrue ("hash must match if correct password is given",PasswordUtil.validateScryptHash("secret", hash1)); + assertTrue ("hash must match if correct password is given", PasswordUtil.validateScryptHash("secret", hash2)); + assertFalse ("hash must not match if wrong password is given", PasswordUtil.validateScryptHash("secret2", hash1)); + } } \ No newline at end of file
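Review bot: In `testGetScryptHash` the length checks `assertTrue (hash1.length() == 79)` report nothing but an AssertionError on failure; `assertEquals("hash length", 79, hash1.length())` names the actual value, and the two `System.out.println` calls are leftover debugging that should be removed rather than print hashes into the build log. The value 79 appears to be tied to the library's encoding of the current N/r/p constants, so this assertion will change whenever the cost parameters are raised; a comment saying so would save the next maintainer a puzzle. The comment above the inequality check has a typo, `the has must not be the same` → `the hash must not be the same`. The root pom pins JUnit 4.10, so `assertNotEquals` is not available here and `assertFalse (hash1.equals (hash2))` is the right form, though a message argument would help as it has in `testValidateScryptHash`.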