MID-7232: Include support for SHA-2 while hashing passwords in the ldap connector


    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.4
    • Component/s: Connectors
    • Labels: none
    • Environment: CentOS 8; midPoint 4.3; openldap-2.4.57
      Worth noting: OpenLDAP out of the box doesn't support SHA-2 unless you load the sha module that is packaged with it.
    • Subscription: No subscription (community)
    • Milestone: RELEASE

      Description

      Currently the LDAP connector only supports password hashing using MD5 or SHA-1, neither of which is secure any longer. Instead, hashing should be done using SHA-2 (SHA-256, SHA-512).

      The code is using the "MessageDigest" class, which supports both of these algorithms (see the link below for reference):

      https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#MessageDigest

      Currently the code uses a try / catch block which only allows MD5 or SHA-1; I believe the only code that would need to be added is simply extending the try / catch to allow SHA-256 and SHA-512.

      current code

          try {
              if (alg.equalsIgnoreCase("SSHA") || alg.equalsIgnoreCase("SHA")) {
                  md = MessageDigest.getInstance("SHA-1");
              } else if (alg.equalsIgnoreCase("SMD5") || alg.equalsIgnoreCase("MD5")) {
                  md = MessageDigest.getInstance("MD5");
              }
              // remainder of the try / catch block as in the connector

      revised code

          try {
              if (alg.equalsIgnoreCase("SSHA") || alg.equalsIgnoreCase("SHA")) {
                  md = MessageDigest.getInstance("SHA-1");
              } else if (alg.equalsIgnoreCase("SMD5") || alg.equalsIgnoreCase("MD5")) {
                  md = MessageDigest.getInstance("MD5");
              } else if (alg.equalsIgnoreCase("SSHA-256") || alg.equalsIgnoreCase("SHA-256")) {
                  md = MessageDigest.getInstance("SHA-256");
              } else if (alg.equalsIgnoreCase("SSHA-384") || alg.equalsIgnoreCase("SHA-384")) {
                  md = MessageDigest.getInstance("SHA-384");
              } else if (alg.equalsIgnoreCase("SSHA-512") || alg.equalsIgnoreCase("SHA-512")) {
                  md = MessageDigest.getInstance("SHA-512");
              }
              // remainder of the try / catch block as in the connector
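Selecting the MessageDigest instance is only half of the job: the connector also has to produce the value that actually lands in userPassword, which for salted schemes is base64(digest(password || salt) || salt) behind a {SCHEME} prefix, and a verifier has to recover the salt from that value before recomputing. The class below is an added, stand-alone illustration written for this issue; it is not the midPoint LDAP connector's code. It assumes the scheme labels used by OpenLDAP's contributed sha2 password module ({SHA256}, {SSHA256}, {SHA384}, {SSHA384}, {SHA512}, {SSHA512}), accepts the hyphenated spellings from the revised code above as input, uses an assumed 8-byte salt, and deliberately rejects MD5 and SHA-1 rather than mapping them. The class name, method names and the sample password are all constructed for the example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Locale;

/** Hashes and verifies LDAP userPassword values for the SHA-2 schemes (illustration only). */
public final class LdapSha2PasswordHasher {

    private static final int SALT_BYTES = 8;               // assumed salt length
    private static final SecureRandom RNG = new SecureRandom();

    /** "ssha-256", "SSHA256", ... -> the label OpenLDAP's sha2 module uses: SSHA256. */
    static String canonicalScheme(String scheme) {
        return scheme.toUpperCase(Locale.ROOT).replace("-", "");
    }

    static boolean isSalted(String scheme) {
        return canonicalScheme(scheme).startsWith("SSHA");
    }

    /** Maps a scheme label to the JCA MessageDigest name; anything outside SHA-2 is refused. */
    static String digestAlgorithmFor(String scheme) {
        String base = canonicalScheme(scheme);
        if (base.startsWith("SSHA")) {
            base = base.substring(1);                      // drop the "salted" marker
        }
        switch (base) {
            case "SHA256": return "SHA-256";
            case "SHA384": return "SHA-384";
            case "SHA512": return "SHA-512";
            default: throw new IllegalArgumentException("unsupported or legacy scheme: " + scheme);
        }
    }

    /** digest(password || salt) for salted schemes, digest(password) otherwise. */
    static byte[] rawDigest(String scheme, byte[] password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(digestAlgorithmFor(scheme));
        md.update(password);
        if (isSalted(scheme)) {
            md.update(salt);
        }
        return md.digest();
    }

    /** Builds the stored attribute value, e.g. "{SSHA256}" + base64(digest || salt). */
    static String encode(String scheme, char[] password, byte[] salt) throws NoSuchAlgorithmException {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] pw = new byte[buf.remaining()];
        buf.get(pw);                                       // avoids an immutable String copy of the plaintext
        byte[] digest = rawDigest(scheme, pw, salt);
        Arrays.fill(pw, (byte) 0);
        byte[] stored = digest;
        if (isSalted(scheme)) {
            stored = Arrays.copyOf(digest, digest.length + salt.length);
            System.arraycopy(salt, 0, stored, digest.length, salt.length);
        }
        return "{" + canonicalScheme(scheme) + "}" + Base64.getEncoder().encodeToString(stored);
    }

    /** Fresh random salt for salted schemes, empty salt otherwise. */
    static String hash(String scheme, char[] password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[isSalted(scheme) ? SALT_BYTES : 0];
        RNG.nextBytes(salt);
        return encode(scheme, password, salt);
    }

    /** Checks a candidate against a stored value; the salt is recovered from the value itself. */
    static boolean verify(String stored, char[] candidate) throws NoSuchAlgorithmException {
        int close = stored.indexOf('}');
        if (!stored.startsWith("{") || close < 0) {
            throw new IllegalArgumentException("value carries no {SCHEME} prefix");
        }
        String scheme = stored.substring(1, close);
        byte[] raw = Base64.getDecoder().decode(stored.substring(close + 1));
        int digestLen = MessageDigest.getInstance(digestAlgorithmFor(scheme)).getDigestLength();
        if (raw.length < digestLen) {
            return false;                                  // truncated or corrupt value
        }
        byte[] salt = Arrays.copyOfRange(raw, digestLen, raw.length);
        String recomputed = encode(scheme, candidate, salt);
        byte[] expected = Base64.getDecoder().decode(recomputed.substring(recomputed.indexOf('}') + 1));
        return MessageDigest.isEqual(raw, expected);       // constant-time comparison
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        char[] pw = "correct horse battery staple".toCharArray();   // constructed sample password
        String salted = hash("SSHA-256", pw);              // hyphenated spelling from the issue is accepted
        String plain = hash("SHA512", pw);
        System.out.println(salted + "\n" + plain);
        System.out.println("salted verify:  " + verify(salted, pw));                      // true
        System.out.println("plain verify:   " + verify(plain, pw));                       // true
        System.out.println("wrong password: " + verify(salted, "wrong".toCharArray()));   // false
    }
}
```

Two points worth keeping when the real change is made: the salt must be appended after the digest (not prepended) or OpenLDAP's own verifier will not recognise the value, and the comparison in verify should go through MessageDigest.isEqual rather than Arrays.equals so that timing does not leak how many leading bytes matched.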

            People

            Assignee: Keith LeValley (klevalley)
            Reporter: Keith LeValley (klevalley)
            Votes: 0
            Watchers: 3
