public final class StandardByteDigester extends Object implements ByteDigester
Standard implementation of the ByteDigester
interface.
This class lets the user specify the algorithm (and provider) to be used for
creating digests, the size of the salt to be applied,
the number of times the hash function will be applied (iterations) and
the salt generator to be used.
This class is thread-safe.
Configuration
The algorithm, provider, salt size iterations and salt generator can take values in any of these ways:
DigesterConfig
object which provides new
configuration values.DigesterConfig
object has been set with
setConfig, the non-null values returned by its
getX methods override the default values.
Initialization
Before it is ready to create digests, an object of this class has to be initialized. Initialization happens:
Usage
A digester may be used in two different ways:
SaltGenerator
). If salt size is zero, no salt will be
used.SaltGenerator.includePlainSaltInEncryptionResults()
),
the undigested salt and the final result of the hash
function are concatenated and returned as a result.To learn more about the mechanisms involved in digest creation, read PKCS #5: Password-Based Cryptography Standard.
Modifier and Type | Field and Description |
---|---|
static String |
DEFAULT_ALGORITHM
Default digest algorithm will be MD5
|
static int |
DEFAULT_ITERATIONS
The minimum recommended iterations for hashing are 1000
|
static int |
DEFAULT_SALT_SIZE_BYTES
The minimum recommended size for salt is 8 bytes
|
Constructor and Description |
---|
StandardByteDigester()
Creates a new instance of StandardByteDigester.
|
Modifier and Type | Method and Description |
---|---|
byte[] |
digest(byte[] message)
Performs a digest operation on a byte array message.
|
void |
initialize()
Initialize the digester.
|
boolean |
isInitialized()
Returns true if the digester has already been initialized, false if
not.
Initialization happens: |
boolean |
matches(byte[] message,
byte[] digest)
Checks a message against a given digest.
|
void |
setAlgorithm(String algorithm)
Sets the algorithm to be used for digesting, like MD5
or SHA-1.
|
void |
setConfig(DigesterConfig config)
Sets a
DigesterConfig object
for the digester. |
void |
setInvertPositionOfPlainSaltInEncryptionResults(boolean invertPositionOfPlainSaltInEncryptionResults)
Whether the plain (not hashed) salt bytes are to
be appended after the digest operation result bytes.
|
void |
setInvertPositionOfSaltInMessageBeforeDigesting(boolean invertPositionOfSaltInMessageBeforeDigesting)
Whether the salt bytes are to be appended after the
message ones before performing the digest operation on the whole.
|
void |
setIterations(int iterations)
Set the number of times the hash function will be applied recursively.
|
void |
setProvider(Provider provider)
Sets the security provider to be asked for the digest algorithm.
|
void |
setProviderName(String providerName)
Sets the name of the security provider to be asked for the
digest algorithm.
|
void |
setSaltGenerator(SaltGenerator saltGenerator)
Sets the salt generator to be used.
|
void |
setSaltSizeBytes(int saltSizeBytes)
Sets the size of the salt to be used to compute the digest.
|
void |
setUseLenientSaltSizeCheck(boolean useLenientSaltSizeCheck)
Whether digest matching operations will allow matching
digests with a salt size different to the one configured in the "saltSizeBytes"
property.
|
public static final String DEFAULT_ALGORITHM
public static final int DEFAULT_SALT_SIZE_BYTES
public static final int DEFAULT_ITERATIONS
public StandardByteDigester()
public void setConfig(DigesterConfig config)
Sets a DigesterConfig
object
for the digester. If this config
object is set, it will be asked values for:
The non-null values it returns will override the default ones, and will be overriden by any values specified with a setX method.
config
- the DigesterConfig object to be used as the
source for configuration parameters.public void setAlgorithm(String algorithm)
Sets the algorithm to be used for digesting, like MD5 or SHA-1.
This algorithm has to be supported by your security infrastructure, and it should be allowed as an algorithm for creating java.security.MessageDigest instances.
If you are specifying a security provider with setProvider(Provider)
or
setProviderName(String)
, this algorithm should be
supported by your specified provider.
If you are not specifying a provider, you will be able to use those algorithms provided by the default security provider of your JVM vendor. For valid names in the Sun JVM, see Java Cryptography Architecture API Specification & Reference.
algorithm
- the name of the algorithm to be used.public void setSaltSizeBytes(int saltSizeBytes)
Sets the size of the salt to be used to compute the digest. This mechanism is explained in PKCS #5: Password-Based Cryptography Standard.
If salt size is set to zero, then no salt will be used.
saltSizeBytes
- the size of the salt to be used, in bytes.public void setIterations(int iterations)
Set the number of times the hash function will be applied recursively.
The hash function will be applied to its own results as many times as
specified: h(h(...h(x)...))
This mechanism is explained in PKCS #5: Password-Based Cryptography Standard.
iterations
- the number of iterations.public void setSaltGenerator(SaltGenerator saltGenerator)
Sets the salt generator to be used. If no salt generator is specified,
an instance of RandomSaltGenerator
will be used.
saltGenerator
- the salt generator to be used.public void setProviderName(String providerName)
Sets the name of the security provider to be asked for the digest algorithm. This security provider has to be registered beforehand at the JVM security framework.
The provider can also be set with the setProvider(Provider)
method, in which case it will not be necessary neither registering
the provider beforehand,
nor calling this setProviderName(String)
method to specify
a provider name.
Note that a call to setProvider(Provider)
overrides any value
set by this method.
If no provider name / provider is explicitly set, the default JVM provider will be used.
providerName
- the name of the security provider to be asked
for the digest algorithm.public void setProvider(Provider provider)
Sets the security provider to be asked for the digest algorithm. The provider does not have to be registered at the security infrastructure beforehand, and its being used here will not result in its being registered.
If this method is called, calling setProviderName(String)
becomes unnecessary.
If no provider name / provider is explicitly set, the default JVM provider will be used.
provider
- the provider to be asked for the chosen algorithmpublic void setInvertPositionOfSaltInMessageBeforeDigesting(boolean invertPositionOfSaltInMessageBeforeDigesting)
Whether the salt bytes are to be appended after the message ones before performing the digest operation on the whole. The default behaviour is to insert those bytes before the message bytes, but setting this configuration item to true allows compatibility with some external systems and specifications (e.g. LDAP {SSHA}).
If this parameter is not explicitly set, the default behaviour (insertion of salt before message) will be applied.
invertPositionOfSaltInMessageBeforeDigesting
- whether salt will be appended after the message before applying
the digest operation on the whole, instead of inserted before it
(which is the default).public void setInvertPositionOfPlainSaltInEncryptionResults(boolean invertPositionOfPlainSaltInEncryptionResults)
Whether the plain (not hashed) salt bytes are to be appended after the digest operation result bytes. The default behaviour is to insert them before the digest result, but setting this configuration item to true allows compatibility with some external systems and specifications (e.g. LDAP {SSHA}).
If this parameter is not explicitly set, the default behaviour (insertion of plain salt before digest result) will be applied.
invertPositionOfPlainSaltInEncryptionResults
- whether plain salt will be appended after the digest operation
result instead of inserted before it (which is the
default).public void setUseLenientSaltSizeCheck(boolean useLenientSaltSizeCheck)
Whether digest matching operations will allow matching digests with a salt size different to the one configured in the "saltSizeBytes" property. This is possible because digest algorithms will produce a fixed-size result, so the remaining bytes from the hashed input will be considered salt.
This will allow the digester to match digests produced in environments which do not establish a fixed salt size as standard (for example, SSHA password encryption in LDAP systems).
The value of this property will not affect the creation of digests, which will always have a salt of the size established by the "saltSizeBytes" property. It will only affect digest matching.
Setting this property to true is not compatible with SaltGenerator
implementations which return false for their
SaltGenerator.includePlainSaltInEncryptionResults()
property.
Also, be aware that some algorithms or algorithm providers might not support knowing the size of the digests beforehand, which is also incompatible with a lenient behaviour.
If this parameter is not explicitly set, the default behaviour (NOT lenient) will be applied.
useLenientSaltSizeCheck
- whether the digester will allow matching of
digests with different salt sizes than established or not (default
is false).public boolean isInitialized()
Returns true if the digester has already been initialized, false if
not.
Initialization happens:
Once a digester has been initialized, trying to change its configuration (algorithm, provider, salt size, iterations or salt generator) will result in an AlreadyInitializedException being thrown.
public void initialize()
Initialize the digester.
This operation will consist in determining the actual configuration
values to be used, and then initializing the digester with them.
These values are decided by applying the following priorities:
DigesterConfig
object has been set with
setConfig, the non-null values returned by its
getX methods override the default values.Once a digester has been initialized, trying to change its configuration will result in an AlreadyInitializedException being thrown.
EncryptionInitializationException
- if initialization could not
be correctly done (for example, if the digest algorithm chosen
cannot be used).public byte[] digest(byte[] message)
Performs a digest operation on a byte array message.
The steps taken for creating the digest are:
SaltGenerator
).SaltGenerator.includePlainSaltInEncryptionResults()
),
the undigested salt and the final result of the hash
function are concatenated and returned as a result.If a random salt generator is used, two digests created for the same message will always be different (except in the case of random salt coincidence). Because of this, in this case the result of the digest method will contain both the undigested salt and the digest of the (salt + message), so that another digest operation can be performed with the same salt on a different message to check if both messages match (all of which will be managed automatically by the matches method).
digest
in interface ByteDigester
message
- the byte array to be digestedEncryptionOperationNotPossibleException
- if the digest operation
fails, ommitting any further information about the cause for
security reasons.EncryptionInitializationException
- if initialization could not
be correctly done (for example, if the digest algorithm chosen
cannot be used).public boolean matches(byte[] message, byte[] digest)
Checks a message against a given digest.
This method tells whether a message corresponds to a specific digest or not by getting the salt with which the digest was created and applying it to a digest operation performed on the message. If new and existing digest match, the message is said to match the digest.
This method will be used, for instance, for password checking in authentication processes.
A null message will only match a null digest.
matches
in interface ByteDigester
message
- the message to be compared to the digest.digest
- the digest.EncryptionOperationNotPossibleException
- if the digest matching
operation fails, ommitting any further information about the
cause for security reasons.EncryptionInitializationException
- if initialization could not
be correctly done (for example, if the digest algorithm chosen
cannot be used).Copyright © 2017 JBoss by Red Hat. All rights reserved.