From 438d18e378d5b4e4ca85d907006a4c2934d21bef Mon Sep 17 00:00:00 2001 From: Malte Schulze Hobeling Date: Mon, 16 Jan 2023 17:23:25 +0100 Subject: [PATCH] salz --- .../AccountMgr.java | 28 +++++++++++++++---- 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/src/main/java/com/bib/essensbestellungsverwaltung/AccountMgr.java b/src/main/java/com/bib/essensbestellungsverwaltung/AccountMgr.java index cf4b1b8..aa1a856 100644 --- a/src/main/java/com/bib/essensbestellungsverwaltung/AccountMgr.java +++ b/src/main/java/com/bib/essensbestellungsverwaltung/AccountMgr.java @@ -6,6 +6,7 @@ package com.bib.essensbestellungsverwaltung; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.PBEKeySpec; import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; import java.security.spec.InvalidKeySpecException; import java.security.spec.KeySpec; import java.util.ArrayList; @@ -52,7 +53,7 @@ public class AccountMgr { String[] userH = {"name", "firstname", "addressid", "password", "email"}; String name = userData[0]; String firstname = userData[1]; - String pw = hashAndSalt(userData[2]); + String pw = hashAndSalt(userData[2], getSalt()); String email = userData[3]; long id = Database.insert("address", addressH, addressData); @@ -102,8 +103,14 @@ public class AccountMgr { * @return id or -1 */ protected static long login(String email, String pw){ + String[] pwH = {"email"}; + String[] pwD = {email}; + List foundEmail = Database.select("user",pwH,pwD); + String[] userParts = foundEmail.get(0).split(":"); + String[] pwParts = userParts[4].split("\\."); + String salt = pwParts[1]; String[] userH = {"email","password"}; - String[] userD = {email,hashAndSalt(pw)}; + String[] userD = {email,hashAndSalt(pw,salt)}; return Database.getSingleId("user",userH,userD); } @@ -136,10 +143,10 @@ public class AccountMgr { * @param pw the password to hash * @return hashed and salted password */ - protected static String hashAndSalt(String pw){ - //todo: find a better way to salt - byte[] magicSalt = new byte[]{96, 13, 100, 85, -37, 52, -123, 86, -123, -92, 16, 15, -110, -42, -49, 0}; - KeySpec spec = new PBEKeySpec(pw.toCharArray(), magicSalt,310001,256); + protected static String hashAndSalt(String pw, String salt){ + Base64.Decoder dec = Base64.getDecoder(); + byte[] bySalt = dec.decode(salt); + KeySpec spec = new PBEKeySpec(pw.toCharArray(), bySalt,310001,256); String hashedPw; try { SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); @@ -149,9 +156,18 @@ public class AccountMgr { } catch (InvalidKeySpecException | NoSuchAlgorithmException e) { throw new RuntimeException(e); } + hashedPw += "." + salt; return hashedPw; } + private static String getSalt(){ + SecureRandom sec = new SecureRandom(); + byte[] salt = new byte[16]; + sec.nextBytes(salt); + Base64.Encoder enc = Base64.getEncoder(); + return enc.encodeToString(salt); + } + /** * gives the invoice for one month and one child * @param date YYYY-MM the month