PBKDF2PasswordStorageScheme.java revision 6045
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * You can obtain a copy of the license at
 * See the License for the specific language governing permissions
 * and limitations under the License.
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at
 * add the following below this CDDL HEADER, with the fields enclosed
 * by brackets "[]" replaced with your own identifying information:
 * Portions Copyright [yyyy] [name of copyright owner]
 * Copyright 2013 ForgeRock AS.

 * This class defines a Directory Server password storage scheme based on the
 * PBKDF2 algorithm defined in RFC 2898. This is a one-way digest algorithm
 * so there is no way to retrieve the original clear-text version of the
 * password from the hashed value (although this means that it is not suitable
 * for things that need the clear-text password like DIGEST-MD5). This
 * implementation uses a configurable number of iterations.

 * The tracer object for the debug logger.

 * The fully-qualified name of this class.
   "org.opends.server.extensions.PBKDF2PasswordStorageScheme";

 * The number of bytes of random data to use as the salt when generating the

 // The number of bytes the SHA-1 algorithm produces
 // The factory used to generate the PBKDF2 hashes.
 // The lock used to provide thread-safe access to the message digest.
 // The secure random number generator to use to generate the salt values.
 // The current configuration for this storage scheme.

 * Creates a new instance of this password storage scheme. Note that no
 * initialization should be performed here, as all initialization should be
 * done in the <CODE>initializePasswordStorageScheme</CODE> method.

 // The configuration will always be acceptable.
 // Append the salt to the hashed value and base64-encode the whole thing.
 // Split the iterations from the stored value (separated by a ":")
 // Base64-decode the remaining value and take the last 8 bytes as the salt.
 // Use the salt to generate a digest based on the provided plain-text value.
 // This storage scheme does support the authentication password syntax.
 // Encode and return the value.
 // PBKDF2 should be considered secure.

 * Generates an encoded password string from the given clear-text password.
 * This method is primarily intended for use when it is necessary to generate
 * a password with the server offline (e.g., when setting the initial root
 * @param passwordBytes The bytes that make up the clear-text password.
 * @return The encoded password string, including the scheme name in curly
 * @throws DirectoryException If a problem occurs during processing.

 // Append the salt to the hashed value and base64-encode the whole thing.
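As an added example, not code from the Java source above, the following Python reproduces the stored-value layout those comments describe (iteration count, a ":" separator, then base64 of the digest with the 8-byte salt appended, the salt being recovered as the last 8 bytes at verification time) and checks a clear-text password against it in constant time. The HMAC-SHA1 PRF, the `{PBKDF2}` tag and the 10000 default iteration count are assumptions not stated on this page.

```python
import base64
import hashlib
import hmac
import os

SCHEME_NAME = "PBKDF2"      # assumed tag, taken from the class name
SALT_LENGTH = 8             # from the page: the last 8 bytes are the salt
SHA1_LENGTH = 20            # number of bytes the SHA-1 algorithm produces
DEFAULT_ITERATIONS = 10000  # constructed default; the real count is configurable


def encode_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return '{PBKDF2}<iterations>:<base64(digest || salt)>'.

    The PRF is assumed to be HMAC-SHA1; the page only names SHA-1's output size.
    """
    if salt is None:
        salt = os.urandom(SALT_LENGTH)  # stands in for the SecureRandom field
    if len(salt) != SALT_LENGTH:
        raise ValueError("salt must be %d bytes" % SALT_LENGTH)
    digest = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, SHA1_LENGTH)
    # Append the salt to the hashed value and base64-encode the whole thing.
    encoded = base64.b64encode(digest + salt).decode("ascii")
    return "{%s}%d:%s" % (SCHEME_NAME, iterations, encoded)


def password_matches(password, stored):
    """Verify a clear-text password against a stored value; malformed input is a mismatch."""
    prefix = "{%s}" % SCHEME_NAME
    if not stored.startswith(prefix):
        return False
    # Split the iterations from the stored value (separated by a ":").
    iter_str, _, b64 = stored[len(prefix):].partition(":")
    try:
        iterations = int(iter_str)
        decoded = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return False
    # Reject a zero/negative count and any blob that is not digest + salt long.
    if iterations < 1 or len(decoded) != SHA1_LENGTH + SALT_LENGTH:
        return False
    # Take the last 8 bytes as the salt; everything before it is the digest.
    digest, salt = decoded[:-SALT_LENGTH], decoded[-SALT_LENGTH:]
    # Use the salt to generate a digest based on the provided plain-text value.
    candidate = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, SHA1_LENGTH)
    return hmac.compare_digest(candidate, digest)
```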