org.opends.server.extensions

Class PKCS5S2PasswordStorageScheme

java.lang.Object

org.opends.server.api.PasswordStorageScheme<Pkcs5s2PasswordStorageSchemeCfg>

org.opends.server.extensions.PKCS5S2PasswordStorageScheme

public class PKCS5S2PasswordStorageScheme
extends PasswordStorageScheme<Pkcs5s2PasswordStorageSchemeCfg>

This class defines a Directory Server password storage scheme based on the Atlassian PBKF2-base hash algorithm. This is a one-way digest algorithm so there is no way to retrieve the original clear-text version of the password from the hashed value (although this means that it is not suitable for things that need the clear-text password like DIGEST-MD5). Unlike the other PBKF2-base scheme, this implementation uses a fixed number of iterations.

Constructor Summary

Constructors

Constructor and Description
PKCS5S2PasswordStorageScheme()

Method Summary

Modifier and Type	Method and Description
boolean	authPasswordMatches(ByteSequence plaintextPassword, String authInfo, String authValue) Indicates whether the provided plaintext password matches the encoded password using the authentication password syntax with the given authInfo and authValue components.
ByteString	encodeAuthPassword(ByteSequence plaintext) Encodes the provided plaintext password for this storage scheme using the authentication password syntax defined in RFC 3112.
static String	encodeOffline(byte[] passwordBytes) Generates an encoded password string from the given clear-text password.
ByteString	encodePassword(ByteSequence plaintext) Encodes the provided plaintext password for this storage scheme, without the name of the associated scheme.
String	getAuthPasswordSchemeName() Retrieves the scheme name that should be used with this password storage scheme when it is used in the context of the authentication password syntax.
String	getStorageSchemeName() Retrieves the name of the password storage scheme provided by this handler.
void	initializePasswordStorageScheme(Pkcs5s2PasswordStorageSchemeCfg configuration) Initializes this password storage scheme handler based on the information in the provided configuration entry.
boolean	isStorageSchemeSecure() Indicates whether this password storage scheme should be considered "secure".
boolean	passwordMatches(ByteSequence plaintextPassword, ByteSequence storedPassword) Indicates whether the provided plaintext password included in a bind request matches the given stored value.
boolean	supportsAuthPasswordSyntax() Indicates whether this password storage scheme supports the ability to interact with values using the authentication password syntax defined in RFC 3112.

Methods inherited from class org.opends.server.api.PasswordStorageScheme

destroySilently, encodePasswordWithScheme, finalizePasswordStorageScheme, getAuthPasswordPlaintextValue, getPlaintextValue, isConfigurationAcceptable, isReversible

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

PKCS5S2PasswordStorageScheme

public PKCS5S2PasswordStorageScheme()

Method Detail

initializePasswordStorageScheme

public void initializePasswordStorageScheme(Pkcs5s2PasswordStorageSchemeCfg configuration)
                                     throws InitializationException

Description copied from class: PasswordStorageScheme

Initializes this password storage scheme handler based on the information in the provided configuration entry. It should also register itself with the Directory Server for the particular storage scheme that it will manage.

Specified by:

initializePasswordStorageScheme in class PasswordStorageScheme<Pkcs5s2PasswordStorageSchemeCfg>

Parameters:

configuration - The configuration entry that contains the information to use to initialize this password storage scheme handler.

Throws:

InitializationException - If a problem occurs during initialization that is not related to the server configuration.

getStorageSchemeName

public String getStorageSchemeName()

Description copied from class: PasswordStorageScheme

Retrieves the name of the password storage scheme provided by this handler.

Specified by:

getStorageSchemeName in class PasswordStorageScheme<Pkcs5s2PasswordStorageSchemeCfg>

Returns:

The name of the password storage scheme provided by this handler.

encodePassword

public ByteString encodePassword(ByteSequence plaintext)
                          throws LdapException

Description copied from class: PasswordStorageScheme

Encodes the provided plaintext password for this storage scheme, without the name of the associated scheme. Note that the provided plaintext password should not be altered in any way.

Specified by:

encodePassword in class PasswordStorageScheme<Pkcs5s2PasswordStorageSchemeCfg>

Parameters:

plaintext - The plaintext version of the password.

Returns:

The password that has been encoded using this storage scheme.

Throws:

LdapException - If a problem occurs while processing.

passwordMatches

public boolean passwordMatches(ByteSequence plaintextPassword,
                               ByteSequence storedPassword)

Description copied from class: PasswordStorageScheme

Indicates whether the provided plaintext password included in a bind request matches the given stored value. The provided stored value should not include the scheme name in curly braces.

Specified by:

passwordMatches in class PasswordStorageScheme<Pkcs5s2PasswordStorageSchemeCfg>

Parameters:

plaintextPassword - The plaintext password provided by the user as part of a simple bind attempt.

storedPassword - The stored password to compare against the provided plaintext password.

Returns:

true if the provided plaintext password matches the provided stored password, or false if not.

supportsAuthPasswordSyntax

public boolean supportsAuthPasswordSyntax()

Description copied from class: PasswordStorageScheme

Indicates whether this password storage scheme supports the ability to interact with values using the authentication password syntax defined in RFC 3112.

Overrides:

supportsAuthPasswordSyntax in class PasswordStorageScheme<Pkcs5s2PasswordStorageSchemeCfg>

Returns:

true if this password storage scheme supports the ability to interact with values using the authentication password syntax, or false if it does not.

getAuthPasswordSchemeName

public String getAuthPasswordSchemeName()

Description copied from class: PasswordStorageScheme

Retrieves the scheme name that should be used with this password storage scheme when it is used in the context of the authentication password syntax. This default implementation will return the same value as the getStorageSchemeName method.

Overrides:

getAuthPasswordSchemeName in class PasswordStorageScheme<Pkcs5s2PasswordStorageSchemeCfg>

Returns:

The scheme name that should be used with this password storage scheme when it is used in the context of the authentication password syntax.

encodeAuthPassword

public ByteString encodeAuthPassword(ByteSequence plaintext)
                              throws LdapException

Description copied from class: PasswordStorageScheme

Encodes the provided plaintext password for this storage scheme using the authentication password syntax defined in RFC 3112. Note that the provided plaintext password should not be altered in any way.

Overrides:

encodeAuthPassword in class PasswordStorageScheme<Pkcs5s2PasswordStorageSchemeCfg>

Parameters:

plaintext - The plaintext version of the password.

Returns:

The password that has been encoded in the authentication password syntax.

Throws:

LdapException - If a problem occurs while processing of if this storage scheme does not support the authentication password syntax.

authPasswordMatches

public boolean authPasswordMatches(ByteSequence plaintextPassword,
                                   String authInfo,
                                   String authValue)

Description copied from class: PasswordStorageScheme

Indicates whether the provided plaintext password matches the encoded password using the authentication password syntax with the given authInfo and authValue components.

Overrides:

authPasswordMatches in class PasswordStorageScheme<Pkcs5s2PasswordStorageSchemeCfg>

Parameters:

plaintextPassword - The plaintext password provided by the user.

authInfo - The authInfo component of the password encoded in the authentication password syntax.

authValue - The authValue component of the password encoded in the authentication password syntax.

Returns:

true if the provided plaintext password matches the encoded password according to the authentication password info syntax, or false if it does not or this storage scheme does not support the authentication password syntax.

isStorageSchemeSecure

public boolean isStorageSchemeSecure()

Description copied from class: PasswordStorageScheme

Indicates whether this password storage scheme should be considered "secure". If the encoding used for this scheme does not obscure the value at all, or if it uses a method that is trivial to reverse (e.g., base64), then it should not be considered secure.

This may be used to determine whether a password may be included in a set of search results, including the possibility of overriding access controls in the case that access controls would allow the password to be returned but the password is considered too insecure to reveal.

Specified by:

isStorageSchemeSecure in class PasswordStorageScheme<Pkcs5s2PasswordStorageSchemeCfg>

Returns:

false if it may be trivial to discover the original plain-text password from the encoded form, or true if the scheme offers sufficient protection that revealing the encoded password will not easily reveal the corresponding plain-text value.

encodeOffline

public static String encodeOffline(byte[] passwordBytes)
                            throws LdapException

Generates an encoded password string from the given clear-text password. This method is primarily intended for use when it is necessary to generate a password with the server offline (e.g., when setting the initial root user password).

Parameters:

passwordBytes - The bytes that make up the clear-text password.

Returns:

The encoded password string, including the scheme name in curly braces.

Throws:

LdapException - If a problem occurs during processing.