mirrors
/
poi
mirror of https://github.com/apache/poi.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 100 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5763 Commits
24 Branches
Tree: d71574d531
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd71574d531'
${ noResults }
poi/src/ooxml/java/org/apache/poi/xssf/usermodel/helpers/XSSFPaswordHelper.java

XSSFPaswordHelper.java 5.9KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 
  1. /*

  2.  *  ====================================================================

  3.  * Licensed to the Apache Software Foundation (ASF) under one or more

  4.  * contributor license agreements.  See the NOTICE file distributed with

  5.  * this work for additional information regarding copyright ownership.

  6.  * The ASF licenses this file to You under the Apache License, Version 2.0

  7.  * (the "License"); you may not use this file except in compliance with

  8.  * the License.  You may obtain a copy of the License at

  9.  *

  10.  * http://www.apache.org/licenses/LICENSE-2.0

  11.  *

  12.  * Unless required by applicable law or agreed to in writing, software

  13.  * distributed under the License is distributed on an "AS IS" BASIS,

  14.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  15.  * See the License for the specific language governing permissions and

  16.  * limitations under the License.

  17.  * ====================================================================

  18.  */

  19. 

  20. package org.apache.poi.xssf.usermodel.helpers;

  21. 

  22. import java.security.SecureRandom;

  23. import java.util.Arrays;

  24. 

  25. import javax.xml.bind.DatatypeConverter;

  26. import javax.xml.namespace.QName;

  27. 

  28. import org.apache.poi.poifs.crypt.CryptoFunctions;

  29. import org.apache.poi.poifs.crypt.HashAlgorithm;

  30. import org.apache.xmlbeans.XmlCursor;

  31. import org.apache.xmlbeans.XmlObject;

  32. 

  33. public class XSSFPaswordHelper {

  34.     /**

  35.      * Sets the XORed or hashed password 

  36.      *

  37.      * @param xobj the xmlbeans object which contains the password attributes

  38.      * @param password the password, if null, the password attributes will be removed

  39.      * @param hashAlgo the hash algorithm, if null the password will be XORed

  40.      * @param prefix the prefix of the password attributes, may be null

  41.      */

  42.     public static void setPassword(XmlObject xobj, String password, HashAlgorithm hashAlgo, String prefix) {

  43.         XmlCursor cur = xobj.newCursor();

  44. 

  45.         if (password == null) {

  46.             cur.removeAttribute(getAttrName(prefix, "password"));

  47.             cur.removeAttribute(getAttrName(prefix, "algorithmName"));

  48.             cur.removeAttribute(getAttrName(prefix, "hashValue"));

  49.             cur.removeAttribute(getAttrName(prefix, "saltValue"));

  50.             cur.removeAttribute(getAttrName(prefix, "spinCount"));

  51.             return;

  52.         } 

  53.         

  54.         cur.toFirstContentToken();

  55.         if (hashAlgo == null) {

  56.             int hash = CryptoFunctions.createXorVerifier1(password);

  57.             cur.insertAttributeWithValue(getAttrName(prefix, "password"), Integer.toHexString(hash).toUpperCase());

  58.         } else {

  59.             SecureRandom random = new SecureRandom(); 

  60.             byte salt[] = random.generateSeed(16);

  61.     

  62.             // Iterations specifies the number of times the hashing function shall be iteratively run (using each

  63.             // iteration's result as the input for the next iteration).

  64.             int spinCount = 100000;

  65. 

  66.             // Implementation Notes List:

  67.             // --> In this third stage, the reversed byte order legacy hash from the second stage shall

  68.             //     be converted to Unicode hex string representation

  69.             byte hash[] = CryptoFunctions.hashPassword(password, hashAlgo, salt, spinCount, false);

  70.             

  71.             cur.insertAttributeWithValue(getAttrName(prefix, "algorithmName"), hashAlgo.jceId); 

  72.             cur.insertAttributeWithValue(getAttrName(prefix, "hashValue"), DatatypeConverter.printBase64Binary(hash));

  73.             cur.insertAttributeWithValue(getAttrName(prefix, "saltValue"), DatatypeConverter.printBase64Binary(salt));

  74.             cur.insertAttributeWithValue(getAttrName(prefix, "spinCount"), ""+spinCount);

  75.         }

  76.         cur.dispose();

  77.     }

  78. 

  79.     /**

  80.      * Validates the password, i.e.

  81.      * calculates the hash of the given password and compares it against the stored hash

  82.      *

  83.      * @param xobj the xmlbeans object which contains the password attributes

  84.      * @param password the password, if null the method will always return false,

  85.      *  even if there's no password set

  86.      * @param prefix the prefix of the password attributes, may be null

  87.      * 

  88.      * @return true, if the hashes match

  89.      */

  90.     public static boolean validatePassword(XmlObject xobj, String password, String prefix) {

  91.         // TODO: is "velvetSweatshop" the default password?

  92.         if (password == null) return false;

  93.         

  94.         XmlCursor cur = xobj.newCursor();

  95.         String xorHashVal = cur.getAttributeText(getAttrName(prefix, "password"));

  96.         String algoName = cur.getAttributeText(getAttrName(prefix, "algorithmName"));

  97.         String hashVal = cur.getAttributeText(getAttrName(prefix, "hashValue"));

  98.         String saltVal = cur.getAttributeText(getAttrName(prefix, "saltValue"));

  99.         String spinCount = cur.getAttributeText(getAttrName(prefix, "spinCount"));

  100.         cur.dispose();

  101. 

  102.         if (xorHashVal != null) {

  103.             int hash1 = Integer.parseInt(xorHashVal, 16);

  104.             int hash2 = CryptoFunctions.createXorVerifier1(password);

  105.             return hash1 == hash2;

  106.         } else {

  107.             if (hashVal == null || algoName == null || saltVal == null || spinCount == null) {

  108.                 return false;

  109.             }

  110.             

  111.             byte hash1[] = DatatypeConverter.parseBase64Binary(hashVal);

  112.             HashAlgorithm hashAlgo = HashAlgorithm.fromString(algoName);

  113.             byte salt[] = DatatypeConverter.parseBase64Binary(saltVal);

  114.             int spinCnt = Integer.parseInt(spinCount);

  115.             byte hash2[] = CryptoFunctions.hashPassword(password, hashAlgo, salt, spinCnt, false);

  116.             return Arrays.equals(hash1, hash2);

  117.         }

  118.     }

  119.     

  120.     

  121.     private static QName getAttrName(String prefix, String name) {

  122.         if (prefix == null || "".equals(prefix)) {

  123.             return new QName(name);

  124.         } else {

  125.             return new QName(prefix+Character.toUpperCase(name.charAt(0))+name.substring(1));

  126.         }

  127.     }

  128. }