[ 
https://issues.apache.org/jira/browse/SYNCOPE-513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Francesco Chicchiriccò updated SYNCOPE-513:
-------------------------------------------

    Description: 
In the {{PasswordEncoder}} (1.1.X) / {{Encryptor}} (1.2.X) class the salt mechanism 
configuration is hardcoded.
If the LDAP server doesn't use the same salt mechanism configuration, the 
password can't be matched during authentication.

For example {{SSHA}} is defined by RFC 2307 as:
{code}
digester.setIterations(1);                                      // a single SHA-1 round
digester.setSaltSizeBytes(8);                                   // 8 random salt bytes
digester.setInvertPositionOfPlainSaltInEncryptionResults(true); // plain salt follows the digest in the stored value
digester.setInvertPositionOfSaltInMessageBeforeDigesting(true); // digest password||salt rather than salt||password
digester.setUseLenientSaltSizeCheck(true);                      // accept stored values whose salt is not exactly 8 bytes
{code}

See [Jasypt's 
javadocs|http://jasypt.org/api/jasypt/1.9.2/org/jasypt/util/password/rfc2307/RFC2307SSHAPasswordEncryptor.html]
 for more details.

{{Encryptor}} can read from global configuration parameters, so that you can 
configure some aspects of how ciphered values (not only password values, in 
1.2.X) are produced.

  was:
In the {{PasswordEncoder}} (1.1.X) / {{Encryptor}} (1.2.X) class the salt mechanism 
configuration is hardcoded.
If the LDAP server doesn't use the same salt mechanism configuration, the 
password can't be matched during authentication.

For example the SSHA digest from OpenDJ uses a suffixed 8-byte salt (in hash and 
plain).

Original:
{code}
digester.setIterations(100000);   // 100000 digest rounds
digester.setSaltSizeBytes(16);    // 16-byte salt, prefixed (Jasypt default position)
{code}

Modified for OpenDJ:
{code}
digester.setIterations(1);                                      // a single SHA-1 round
digester.setSaltSizeBytes(8);                                   // 8 random salt bytes
digester.setInvertPositionOfPlainSaltInEncryptionResults(true); // plain salt follows the digest in the stored value
digester.setInvertPositionOfSaltInMessageBeforeDigesting(true); // digest password||salt rather than salt||password
{code}

{{Encryptor}} can read from global configuration parameters, so that you can 
configure some aspects of how ciphered values (not only password values, in 
1.2.X) are produced.


> Make value encryption parametric
> --------------------------------
>
>                 Key: SYNCOPE-513
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-513
>             Project: Syncope
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.1.8
>            Reporter: Yann Diorcet
>            Assignee: Francesco Chicchiriccò
>             Fix For: 1.2.0
>
>
> In the {{PasswordEncoder}} (1.1.X) / {{Encryptor}} (1.2.X) class the salt 
> mechanism configuration is hardcoded.
> If the LDAP server doesn't use the same salt mechanism configuration, the 
> password can't be matched during authentication.
> For example {{SSHA}} is defined by RFC 2307 as:
> {code}
> digester.setIterations(1);
> digester.setSaltSizeBytes(8);
> digester.setInvertPositionOfPlainSaltInEncryptionResults(true);
> digester.setInvertPositionOfSaltInMessageBeforeDigesting(true);
> digester.setUseLenientSaltSizeCheck(true);
> {code}
> See [Jasypt's 
> javadocs|http://jasypt.org/api/jasypt/1.9.2/org/jasypt/util/password/rfc2307/RFC2307SSHAPasswordEncryptor.html]
>  for more details.
> {{Encryptor}} can read from global configuration parameters, so that you can 
> configure some aspects of how ciphered values (not only password 
> values, in 1.2.X) are produced.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
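Added example (not code from the Syncope project, from Jasypt, or from anyone in this issue): a Python model of the RFC 2307 {SSHA} layout described above, with the five Jasypt digester knobs turned into parameters, so the mismatch between OpenDJ's suffixed 8-byte salt and the hardcoded 16-byte prefixed salt can be reproduced offline. The SaltPolicy class and its field names, the treatment of extra iterations as re-hashing the previous digest, and the sample password and salt bytes are assumptions of this example, not facts taken from the issue.

```python
"""Parametric {SSHA} model: RFC 2307 layout vs. the hardcoded Syncope layout."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

SHA1_LEN = 20  # bytes in a SHA-1 digest


@dataclass(frozen=True)
class SaltPolicy:
    """One knob per Jasypt digester setter named in the issue (class/field names are mine)."""
    iterations: int           # setIterations
    salt_size: int            # setSaltSizeBytes
    salt_after_message: bool  # setInvertPositionOfSaltInMessageBeforeDigesting
    salt_after_digest: bool   # setInvertPositionOfPlainSaltInEncryptionResults
    lenient_salt_size: bool   # setUseLenientSaltSizeCheck


# RFC 2307 / OpenDJ: sha1(password || salt) followed by the 8 plain salt bytes.
RFC2307_SSHA = SaltPolicy(iterations=1, salt_size=8, salt_after_message=True,
                          salt_after_digest=True, lenient_salt_size=True)

# The two values the issue quotes as hardcoded; the other three knobs take
# Jasypt's defaults (salt before the message, salt before the digest, strict size check).
HARDCODED = SaltPolicy(iterations=100000, salt_size=16, salt_after_message=False,
                       salt_after_digest=False, lenient_salt_size=False)


def _digest(password: bytes, salt: bytes, policy: SaltPolicy) -> bytes:
    msg = password + salt if policy.salt_after_message else salt + password
    out = hashlib.sha1(msg).digest()
    # Assumption about multi-round semantics: each extra round re-hashes the
    # previous digest alone (the salt enters only in round one).
    for _ in range(policy.iterations - 1):
        out = hashlib.sha1(out).digest()
    return out


def encode(password: bytes, policy: SaltPolicy, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} value laid out according to `policy`."""
    salt = os.urandom(policy.salt_size) if salt is None else salt
    d = _digest(password, salt, policy)
    raw = d + salt if policy.salt_after_digest else salt + d
    return "{SSHA}" + base64.b64encode(raw).decode("ascii")


def verify(password: bytes, stored: str, policy: SaltPolicy) -> bool:
    """Check `password` against `stored`, splitting digest and salt as `policy` dictates."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        return False  # no room for a salt at all
    if not policy.lenient_salt_size and len(raw) != SHA1_LEN + policy.salt_size:
        return False  # strict mode: the salt must be exactly the configured size
    if policy.salt_after_digest:
        d, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    else:
        salt, d = raw[:-SHA1_LEN], raw[-SHA1_LEN:]
    return hmac.compare_digest(d, _digest(password, salt, policy))


def demo() -> dict:
    """A stored value as OpenDJ would write it, checked under both policies."""
    password = b"correct horse"   # constructed sample
    salt = bytes(range(8))        # constructed, stands in for 8 random bytes
    stored = encode(password, RFC2307_SSHA, salt)
    return {
        "stored": stored,
        "rfc2307_matches": verify(password, stored, RFC2307_SSHA),  # True
        "hardcoded_matches": verify(password, stored, HARDCODED),   # False: 28 bytes, 36 expected
        "wrong_password": verify(b"wrong", stored, RFC2307_SSHA),   # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The strict size check is what fails first for an OpenDJ value under the hardcoded policy (20 + 8 bytes where 20 + 16 are expected); relaxing only that check is not enough, because the salt would still be read from the wrong end of the value and prepended rather than appended before digesting, so every knob the issue lists has to be configurable for the match to succeed.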