whitespace; +svn:eol-style=native

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1754784 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Javen O'Neal 2016-08-01 18:01:24 +00:00
parent 3c77adf9e8
commit 66d7d4ddaa

View File

@ -1,130 +1,130 @@
/* /*
* ==================================================================== * ====================================================================
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with * contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership. * this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0 * The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with * (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at * the License. You may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
* Unless required by applicable law or agreed to in writing, software * Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, * distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
* ==================================================================== * ====================================================================
*/ */
package org.apache.poi.xssf.usermodel.helpers; package org.apache.poi.xssf.usermodel.helpers;
import java.security.SecureRandom; import java.security.SecureRandom;
import java.util.Arrays; import java.util.Arrays;
import java.util.Locale; import java.util.Locale;
import javax.xml.bind.DatatypeConverter; import javax.xml.bind.DatatypeConverter;
import javax.xml.namespace.QName; import javax.xml.namespace.QName;
import org.apache.poi.poifs.crypt.CryptoFunctions; import org.apache.poi.poifs.crypt.CryptoFunctions;
import org.apache.poi.poifs.crypt.HashAlgorithm; import org.apache.poi.poifs.crypt.HashAlgorithm;
import org.apache.xmlbeans.XmlCursor; import org.apache.xmlbeans.XmlCursor;
import org.apache.xmlbeans.XmlObject; import org.apache.xmlbeans.XmlObject;
public class XSSFPaswordHelper { public class XSSFPaswordHelper {
/** /**
* Sets the XORed or hashed password * Sets the XORed or hashed password
* *
* @param xobj the xmlbeans object which contains the password attributes * @param xobj the xmlbeans object which contains the password attributes
* @param password the password, if null, the password attributes will be removed * @param password the password, if null, the password attributes will be removed
* @param hashAlgo the hash algorithm, if null the password will be XORed * @param hashAlgo the hash algorithm, if null the password will be XORed
* @param prefix the prefix of the password attributes, may be null * @param prefix the prefix of the password attributes, may be null
*/ */
public static void setPassword(XmlObject xobj, String password, HashAlgorithm hashAlgo, String prefix) { public static void setPassword(XmlObject xobj, String password, HashAlgorithm hashAlgo, String prefix) {
XmlCursor cur = xobj.newCursor(); XmlCursor cur = xobj.newCursor();
if (password == null) { if (password == null) {
cur.removeAttribute(getAttrName(prefix, "password")); cur.removeAttribute(getAttrName(prefix, "password"));
cur.removeAttribute(getAttrName(prefix, "algorithmName")); cur.removeAttribute(getAttrName(prefix, "algorithmName"));
cur.removeAttribute(getAttrName(prefix, "hashValue")); cur.removeAttribute(getAttrName(prefix, "hashValue"));
cur.removeAttribute(getAttrName(prefix, "saltValue")); cur.removeAttribute(getAttrName(prefix, "saltValue"));
cur.removeAttribute(getAttrName(prefix, "spinCount")); cur.removeAttribute(getAttrName(prefix, "spinCount"));
return; return;
} }
cur.toFirstContentToken(); cur.toFirstContentToken();
if (hashAlgo == null) { if (hashAlgo == null) {
int hash = CryptoFunctions.createXorVerifier1(password); int hash = CryptoFunctions.createXorVerifier1(password);
cur.insertAttributeWithValue(getAttrName(prefix, "password"), cur.insertAttributeWithValue(getAttrName(prefix, "password"),
String.format(Locale.ROOT, "%04X", hash).toUpperCase(Locale.ROOT)); String.format(Locale.ROOT, "%04X", hash).toUpperCase(Locale.ROOT));
} else { } else {
SecureRandom random = new SecureRandom(); SecureRandom random = new SecureRandom();
byte salt[] = random.generateSeed(16); byte salt[] = random.generateSeed(16);
// Iterations specifies the number of times the hashing function shall be iteratively run (using each // Iterations specifies the number of times the hashing function shall be iteratively run (using each
// iteration's result as the input for the next iteration). // iteration's result as the input for the next iteration).
int spinCount = 100000; int spinCount = 100000;
// Implementation Notes List: // Implementation Notes List:
// --> In this third stage, the reversed byte order legacy hash from the second stage shall // --> In this third stage, the reversed byte order legacy hash from the second stage shall
// be converted to Unicode hex string representation // be converted to Unicode hex string representation
byte hash[] = CryptoFunctions.hashPassword(password, hashAlgo, salt, spinCount, false); byte hash[] = CryptoFunctions.hashPassword(password, hashAlgo, salt, spinCount, false);
cur.insertAttributeWithValue(getAttrName(prefix, "algorithmName"), hashAlgo.jceId); cur.insertAttributeWithValue(getAttrName(prefix, "algorithmName"), hashAlgo.jceId);
cur.insertAttributeWithValue(getAttrName(prefix, "hashValue"), DatatypeConverter.printBase64Binary(hash)); cur.insertAttributeWithValue(getAttrName(prefix, "hashValue"), DatatypeConverter.printBase64Binary(hash));
cur.insertAttributeWithValue(getAttrName(prefix, "saltValue"), DatatypeConverter.printBase64Binary(salt)); cur.insertAttributeWithValue(getAttrName(prefix, "saltValue"), DatatypeConverter.printBase64Binary(salt));
cur.insertAttributeWithValue(getAttrName(prefix, "spinCount"), ""+spinCount); cur.insertAttributeWithValue(getAttrName(prefix, "spinCount"), ""+spinCount);
} }
cur.dispose(); cur.dispose();
} }
/** /**
* Validates the password, i.e. * Validates the password, i.e.
* calculates the hash of the given password and compares it against the stored hash * calculates the hash of the given password and compares it against the stored hash
* *
* @param xobj the xmlbeans object which contains the password attributes * @param xobj the xmlbeans object which contains the password attributes
* @param password the password, if null the method will always return false, * @param password the password, if null the method will always return false,
* even if there's no password set * even if there's no password set
* @param prefix the prefix of the password attributes, may be null * @param prefix the prefix of the password attributes, may be null
* *
* @return true, if the hashes match * @return true, if the hashes match
*/ */
public static boolean validatePassword(XmlObject xobj, String password, String prefix) { public static boolean validatePassword(XmlObject xobj, String password, String prefix) {
// TODO: is "velvetSweatshop" the default password? // TODO: is "velvetSweatshop" the default password?
if (password == null) return false; if (password == null) return false;
XmlCursor cur = xobj.newCursor(); XmlCursor cur = xobj.newCursor();
String xorHashVal = cur.getAttributeText(getAttrName(prefix, "password")); String xorHashVal = cur.getAttributeText(getAttrName(prefix, "password"));
String algoName = cur.getAttributeText(getAttrName(prefix, "algorithmName")); String algoName = cur.getAttributeText(getAttrName(prefix, "algorithmName"));
String hashVal = cur.getAttributeText(getAttrName(prefix, "hashValue")); String hashVal = cur.getAttributeText(getAttrName(prefix, "hashValue"));
String saltVal = cur.getAttributeText(getAttrName(prefix, "saltValue")); String saltVal = cur.getAttributeText(getAttrName(prefix, "saltValue"));
String spinCount = cur.getAttributeText(getAttrName(prefix, "spinCount")); String spinCount = cur.getAttributeText(getAttrName(prefix, "spinCount"));
cur.dispose(); cur.dispose();
if (xorHashVal != null) { if (xorHashVal != null) {
int hash1 = Integer.parseInt(xorHashVal, 16); int hash1 = Integer.parseInt(xorHashVal, 16);
int hash2 = CryptoFunctions.createXorVerifier1(password); int hash2 = CryptoFunctions.createXorVerifier1(password);
return hash1 == hash2; return hash1 == hash2;
} else { } else {
if (hashVal == null || algoName == null || saltVal == null || spinCount == null) { if (hashVal == null || algoName == null || saltVal == null || spinCount == null) {
return false; return false;
} }
byte hash1[] = DatatypeConverter.parseBase64Binary(hashVal); byte hash1[] = DatatypeConverter.parseBase64Binary(hashVal);
HashAlgorithm hashAlgo = HashAlgorithm.fromString(algoName); HashAlgorithm hashAlgo = HashAlgorithm.fromString(algoName);
byte salt[] = DatatypeConverter.parseBase64Binary(saltVal); byte salt[] = DatatypeConverter.parseBase64Binary(saltVal);
int spinCnt = Integer.parseInt(spinCount); int spinCnt = Integer.parseInt(spinCount);
byte hash2[] = CryptoFunctions.hashPassword(password, hashAlgo, salt, spinCnt, false); byte hash2[] = CryptoFunctions.hashPassword(password, hashAlgo, salt, spinCnt, false);
return Arrays.equals(hash1, hash2); return Arrays.equals(hash1, hash2);
} }
} }
private static QName getAttrName(String prefix, String name) { private static QName getAttrName(String prefix, String name) {
if (prefix == null || "".equals(prefix)) { if (prefix == null || "".equals(prefix)) {
return new QName(name); return new QName(name);
} else { } else {
return new QName(prefix+Character.toUpperCase(name.charAt(0))+name.substring(1)); return new QName(prefix+Character.toUpperCase(name.charAt(0))+name.substring(1));
} }
} }
} }