Enhance pbkdf2 password hashing

Fallback to PBKDF2WithHmacSHA1 added depricated doc Update security documentation for Password validation Update security documentation for Password validation Update security documentation for Password validation fix remove colon Removed redundant statement reinstated malformed check
prestodb · Dec 5, 2024 · 4f51da0 · 4f51da0
1 parent 2f4ea64
commit 4f51da0
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 2 deletions.
diff --git a/presto-docs/src/main/sphinx/security/password-file.rst b/presto-docs/src/main/sphinx/security/password-file.rst
@@ -36,6 +36,42 @@ Property                             Description
                                      Defaults to ``1000``.
 ==================================== ==============================================
 
+Password Validation
+-------------------
+
+Password validation in Presto supports both `PBKDF2WithHmacSHA256` and `PBKDF2WithHmacSHA1` algorithms. 
+To ensure modern cryptographic standards, clients are encouraged to use `PBKDF2WithHmacSHA256`. 
+A fallback mechanism is available to maintain compatibility with legacy systems using `PBKDF2WithHmacSHA1`.
+
+Migration to `PBKDF2WithHmacSHA256` is strongly recommended to maintain security.
+
+API Method
+^^^^^^^^^^
+The following method uses the `PBKDF2WithHmacSHA256` validation mechanism and includes a fallback mechanism:
+
+.. code-block:: java
+
+    /**
+     * @Deprecated using PBKDF2WithHmacSHA1 is deprecated and clients should switch to PBKDF2WithHmacSHA256
+     */
+    public static boolean doesPBKDF2PasswordMatch(String inputPassword, String hashedPassword)
+    {
+        PBKDF2Password password = PBKDF2Password.fromString(hashedPassword);
+
+        // Validate using PBKDF2WithHmacSHA256
+        if (validatePBKDF2Password(inputPassword, password, "PBKDF2WithHmacSHA256")) {
+            return true;
+        }
+
+        // Fallback to PBKDF2WithHmacSHA1
+        LOG.warn("Using deprecated PBKDF2WithHmacSHA1 for password validation.");
+        return validatePBKDF2Password(inputPassword, password, "PBKDF2WithHmacSHA1");
+    }
+
+**Fallback Mechanism**
+
+If `PBKDF2WithHmacSHA256` fails for legacy reasons, the system gracefully falls back to `PBKDF2WithHmacSHA1` while logging a warning.
+
 Password Files
 --------------
 

diff --git a/...ssword-authenticators/src/main/java/com/facebook/presto/password/file/EncryptionUtil.java b/...ssword-authenticators/src/main/java/com/facebook/presto/password/file/EncryptionUtil.java
@@ -15,6 +15,7 @@
 
 import at.favre.lib.crypto.bcrypt.BCrypt;
 import at.favre.lib.crypto.bcrypt.IllegalBCryptFormatException;
+import com.facebook.airlift.log.Logger;
 import com.google.common.base.Splitter;
 
 import javax.crypto.SecretKeyFactory;
@@ -33,6 +34,7 @@
 
 public final class EncryptionUtil
 {
+    private static final Logger LOG = Logger.get(EncryptionUtil.class);
     private static final int BCRYPT_MIN_COST = 8;
     private static final int PBKDF2_MIN_ITERATIONS = 1000;
 
@@ -58,14 +60,29 @@ public static boolean doesBCryptPasswordMatch(String inputPassword, String hashe
         return BCrypt.verifyer().verify(inputPassword.toCharArray(), hashedPassword).verified;
     }
 
+    /**
+     * @Deprecated using PBKDF2WithHmacSHA1 is deprecated and clients should switch to PBKDF2WithHmacSHA256
+     */
     public static boolean doesPBKDF2PasswordMatch(String inputPassword, String hashedPassword)
     {
         PBKDF2Password password = PBKDF2Password.fromString(hashedPassword);
 
+        // Validate using PBKDF2WithHmacSHA256
+        if (validatePBKDF2Password(inputPassword, password, "PBKDF2WithHmacSHA256")) {
+            return true;
+        }
+
+        // Fallback to PBKDF2WithHmacSHA1
+        LOG.warn("Using deprecated PBKDF2WithHmacSHA1 for password validation.");
+        return validatePBKDF2Password(inputPassword, password, "PBKDF2WithHmacSHA1");
+    }
+
+    private static boolean validatePBKDF2Password(String inputPassword, PBKDF2Password password, String algorithm)
+    {
         try {
             KeySpec spec = new PBEKeySpec(inputPassword.toCharArray(), password.salt(), password.iterations(), password.hash().length * 8);
-            SecretKeyFactory key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
-            byte[] inputHash = key.generateSecret(spec).getEncoded();
+            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(algorithm);
+            byte[] inputHash = keyFactory.generateSecret(spec).getEncoded();
 
             if (password.hash().length != inputHash.length) {
                 throw new HashedPasswordException("PBKDF2 password input is malformed");