From c5821975215ed0a9ab572c698e20b59881a214e9 Mon Sep 17 00:00:00 2001 From: Rashmini Date: Thu, 5 Oct 2023 12:02:33 +0530 Subject: [PATCH] Introduce a separate method for hashing --- .../ResendConfirmationManager.java | 6 +++--- .../password/PasswordRecoveryManagerImpl.java | 10 ++++----- .../NotificationPasswordRecoveryManager.java | 21 ++++++++++--------- .../carbon/identity/recovery/util/Utils.java | 13 ++++++++++++ 4 files changed, 32 insertions(+), 18 deletions(-) diff --git a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/confirmation/ResendConfirmationManager.java b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/confirmation/ResendConfirmationManager.java index fb551490d4..248746a5d4 100644 --- a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/confirmation/ResendConfirmationManager.java +++ b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/confirmation/ResendConfirmationManager.java @@ -47,10 +47,10 @@ import org.wso2.carbon.identity.recovery.store.JDBCRecoveryDataStore; import org.wso2.carbon.identity.recovery.store.UserRecoveryDataStore; import org.wso2.carbon.identity.recovery.util.Utils; -import org.wso2.carbon.user.api.UserStoreException; import java.io.UnsupportedEncodingException; import java.net.URISyntaxException; +import java.security.NoSuchAlgorithmException; import java.util.HashMap; import java.util.UUID; 
@@ -183,8 +183,8 @@ public ResendConfirmationDTO resendConfirmation(String tenantDomain, String rese confirmationCode = Utils.concatRecoveryFlowIdWithSecretKey(recoveryFlowId, notificationChannel, confirmationCode); try { - hashedConfirmationCode = Utils.doHash(confirmationCode); - } catch (UserStoreException e) { + hashedConfirmationCode = Utils.hashCode(confirmationCode); + } catch (NoSuchAlgorithmException e) { throw Utils.handleServerException( IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_NO_HASHING_ALGO_FOR_CODE, null); } diff --git a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/internal/service/impl/password/PasswordRecoveryManagerImpl.java b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/internal/service/impl/password/PasswordRecoveryManagerImpl.java index 0e3fbfc515..203d76d89c 100644 --- a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/internal/service/impl/password/PasswordRecoveryManagerImpl.java +++ b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/internal/service/impl/password/PasswordRecoveryManagerImpl.java @@ -54,8 +54,8 @@ import org.wso2.carbon.identity.user.functionality.mgt.UserFunctionalityManager; import org.wso2.carbon.identity.user.functionality.mgt.exception.UserFunctionalityManagementException; import org.wso2.carbon.identity.user.functionality.mgt.model.FunctionalityLockStatus; -import org.wso2.carbon.user.api.UserStoreException; +import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.Map; import java.util.UUID; 
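Review bot: In the `catch (NoSuchAlgorithmException e)` block of `resendConfirmation` the caught exception `e` is dropped — `Utils.handleServerException(ERROR_CODE_NO_HASHING_ALGO_FOR_CODE, null)` receives neither it nor a message built from it — so a misconfigured JCE provider surfaces as a generic server error with no root cause in the logs. If `handleServerException` has an overload that takes a `Throwable` (not visible here), pass `e`; otherwise log it before rethrowing, e.g. `log.error("SHA-256 is not available from any JCE provider", e);`. Since SHA-256 is a mandatory JDK algorithm this branch should be unreachable on a standard runtime, which is worth a one-line comment so nobody mistakes it for an expected path. `resendConfirmation` starts and ends outside this hunk.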
@@ -195,10 +195,10 @@ public PasswordResetCodeDTO confirm(String confirmationCode, String tenantDomain // Get Recovery data. UserRecoveryData userRecoveryData; try { - String hashedConfirmationCode = Utils.doHash(confirmationCode); + String hashedConfirmationCode = Utils.hashCode(confirmationCode); userRecoveryData = userAccountRecoveryManager .getUserRecoveryData(hashedConfirmationCode, RecoverySteps.UPDATE_PASSWORD); - } catch (UserStoreException e) { + } catch (NoSuchAlgorithmException e) { throw Utils.handleServerException( IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_NO_HASHING_ALGO_FOR_CODE, null); } catch (IdentityRecoveryException e) { @@ -260,8 +260,8 @@ public PasswordResetCodeDTO confirm(String otp, String confirmationCode, String userRecoveryData.getUser().getUserStoreDomain()); String hashedCode; try { - hashedCode = Utils.doHash(code); - } catch (UserStoreException e) { + hashedCode = Utils.hashCode(code); + } catch (NoSuchAlgorithmException e) { throw Utils.handleServerException( IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_NO_HASHING_ALGO_FOR_CODE, null); } diff --git a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java index b0667c33c0..196811355a 100644 --- a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java +++ b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java @@ -65,6 +65,7 @@ import java.io.UnsupportedEncodingException; import java.net.URISyntaxException; +import java.security.NoSuchAlgorithmException; import java.util.HashMap; import java.util.Map; 
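Review bot: `Utils.hashCode(confirmationCode)` in `confirm` dereferences its argument (`value.getBytes(...)`) so a null `confirmationCode` raises a `NullPointerException`, which the surrounding `catch (NoSuchAlgorithmException e)` / `catch (IdentityRecoveryException e)` arms do not handle; a missing code would then surface as an unhandled error instead of the flow's invalid-code response. Unless `confirm` validates the argument before this point (not visible in the hunk), add a guard ahead of the hash, e.g. `if (confirmationCode == null || confirmationCode.isEmpty()) { /* raise the existing invalid-code client error */ }`. The same applies to `Utils.hashCode(code)` in the second `confirm` overload below it. Both `confirm` methods start and end outside this hunk.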
@@ -262,8 +263,8 @@ private UserRecoveryData generateNewConfirmationCode(User user, String notificat RecoveryScenarios.NOTIFICATION_BASED_PW_RECOVERY.name()); secretKey = Utils.concatRecoveryFlowIdWithSecretKey(recoveryFlowId, notificationChannel, secretKey); try { - hashedSecretKey = Utils.doHash(secretKey); - } catch (UserStoreException e) { + hashedSecretKey = Utils.hashCode(secretKey); + } catch (NoSuchAlgorithmException e) { throw Utils.handleServerException( IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_NO_HASHING_ALGO_FOR_CODE, null); } @@ -583,9 +584,9 @@ public User updateUserPassword(String code, String password, Property[] properti UserRecoveryDataStore userRecoveryDataStore = JDBCRecoveryDataStore.getInstance(); UserRecoveryData userRecoveryData; try { - String hashedCode = Utils.doHash(code); + String hashedCode = Utils.hashCode(code); userRecoveryData = userRecoveryDataStore.load(hashedCode); - } catch (UserStoreException e) { + } catch (NoSuchAlgorithmException e) { throw Utils.handleServerException( IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_NO_HASHING_ALGO_FOR_CODE, null); } catch (IdentityRecoveryException e) { 
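Review bot: `userRecoveryDataStore.load(hashedCode)` in `updateUserPassword(String code, String password, Property[] properties)` looks a record up by the hashed form only, while the later hunk in this file (`-692`) also accepts a stored plaintext secret; if records written before codes were hashed can still exist, this lookup will not find them while the other path would. Either `load` already matches both forms (not visible here) or the two lookups should agree; at minimum a comment at the `load` call should say which is intended, e.g. `// Codes are persisted as Utils.hashCode(code); records stored unhashed are not matched here.`. `updateUserPassword` continues beyond this hunk.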
@@ -692,13 +693,13 @@ public User updateUserPassword(String code, String confirmationCode, String pass String hashedCode; try { - hashedCode = Utils.doHash(code); - } catch (UserStoreException e) { + hashedCode = Utils.hashCode(code); + } catch (NoSuchAlgorithmException e) { throw Utils.handleServerException( IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_NO_HASHING_ALGO_FOR_CODE, null); } - if (!StringUtils.equals(hashedCode, userRecoveryData.getSecret()) && !StringUtils.equals(code, - userRecoveryData.getSecret())) { + if (!(StringUtils.equals(hashedCode, userRecoveryData.getSecret()) || StringUtils.equals(code, + userRecoveryData.getSecret()))) { if ((failedAttempts + 1) >= Integer.parseInt(Utils.getRecoveryConfigs(IdentityRecoveryConstants. ConnectorConfig.RECOVERY_OTP_PASSWORD_MAX_FAILED_ATTEMPTS, userRecoveryData.getUser(). getTenantDomain()))) { @@ -1076,9 +1077,9 @@ public User getValidatedUser(String code, String recoveryStep) throws IdentityRe UserRecoveryDataStore userRecoveryDataStore = JDBCRecoveryDataStore.getInstance(); UserRecoveryData userRecoveryData; try { - String hashedCode = Utils.doHash(code); + String hashedCode = Utils.hashCode(code); userRecoveryData = userRecoveryDataStore.load(hashedCode); - } catch (UserStoreException e) { + } catch (NoSuchAlgorithmException e) { throw Utils.handleServerException( IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_NO_HASHING_ALGO_FOR_CODE, null); } catch (IdentityRecoveryException e) { diff --git a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/util/Utils.java b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/util/Utils.java index ac4d242ab2..254895a9c4 100644 --- a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/util/Utils.java +++ b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/util/Utils.java 
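Review bot: The rewritten condition in `updateUserPassword(String code, String confirmationCode, ...)` still compares the submitted value against the stored secret with `StringUtils.equals`, which returns on the first differing character; a secret comparison should be constant-time, e.g. `MessageDigest.isEqual(code.getBytes(StandardCharsets.UTF_8), userRecoveryData.getSecret().getBytes(StandardCharsets.UTF_8))` and the same for `hashedCode` (both need `java.security.MessageDigest` and `StandardCharsets` imported in this file, which the hunk does not show). The De Morgan rewrite itself is behaviour-identical, so the plaintext branch `StringUtils.equals(code, userRecoveryData.getSecret())` is carried over; it reads as compatibility with records stored before hashing, and if so a comment naming that purpose and when it can be retired would help, since it widens what counts as a valid code. `userRecoveryData.getSecret()` is also dereferenced without a null check here, which would NPE inside the hash branch only if the store can return an empty secret. `updateUserPassword` starts and ends outside this hunk.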
@@ -427,6 +427,19 @@ public static String doHash(String value) throws UserStoreException { } } + /** + * @param value Value to be hashed + * @return Hashed value + * @throws NoSuchAlgorithmException If the algorithm is not found. + */ + public static String hashCode(String value) throws NoSuchAlgorithmException { + + String digsestFunction = "SHA-256"; + MessageDigest dgst = MessageDigest.getInstance(digsestFunction); + byte[] byteValue = dgst.digest(value.getBytes(StandardCharsets.UTF_8)); + return Base64.encode(byteValue); + } + /** * Set claim to user store manager *
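Review bot: The added `Utils.hashCode(String)` is a plain, unsalted SHA-256 of the input and its name reads like `Object.hashCode()` at every call site; a name that says what it does (`sha256Base64`, or `hashRecoveryCode`) would be clearer, though renaming now ripples into the callers this patch already touched. The local `digsestFunction` is misspelled — `String digestFunction = "SHA-256";`. The Javadoc should state the contract a practitioner needs: the output is Base64 of the raw digest and is persisted, so the encoding must not change across releases, and a bare digest only protects a stored code that is itself long and random — a short OTP hashed this way is still guessable offline if the stored secret leaks, so expiry and the failed-attempt limit, not the hash, are what protect it. SHA-256 is a mandatory JDK algorithm, so the declared `NoSuchAlgorithmException` is effectively unreachable on a standard runtime; a one-line note saying so would stop callers from treating that catch as a real error path.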