mirror of
https://github.com/github/codeql.git
synced 2025-12-18 18:10:39 +01:00
148 lines
6.3 KiB
Java
148 lines
6.3 KiB
Java
import java.security.MessageDigest;
|
|
import java.security.NoSuchAlgorithmException;
|
|
import java.security.SecureRandom;
|
|
import java.util.Base64;
|
|
|
|
public class HashWithoutSalt {
|
|
// BAD - Hash without a salt.
|
|
public String getSHA256Hash(String password) throws NoSuchAlgorithmException {
|
|
MessageDigest md = MessageDigest.getInstance("SHA-256");
|
|
byte[] messageDigest = md.digest(password.getBytes());
|
|
return Base64.getEncoder().encodeToString(messageDigest);
|
|
}
|
|
|
|
// GOOD - Hash with a salt.
|
|
public String getSHA256Hash(String password, byte[] salt) throws NoSuchAlgorithmException {
|
|
MessageDigest md = MessageDigest.getInstance("SHA-256");
|
|
md.update(salt);
|
|
byte[] messageDigest = md.digest(password.getBytes());
|
|
return Base64.getEncoder().encodeToString(messageDigest);
|
|
}
|
|
|
|
// BAD - Hash without a salt.
|
|
public String getSHA256Hash2(String password) throws NoSuchAlgorithmException {
|
|
MessageDigest md = MessageDigest.getInstance("SHA-256");
|
|
md.update(password.getBytes());
|
|
byte[] messageDigest = md.digest();
|
|
return Base64.getEncoder().encodeToString(messageDigest);
|
|
}
|
|
|
|
// GOOD - Hash with a salt.
|
|
public String getSHA256Hash2(String password, byte[] salt) throws NoSuchAlgorithmException {
|
|
MessageDigest md = MessageDigest.getInstance("SHA-256");
|
|
md.update(salt);
|
|
md.update(password.getBytes());
|
|
byte[] messageDigest = md.digest();
|
|
return Base64.getEncoder().encodeToString(messageDigest);
|
|
}
|
|
|
|
// GOOD - Hash with a salt concatenated with the password.
|
|
public String getSHA256Hash3(String password, byte[] salt) throws NoSuchAlgorithmException {
|
|
MessageDigest md = MessageDigest.getInstance("SHA-256");
|
|
|
|
byte[] passBytes = password.getBytes();
|
|
byte[] allBytes = new byte[passBytes.length + salt.length];
|
|
System.arraycopy(passBytes, 0, allBytes, 0, passBytes.length);
|
|
System.arraycopy(salt, 0, allBytes, passBytes.length, salt.length);
|
|
byte[] messageDigest = md.digest(allBytes);
|
|
|
|
byte[] cipherBytes = new byte[32 + salt.length]; // SHA-256 is 32 bytes long
|
|
System.arraycopy(messageDigest, 0, cipherBytes, 0, 32);
|
|
System.arraycopy(salt, 0, cipherBytes, 32, salt.length);
|
|
return Base64.getEncoder().encodeToString(cipherBytes);
|
|
}
|
|
|
|
// GOOD - Hash with a given salt stored somewhere else.
|
|
public String getSHA256Hash(String password, String salt) throws NoSuchAlgorithmException {
|
|
MessageDigest alg = MessageDigest.getInstance("SHA-256");
|
|
String payload = password+":"+salt;
|
|
return Base64.getEncoder().encodeToString(alg.digest(payload.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
|
|
}
|
|
|
|
// GOOD - Hash with a given salt stored somewhere else.
|
|
public String getSHA256Hash2(String password, String salt, boolean useSalt) throws NoSuchAlgorithmException {
|
|
MessageDigest alg = MessageDigest.getInstance("SHA-256");
|
|
String payload = useSalt?password+":"+salt:password;
|
|
return Base64.getEncoder().encodeToString(alg.digest(payload.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
|
|
}
|
|
|
|
// GOOD - Hash with a salt for a variable named passwordHash, whose value is a hash used as an input for a hashing function.
|
|
public String getSHA256Hash3(String passwordHash) throws NoSuchAlgorithmException {
|
|
MessageDigest md = MessageDigest.getInstance("SHA-256");
|
|
byte[] messageDigest = md.digest(passwordHash.getBytes());
|
|
return Base64.getEncoder().encodeToString(messageDigest);
|
|
}
|
|
|
|
public void update(SHA256 sha256, byte[] foo, int start, int len) throws NoSuchAlgorithmException {
|
|
sha256.update(foo, start, len);
|
|
}
|
|
|
|
// GOOD - Invoking a wrapper implementation through qualifier with a salt.
|
|
public String getWrapperSHA256Hash(String password) throws NoSuchAlgorithmException, ClassNotFoundException, IllegalAccessException, InstantiationException {
|
|
SHA256 sha256 = new SHA256();
|
|
byte[] salt = getSalt();
|
|
byte[] passBytes = password.getBytes();
|
|
sha256.update(passBytes, 0, passBytes.length);
|
|
sha256.update(salt, 0, salt.length);
|
|
return Base64.getEncoder().encodeToString(sha256.digest());
|
|
}
|
|
|
|
// BAD - Invoking a wrapper implementation through qualifier without a salt.
|
|
public String getWrapperSHA256Hash2(String password) throws NoSuchAlgorithmException, ClassNotFoundException, IllegalAccessException, InstantiationException {
|
|
SHA256 sha256 = new SHA256();
|
|
byte[] passBytes = password.getBytes();
|
|
sha256.update(passBytes, 0, passBytes.length);
|
|
return Base64.getEncoder().encodeToString(sha256.digest());
|
|
}
|
|
|
|
// GOOD - Invoking a wrapper implementation through qualifier and argument with a salt.
|
|
public String getWrapperSHA256Hash3(String password) throws NoSuchAlgorithmException {
|
|
SHA256 sha256 = new SHA256();
|
|
byte[] salt = getSalt();
|
|
byte[] passBytes = password.getBytes();
|
|
sha256.update(passBytes, 0, passBytes.length);
|
|
update(sha256, salt, 0, salt.length);
|
|
return Base64.getEncoder().encodeToString(sha256.digest());
|
|
}
|
|
|
|
// BAD - Invoking a wrapper implementation through argument without a salt.
|
|
public String getWrapperSHA256Hash4(String password) throws NoSuchAlgorithmException {
|
|
SHA256 sha256 = new SHA256();
|
|
byte[] passBytes = password.getBytes();
|
|
update(sha256, passBytes, 0, passBytes.length);
|
|
return Base64.getEncoder().encodeToString(sha256.digest());
|
|
}
|
|
|
|
// GOOD - Invoking a wrapper implementation through argument with a salt.
|
|
public String getWrapperSHA256Hash5(String password) throws NoSuchAlgorithmException {
|
|
SHA256 sha256 = new SHA256();
|
|
byte[] salt = getSalt();
|
|
byte[] passBytes = password.getBytes();
|
|
update(sha256, passBytes, 0, passBytes.length);
|
|
update(sha256, salt, 0, salt.length);
|
|
return Base64.getEncoder().encodeToString(sha256.digest());
|
|
}
|
|
|
|
// BAD - Invoke a wrapper implementation with a salt, which is not detected with an interface type variable.
|
|
public String getSHA512Hash8(byte[] passphrase) throws NoSuchAlgorithmException, ClassNotFoundException, IllegalAccessException, InstantiationException {
|
|
Class c = Class.forName("SHA512");
|
|
HASH sha512 = (HASH) (c.newInstance());
|
|
byte[] tmp = new byte[4];
|
|
byte[] key = new byte[32 * 2];
|
|
for (int i = 0; i < 2; i++) {
|
|
sha512.init();
|
|
tmp[3] = (byte) i;
|
|
sha512.update(passphrase, 0, passphrase.length);
|
|
System.arraycopy(sha512.digest(), 0, key, i * 32, 32);
|
|
}
|
|
return Base64.getEncoder().encodeToString(key);
|
|
}
|
|
|
|
public static byte[] getSalt() throws NoSuchAlgorithmException {
|
|
SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
|
|
byte[] salt = new byte[16];
|
|
sr.nextBytes(salt);
|
|
return salt;
|
|
}
|
|
}
|