private bool IsSuccessfulLegacyPassword(string hashedPassword, string providedPassword) { if (!string.IsNullOrEmpty(_legacyMachineKeySettings.Value.MachineKeyDecryptionKey)) { try { var decryptedPassword = DecryptLegacyPassword( hashedPassword, _legacyMachineKeySettings.Value.MachineKeyDecryption, _legacyMachineKeySettings.Value.MachineKeyDecryptionKey); return(decryptedPassword == providedPassword); } catch (Exception ex) { _logger.LogError( ex, "Could not decrypt password even that a DecryptionKey is provided. This means the DecryptionKey is wrong."); return(false); } } var result = LegacyPasswordSecurity.VerifyPassword(Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName, providedPassword, hashedPassword); return(result || LegacyPasswordSecurity.VerifyLegacyHashedPassword(providedPassword, hashedPassword)); }
public MemberPasswordHasher(LegacyPasswordSecurity legacyPasswordHasher, IJsonSerializer jsonSerializer) : this( legacyPasswordHasher, jsonSerializer, StaticServiceProvider.Instance.GetRequiredService <IOptions <LegacyPasswordMigrationSettings> >(), StaticServiceProvider.Instance.GetRequiredService <ILogger <MemberPasswordHasher> >()) { }
public MemberPasswordHasher( LegacyPasswordSecurity legacyPasswordHasher, IJsonSerializer jsonSerializer, IOptions <LegacyPasswordMigrationSettings> legacyMachineKeySettings, ILogger <MemberPasswordHasher> logger) : base(legacyPasswordHasher, jsonSerializer) { _legacyMachineKeySettings = legacyMachineKeySettings; _logger = logger; }
public void Get_Stored_Password_Hashed() { IPasswordConfiguration passwordConfiguration = Mock.Of <IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName); var passwordSecurity = new LegacyPasswordSecurity(); var salt = LegacyPasswordSecurity.GenerateSalt(); var stored = salt + "ThisIsAHashedPassword"; var result = passwordSecurity.ParseStoredHashPassword(passwordConfiguration.HashAlgorithmType, stored, out string initSalt); Assert.AreEqual("ThisIsAHashedPassword", result); }
public void Format_Pass_For_Storage_Hashed() { IPasswordConfiguration passwordConfiguration = Mock.Of <IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName); var passwordSecurity = new LegacyPasswordSecurity(); var salt = LegacyPasswordSecurity.GenerateSalt(); var stored = "ThisIsAHashedPassword"; var result = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, stored, salt); Assert.AreEqual(salt + "ThisIsAHashedPassword", result); }
public void Check_Password_Legacy_v4_SHA1() { const string clearText = "ThisIsAHashedPassword"; var clearTextUnicodeBytes = Encoding.Unicode.GetBytes(clearText); using var algorithm = new HMACSHA1(clearTextUnicodeBytes); var dbPassword = Convert.ToBase64String(algorithm.ComputeHash(clearTextUnicodeBytes)); var result = new LegacyPasswordSecurity().VerifyLegacyHashedPassword(clearText, dbPassword); Assert.IsTrue(result); }
public void Check_Password_Hashed_KeyedHashAlgorithm() { IPasswordConfiguration passwordConfiguration = Mock.Of <IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName); var passwordSecurity = new LegacyPasswordSecurity(); var pass = "******"; var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out string salt); var storedPassword = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt); var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword); Assert.IsTrue(result); }
public void Check_Password_Hashed_Non_KeyedHashAlgorithm() { var passwordConfiguration = Mock.Of <IPasswordConfiguration>(x => x.HashAlgorithmType == "SHA1"); var passwordSecurity = new LegacyPasswordSecurity(); var pass = "******"; var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out var salt); var storedPassword = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt); var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword); Assert.IsTrue(result); }
public void Check_Salt_Length() { var lastLength = 0; for (var i = 0; i < 10000; i++) { var result = LegacyPasswordSecurity.GenerateSalt(); if (i > 0) { Assert.AreEqual(lastLength, result.Length); } lastLength = result.Length; } }
/// <summary> /// Verifies a user's hashed password /// </summary> /// <param name="user"></param> /// <param name="hashedPassword"></param> /// <param name="providedPassword"></param> /// <returns></returns> /// <exception cref="InvalidOperationException">Thrown when the correct hashing algorith cannot be determined</exception> public override PasswordVerificationResult VerifyHashedPassword(MemberIdentityUser user, string hashedPassword, string providedPassword) { if (user is null) { throw new ArgumentNullException(nameof(user)); } var isPasswordAlgorithmKnown = user.PasswordConfig.IsNullOrWhiteSpace() == false && user.PasswordConfig != Constants.Security.UnknownPasswordConfigJson; // if there's password config use the base implementation if (isPasswordAlgorithmKnown) { PasswordVerificationResult result = base.VerifyHashedPassword(user, hashedPassword, providedPassword); if (result != PasswordVerificationResult.Failed) { return(result); } } // We need to check for clear text passwords from members as the first thing. This was possible in v8 :( else if (IsSuccessfulLegacyPassword(hashedPassword, providedPassword)) { return(PasswordVerificationResult.SuccessRehashNeeded); } // Else we need to detect what the password is. This will be the case // for upgrades since no password config will exist. byte[]? decodedHashedPassword = null; var isAspNetIdentityHash = false; try { decodedHashedPassword = Convert.FromBase64String(hashedPassword); isAspNetIdentityHash = true; } catch (Exception) { // ignored - decoding throws } // check for default ASP.NET Identity password hash flags if (isAspNetIdentityHash) { if (decodedHashedPassword?[0] == 0x00 || decodedHashedPassword?[0] == 0x01) { return(base.VerifyHashedPassword(user, hashedPassword, providedPassword)); } if (isPasswordAlgorithmKnown) { _logger.LogError("Unable to determine member password hashing algorithm"); } else { _logger.LogDebug( "Unable to determine member password hashing algorithm, but this can happen when member enters a wrong password, before it has be rehashed"); } return(PasswordVerificationResult.Failed); } var isValid = LegacyPasswordSecurity.VerifyPassword( Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName, providedPassword, hashedPassword); return(isValid ? PasswordVerificationResult.SuccessRehashNeeded : PasswordVerificationResult.Failed); }
public BackOfficePasswordHasher(LegacyPasswordSecurity passwordSecurity, IJsonSerializer jsonSerializer) : base(passwordSecurity, jsonSerializer) { }
public UmbracoPasswordHasher(LegacyPasswordSecurity legacyPasswordSecurity, IJsonSerializer jsonSerializer) { LegacyPasswordSecurity = legacyPasswordSecurity ?? throw new ArgumentNullException(nameof(legacyPasswordSecurity)); _jsonSerializer = jsonSerializer ?? throw new ArgumentNullException(nameof(jsonSerializer)); }