nopSolutions#295 Use more secure password hashing algorithm

williamzhou1216 · Jul 27, 2017 · 3ff30b3 · 3ff30b3
1 parent d34b60a
commit 3ff30b3
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 13 deletions.
diff --git a/src/Libraries/Nop.Core/Domain/Customers/CustomerSettings.cs b/src/Libraries/Nop.Core/Domain/Customers/CustomerSettings.cs
@@ -23,7 +23,7 @@ public class CustomerSettings : ISettings
         /// </summary>
         public PasswordFormat DefaultPasswordFormat { get; set; }
         /// <summary>
-        /// Gets or sets a customer password format (SHA1, MD5) when passwords are hashed
+        /// Gets or sets a customer password format (SHA1, MD5) when passwords are hashed (DO NOT edit in production environment)
         /// </summary>
         public string HashedPasswordFormat { get; set; }
         /// <summary>

diff --git a/src/Libraries/Nop.Services/ExportImport/ImportManager.cs b/src/Libraries/Nop.Services/ExportImport/ImportManager.cs
@@ -37,6 +37,9 @@ public partial class ImportManager : IImportManager
     {
         #region Fields
 
+        //it's quite fast hash (to cheaply distinguish between objects)
+        private const string IMAGE_HASH_ALGORITHM = "SHA1";
+
         private readonly IProductService _productService;
         private readonly IProductAttributeService _productAttributeService;
         private readonly ICategoryService _categoryService;
@@ -260,8 +263,8 @@ protected virtual void ImportProductImagesUsingHash(IList<ProductPictureMetadata
                     var pictureAlreadyExists = false;
                     if (!product.IsNew)
                     {
-                        var newImageHash = _encryptionService.CreateHash(newPictureBinary.Take(takeCount).ToArray());
-                        var newValidatedImageHash = _encryptionService.CreateHash(_pictureService.ValidatePicture(newPictureBinary, mimeType).Take(takeCount).ToArray());
+                        var newImageHash = _encryptionService.CreateHash(newPictureBinary.Take(takeCount).ToArray(), IMAGE_HASH_ALGORITHM);
+                        var newValidatedImageHash = _encryptionService.CreateHash(_pictureService.ValidatePicture(newPictureBinary, mimeType).Take(takeCount).ToArray(), IMAGE_HASH_ALGORITHM);
 
                         var imagesIds = productsImagesIds.ContainsKey(product.ProductItem.Id)
                             ? productsImagesIds[product.ProductItem.Id]

diff --git a/src/Libraries/Nop.Services/Installation/CodeFirstInstallationService.cs b/src/Libraries/Nop.Services/Installation/CodeFirstInstallationService.cs
@@ -6063,7 +6063,7 @@ protected virtual void InstallSettings(bool installSampleData)
                 CheckUsernameAvailabilityEnabled = false,
                 AllowUsersToChangeUsernames = false,
                 DefaultPasswordFormat = PasswordFormat.Hashed,
-                HashedPasswordFormat = "SHA1",
+                HashedPasswordFormat = "SHA512",
                 PasswordMinLength = 6,
                 UnduplicatedPasswordsNumber = 4,
                 PasswordRecoveryLinkDaysValid = 7,

diff --git a/src/Libraries/Nop.Services/Security/EncryptionService.cs b/src/Libraries/Nop.Services/Security/EncryptionService.cs
@@ -39,7 +39,7 @@ public virtual string CreateSaltKey(int size)
         /// <param name="saltkey">Salk key</param>
         /// <param name="passwordFormat">Password format (hash algorithm)</param>
         /// <returns>Password hash</returns>
-        public virtual string CreatePasswordHash(string password, string saltkey, string passwordFormat = "SHA1")
+        public virtual string CreatePasswordHash(string password, string saltkey, string passwordFormat)
         {
             return CreateHash(Encoding.UTF8.GetBytes(String.Concat(password, saltkey)), passwordFormat);
         }
@@ -50,10 +50,10 @@ public virtual string CreatePasswordHash(string password, string saltkey, string
         /// <param name="data">The data for calculating the hash</param>
         /// <param name="hashAlgorithm">Hash algorithm</param>
         /// <returns>Data hash</returns>
-        public virtual string CreateHash(byte[] data, string hashAlgorithm = "SHA1")
+        public virtual string CreateHash(byte[] data, string hashAlgorithm)
         {
             if (String.IsNullOrEmpty(hashAlgorithm))
-                hashAlgorithm = "SHA1";
+                throw new ArgumentNullException(nameof(hashAlgorithm));
 
             var algorithm = HashAlgorithm.Create(hashAlgorithm);
             if (algorithm == null)

diff --git a/src/Libraries/Nop.Services/Security/IEncryptionService.cs b/src/Libraries/Nop.Services/Security/IEncryptionService.cs
@@ -17,15 +17,15 @@ public interface IEncryptionService
         /// <param name="saltkey">Salk key</param>
         /// <param name="passwordFormat">Password format (hash algorithm)</param>
         /// <returns>Password hash</returns>
-        string CreatePasswordHash(string password, string saltkey, string passwordFormat = "SHA1");
+        string CreatePasswordHash(string password, string saltkey, string passwordFormat);
 
         /// <summary>
         /// Create a data hash
         /// </summary>
         /// <param name="data">The data for calculating the hash</param>
         /// <param name="hashAlgorithm">Hash algorithm</param>
         /// <returns>Data hash</returns>
-        string CreateHash(byte [] data, string hashAlgorithm = "SHA1");
+        string CreateHash(byte [] data, string hashAlgorithm);
 
         /// <summary>
         /// Encrypt text

diff --git a/src/Tests/Nop.Services.Tests/Customers/CustomerRegistrationServiceTests.cs b/src/Tests/Nop.Services.Tests/Customers/CustomerRegistrationServiceTests.cs
@@ -113,7 +113,7 @@ public class CustomerRegistrationServiceTests : ServiceTest
 
             _customerPasswordRepo = MockRepository.GenerateMock<IRepository<CustomerPassword>>();
             string saltKey = _encryptionService.CreateSaltKey(5);
-            string password = _encryptionService.CreatePasswordHash("password", saltKey);
+            string password = _encryptionService.CreatePasswordHash("password", saltKey, "SHA512");
             var password1 = new CustomerPassword
             {
                 CustomerId = customer1.Id,

diff --git a/src/Tests/Nop.Services.Tests/Security/EncryptionServiceTests.cs b/src/Tests/Nop.Services.Tests/Security/EncryptionServiceTests.cs
@@ -22,15 +22,23 @@ public class EncryptionServiceTests : ServiceTest
         }
 
         [Test]
-        public void Can_hash() 
+        public void Can_hash_sha1()
         {
             string password = "MyLittleSecret";
             var saltKey = "salt1";
-            var hashedPassword = _encryptionService.CreatePasswordHash(password, saltKey);
-            //hashedPassword.ShouldBeNotBeTheSameAs(password);
+            var hashedPassword = _encryptionService.CreatePasswordHash(password, saltKey, "SHA1");
             hashedPassword.ShouldEqual("A07A9638CCE93E48E3F26B37EF7BDF979B8124D6");
         }
 
+        [Test]
+        public void Can_hash_sha512() 
+        {
+            string password = "MyLittleSecret";
+            var saltKey = "salt1";
+            var hashedPassword = _encryptionService.CreatePasswordHash(password, saltKey, "SHA512");
+            hashedPassword.ShouldEqual("4506D65FDB6F3A8CF97278AB7C5C62DEC35EADD474BE1E6243776691D56E1B27F71C1D9085B26BD7513BED89822204D6B8FCBD6E665D46558C48F56D21B2A293");
+        }
+
         [Test]
         public void Can_encrypt_and_decrypt() 
         {