#3 login data "hash" is now SHA-256 to reduce chances that it can be …

…used in password guessing
neowit · Jul 9, 2014 · 9b507e9 · 9b507e9
1 parent eba5205
commit 9b507e9
Showing 1 changed file with 10 additions and 13 deletions.
diff --git a/src/main/scala/com/neowit/apex/Session.scala b/src/main/scala/com/neowit/apex/Session.scala
@@ -19,7 +19,7 @@
 
 package com.neowit.apex
 
-import java.util.zip.CRC32
+import java.security.MessageDigest
 
 import com.neowit.utils.{FileUtils, Logging, Config}
 import com.sforce.soap.partner.PartnerConnection
@@ -65,33 +65,30 @@ class Session(config: Config) extends Logging {
         val emptySession = (None, None)
         if (!callingAnotherOrg) {
             val connectionData = getData("session")
-            connectionData.get("checksum") match {
-              case Some(checksum) =>
-                  if (checksum == getChecksum)
+            connectionData.get("hash") match {
+              case Some(hash) if hash == getHash =>
                   (connectionData.get("sessionId").map(_.toString), connectionData.get("serviceEndpoint").map(_.toString))
-                  else
-                      emptySession
-              case None =>
+              case _ =>
                   emptySession
             }
         } else {
             emptySession
         }
     }
-    //checksum is used to check if current session Id was generated against current set of login credentials
-    private def getChecksum: String = {
-        val crc32 = new CRC32()
+    //hash is used to check if current session Id was generated against current set of login credentials
+    private def getHash: String = {
+        val md5 = MessageDigest.getInstance("SHA-256")
+        md5.reset()
         val str = config.username + config.password + config.soapEndpoint
-        crc32.update(str.getBytes)
-        crc32.getValue.toString
+        md5.digest(str.getBytes("UTF-8")).map(0xFF & _).map { "%02x".format(_) }.foldLeft(""){_ + _}
     }
 
     def storeConnectionData(connectionConfig: com.sforce.ws.ConnectorConfig) {
         if (!callingAnotherOrg) {
             sessionProperties.setJsonData("session", Map(
                             "sessionId" -> connectionConfig.getSessionId,
                             "serviceEndpoint" -> connectionConfig.getServiceEndpoint,
-                            "checksum" -> getChecksum
+                            "hash" -> getHash
             ))
         } else {
             sessionProperties.remove("session")