wrends
PBKDF2-HMAC-SHA256 and the PBKDF2-HMAC-SHA512 password encoding schemes
Summary
It would be good to have PBKDF2-HMAC-SHA256 and the PBKDF2-HMAC-SHA512 password encoding schemes.
Solution You'd Like to See
Adding these types will allow stronger password encryption and security. This seems to have been done a year ago on the openidentity opendj open source project, so if the licences are compatible, it might just mean importing it here.
Workarounds/Alternatives
With openidentity opendj this works, provided you manually add the schema to schema/02-config.ldif; then these password types are available and function. The OIDs need to be allocated uniquely as part of the build. Likely the DS schema and OIDs got blatted / lost between major releases last year, the version just after openidentity/opendj which is described in PR #228 over there. (The dummy 9999* OIDs below need to be made real.)
This is the server schema missing on the openidentity opendj binaries:
$ diff config/schema/02-config.ldif config/schema/02-config.ldif.dist 5903,5914d5902 < objectClasses: ( 1.3.6.1.4.1.36733.2.1.2.99998 < NAME 'ds-cfg-pbkdf2-hmac-sha256-password-storage-scheme' < SUP ds-cfg-pbkdf2-password-storage-scheme < STRUCTURAL < MAY ds-cfg-pbkdf2-iterations < X-ORIGIN 'OpenDJ Directory Server' ) < objectClasses: ( 1.3.6.1.4.1.36733.2.1.2.99999 < NAME 'ds-cfg-pbkdf2-hmac-sha512-password-storage-scheme' < SUP ds-cfg-pbkdf2-password-storage-scheme < STRUCTURAL < MAY ds-cfg-pbkdf2-iterations < X-ORIGIN 'OpenDJ Directory Server' )
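Review bot: both objectClasses in this hunk carry placeholder OIDs (1.3.6.1.4.1.36733.2.1.2.99998 and 1.3.6.1.4.1.36733.2.1.2.99999, the "dummy 9999*" values the issue mentions), so they need properly allocated OIDs under the project's arc before the schema can be merged, and the diff is a local edit against 02-config.ldif.dist, so the definitions should land in the schema source the build ships rather than as a hand edit of the installed file. Also worth confirming whether ds-cfg-pbkdf2-password-storage-scheme, which both classes inherit from via SUP, already allows ds-cfg-pbkdf2-iterations; if it does, the explicit `MAY ds-cfg-pbkdf2-iterations` on both subclasses is redundant and could be dropped.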
Additional Notes
This PR describes this change from the open identity project : https://github.com/OpenIdentityPlatform/OpenDJ/pull/228
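To make concrete what a PBKDF2-HMAC-SHA256 / PBKDF2-HMAC-SHA512 storage scheme has to do (random salt, configurable iteration count in the role of ds-cfg-pbkdf2-iterations, scheme tag in the stored value, constant-time verification, and re-hash-on-bind when the policy tightens), here is an added Python example. It is not code from wrends, OpenDJ or the linked PR: the `{SCHEME}iterations:salt:dk` on-disk layout, the `SCHEMES` table and the helper names are assumptions made for illustration only.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Assumed scheme table for this example: tag -> (hashlib digest name, derived key length in bytes).
# The tags mirror the two objectClasses requested in the issue; the stored-value layout below
# is an illustrative assumption, not the server's real storage format.
SCHEMES = {
    "PBKDF2-HMAC-SHA256": ("sha256", 32),
    "PBKDF2-HMAC-SHA512": ("sha512", 64),
}
SALT_LEN = 16
DEFAULT_ITERATIONS = 10000  # stands in for the ds-cfg-pbkdf2-iterations config attribute

# Assumed layout: {SCHEME}<iterations>:<base64 salt>:<base64 derived key>
_ENCODED = re.compile(
    r"^\{(?P<scheme>[A-Z0-9-]+)\}(?P<iters>\d+):(?P<salt>[A-Za-z0-9+/=]+):(?P<dk>[A-Za-z0-9+/=]+)$"
)


def encode_password(password: str, scheme: str = "PBKDF2-HMAC-SHA256",
                    iterations: int = DEFAULT_ITERATIONS,
                    salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2 value for storage. A caller-supplied salt is only for tests."""
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    if iterations < 1:
        raise ValueError("iterations must be positive")
    digest, dklen = SCHEMES[scheme]
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations, dklen)
    return "{%s}%d:%s:%s" % (
        scheme, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters embedded in the stored value and compare in constant time."""
    m = _ENCODED.match(stored)
    if not m or m["scheme"] not in SCHEMES:
        return False  # unknown tag or malformed value: never accept
    digest, dklen = SCHEMES[m["scheme"]]
    salt = base64.b64decode(m["salt"])
    expected = base64.b64decode(m["dk"])
    if len(expected) != dklen:
        return False  # truncated or mismatched digest length
    actual = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, int(m["iters"]), dklen)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, scheme: str, min_iterations: int) -> bool:
    """True when the stored value is weaker than current policy (other scheme or fewer iterations),
    so the server should re-encode the password on the next successful bind."""
    m = _ENCODED.match(stored)
    return not m or m["scheme"] != scheme or int(m["iters"]) < min_iterations


if __name__ == "__main__":
    stored = encode_password("correct horse battery staple", "PBKDF2-HMAC-SHA512")
    print(stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("rehash needed at 20000 iterations:", needs_rehash(stored, "PBKDF2-HMAC-SHA512", 20000))
```

The iteration count is stored with the value rather than read from the current config so that old entries keep verifying after the administrator raises ds-cfg-pbkdf2-iterations; `needs_rehash` is what a bind path would consult to migrate those entries forward.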
Gave a quick look at the linked PR and it looks good. I need to give it a more thorough check later. I am just not sure about license headers that are there obviously copied from the original PBKDF2 implementation without any additional author attribution (might force us to reimplement that ourselves).