org.apache.wiki.util

Class CryptoUtil

java.lang.Object

org.apache.wiki.util.CryptoUtil

public final class CryptoUtil
extends Object

Hashes and verifies salted SHA-1 passwords, which are compliant with RFC 2307.

Method Summary

Modifier and Type	Method and Description
protected static byte[]	extractPasswordHash(byte[] digest) Helper method that extracts the hashed password fragment from a supplied salted SHA digest by taking all of the characters before position 20.
protected static byte[]	extractSalt(byte[] digest) Helper method that extracts the salt from supplied salted digest by taking all of the characters at position 20 and higher.
static String	getSaltedPassword(byte[] password) Creates an RFC 2307-compliant salted, hashed password with the SHA1 MessageDigest algorithm.
protected static String	getSaltedPassword(byte[] password, byte[] salt) Helper method that creates an RFC 2307-compliant salted, hashed password with the SHA1 MessageDigest algorithm.
static void	main(String[] args) Convenience method for hashing and verifying salted SHA-1 passwords from the command line.
static boolean	verifySaltedPassword(byte[] password, String entry) Compares a password to a given entry and returns true, if it matches.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

main

public static void main(String[] args)
                 throws Exception

Convenience method for hashing and verifying salted SHA-1 passwords from the command line. This method requires commons-codec-1.3.jar (or a newer version) to be on the classpath. Command line arguments are as follows:

• --hash password - hashes password and prints a password digest that looks like this:

  {SSHA}yfT8SRT/WoOuNuA6KbJeF10OznZmb28=

• --verify password digest - verifies password by extracting the salt from digest (which is identical to what is printed by --hash) and re-computing the digest again using the password and salt. If the password supplied is the same as the one used to create the original digest, true will be printed; otherwise false

For example, one way to use this utility is to change to JSPWiki's build directory and type the following command:

java -cp JSPWiki.jar:../lib/commons-codec-1.3.jar org.apache.wiki.util.CryptoUtil --hash mynewpassword

Parameters:

args - arguments for this method as described above

Throws:

Exception - Catches nothing; throws everything up.

getSaltedPassword

public static String getSaltedPassword(byte[] password)
                                throws NoSuchAlgorithmException

Creates an RFC 2307-compliant salted, hashed password with the SHA1 MessageDigest algorithm. After the password is digested, the first 20 bytes of the digest will be the actual password hash; the remaining bytes will be a randomly generated salt of length DEFAULT_SALT_SIZE, for example:

{SSHA}3cGWem65NCEkF5Ew5AEk45ak8LHUWAwPVXAyyw==

In layman's terms, the formula is digest( secret + salt ) + salt. The resulting digest is Base64-encoded.

Note that successive invocations of this method with the same password will result in different hashes! (This, of course, is exactly the point.)

Parameters:

password - the password to be digested

Returns:

the Base64-encoded password hash, prepended by {SSHA}.

Throws:

NoSuchAlgorithmException - If your JVM is completely b0rked and does not have SHA.

getSaltedPassword

protected static String getSaltedPassword(byte[] password,
                                          byte[] salt)
                                   throws NoSuchAlgorithmException

Helper method that creates an RFC 2307-compliant salted, hashed password with the SHA1 MessageDigest algorithm. After the password is digested, the first 20 bytes of the digest will be the actual password hash; the remaining bytes will be the salt. Thus, supplying a password testing123 and a random salt foo produces the hash:

{SSHA}yfT8SRT/WoOuNuA6KbJeF10OznZmb28=

In layman's terms, the formula is digest( secret + salt ) + salt. The resulting digest is Base64-encoded.

Parameters:

password - the password to be digested

salt - the random salt

Returns:

the Base64-encoded password hash, prepended by {SSHA}.

Throws:

NoSuchAlgorithmException - If your JVM is totally b0rked and does not have SHA1.

verifySaltedPassword

public static boolean verifySaltedPassword(byte[] password,
                                           String entry)
                                    throws NoSuchAlgorithmException

Compares a password to a given entry and returns true, if it matches.

Parameters:

password - The password in bytes.

entry - The password entry, typically starting with {SSHA}.

Returns:

True, if the password matches.

Throws:

NoSuchAlgorithmException - If there is no SHA available.

extractPasswordHash

protected static byte[] extractPasswordHash(byte[] digest)
                                     throws IllegalArgumentException

Helper method that extracts the hashed password fragment from a supplied salted SHA digest by taking all of the characters before position 20.

Parameters:

digest - the salted digest, which is assumed to have been previously decoded from Base64.

Returns:

the password hash

Throws:

IllegalArgumentException - if the length of the supplied digest is less than or equal to 20 bytes

extractSalt

protected static byte[] extractSalt(byte[] digest)
                             throws IllegalArgumentException

Helper method that extracts the salt from supplied salted digest by taking all of the characters at position 20 and higher.

Parameters:

digest - the salted digest, which is assumed to have been previously decoded from Base64.

Returns:

the salt

Throws:

IllegalArgumentException - if the length of the supplied digest is less than or equal to 20 bytes