Class CryptoUtil


  • public final class CryptoUtil
    extends java.lang.Object
    Hashes and verifies salted SHA-1 passwords, which are compliant with RFC 2307.
    • Method Summary

      Modifier and Type Method Description
      static java.lang.String getSaltedPassword(byte[] password, java.lang.String algorithm)
      Creates an RFC 2307-compliant salted, hashed password with the SHA1 or SHA-256 MessageDigest algorithm.
      static void main(java.lang.String[] args)
      Convenience method for hashing and verifying salted SHA-1 or SHA-256 passwords from the command line.
      static boolean verifySaltedPassword(byte[] password, java.lang.String entry)
      Compares a password to a given entry and returns true if it matches.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Method Detail

      • main

        public static void main(java.lang.String[] args)
                         throws java.lang.Exception

        Convenience method for hashing and verifying salted SHA-1 or SHA-256 passwords from the command line. This method requires commons-codec-1.3.jar (or a newer version) to be on the classpath. Command line arguments are as follows:

        • --hash password SSHA - hashes password and prints an RFC 2307 password digest that looks like this:
          {SSHA}yfT8SRT/WoOuNuA6KbJeF10OznZmb28=
        • --verify password digest - verifies password by extracting the salt from digest (which is identical to what is printed by --hash) and re-computing the digest using the password and that salt. If the password supplied is the same as the one used to create the original digest, true is printed; otherwise false.

        For example, one way to use this utility is to change to JSPWiki's build directory and type the following command:

        java -cp JSPWiki.jar:../lib/commons-codec-1.3.jar org.apache.wiki.util.CryptoUtil --hash mynewpassword
        Parameters:
        args - arguments for this method as described above
        Throws:
        java.lang.Exception - Catches nothing; throws everything up.
      • getSaltedPassword

        public static java.lang.String getSaltedPassword(byte[] password,
                                                         java.lang.String algorithm)
                                                  throws java.security.NoSuchAlgorithmException

        Creates an RFC 2307-compliant salted, hashed password with the SHA1 or SHA-256 MessageDigest algorithm. After the salted password is digested, the first 20 bytes (SHA-1) or 32 bytes (SHA-256) of the Base64-decoded value are the actual password hash; the remaining bytes are a randomly generated salt of length DEFAULT_SALT_SIZE, for example:

        {SSHA}3cGWem65NCEkF5Ew5AEk45ak8LHUWAwPVXAyyw==

        In layman's terms, the formula is digest( secret + salt ) + salt. The resulting byte string (digest followed by salt) is Base64-encoded and prefixed with the scheme name.

        Note that successive invocations of this method with the same password will result in different hashes! (This, of course, is exactly the point.)

        Parameters:
        password - the password to be digested
        algorithm - the MessageDigest algorithm to use, SHA1 or SHA-256
        Returns:
        the Base64-encoded password hash, prepended by {SSHA} or {SHA256}.
        Throws:
        java.security.NoSuchAlgorithmException - If your JVM does not supply the necessary algorithm. Should not happen.
      • verifySaltedPassword

        public static boolean verifySaltedPassword(byte[] password,
                                                   java.lang.String entry)
                                            throws java.security.NoSuchAlgorithmException

        Compares a password to a given entry and returns true if it matches.
        Parameters:
        password - The password in bytes.
        entry - The password entry, typically starting with {SSHA} or {SHA256}.
        Returns:
        True, if the password matches.
        Throws:
        java.security.NoSuchAlgorithmException - If the JVM does not supply the required SHA algorithm.
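The digest( secret + salt ) + salt layout described under getSaltedPassword, and the salt-extraction check described under verifySaltedPassword, as an added Python example that is not JSPWiki's own code. The salt length (DEFAULT_SALT_SIZE) is an assumed value, since the page does not state it; the comparison uses a constant-time compare, which the page does not mention.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed salt length for this example; JSPWiki's real DEFAULT_SALT_SIZE is not given on the page.
DEFAULT_SALT_SIZE = 8

# RFC 2307 prefix -> (hashlib algorithm name, digest length in bytes), as described on the page.
SCHEMES = {"{SSHA}": ("sha1", 20), "{SHA256}": ("sha256", 32)}


def get_salted_password(password: bytes, scheme: str = "{SSHA}",
                        salt: Optional[bytes] = None) -> str:
    """Build an entry: prefix + Base64( digest(password + salt) + salt )."""
    algo, _ = SCHEMES[scheme]
    if salt is None:
        salt = secrets.token_bytes(DEFAULT_SALT_SIZE)  # fresh random salt on every call
    digest = hashlib.new(algo, password + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_salted_password(password: bytes, entry: str) -> bool:
    """Recover the salt from the entry, recompute the digest and compare."""
    for scheme, (algo, digest_len) in SCHEMES.items():
        if entry.startswith(scheme):
            break
    else:
        raise ValueError("unsupported scheme prefix")
    try:
        raw = base64.b64decode(entry[len(scheme):], validate=True)
    except ValueError:
        return False  # malformed Base64 can never match
    if len(raw) < digest_len:
        return False  # too short to hold a full digest
    stored_digest, salt = raw[:digest_len], raw[digest_len:]
    recomputed = hashlib.new(algo, password + salt).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored_digest, recomputed)
```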