org.apache.wiki.util

Class CryptoUtil

java.lang.Object

org.apache.wiki.util.CryptoUtil

public final class CryptoUtil
extends java.lang.Object

Hashes and verifies salted SHA-1 passwords, which are compliant with RFC 2307.

Method Summary

Modifier and Type	Method and Description
static java.lang.String	getSaltedPassword(byte[] password, java.lang.String algorithm) Creates an RFC 2307-compliant salted, hashed password with the SHA1 or SHA-256 MessageDigest algorithm.
static void	main(java.lang.String[] args) Convenience method for hashing and verifying salted SHA-1 or SHA-256 passwords from the command line.
static boolean	verifySaltedPassword(byte[] password, java.lang.String entry) Compares a password to a given entry and returns true, if it matches.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

main

public static void main(java.lang.String[] args)
                 throws java.lang.Exception

Convenience method for hashing and verifying salted SHA-1 or SHA-256 passwords from the command line. This method requires commons-codec-1.3.jar (or a newer version) to be on the classpath. Command line arguments are as follows:

• --hash password SSHA - hashes password and prints a password digest that looks like this:

  {SSHA}yfT8SRT/WoOuNuA6KbJeF10OznZmb28=

• --verify password digest - verifies password by extracting the salt from digest (which is identical to what is printed by --hash) and re-computing the digest again using the password and salt. If the password supplied is the same as the one used to create the original digest, true will be printed; otherwise false

For example, one way to use this utility is to change to JSPWiki's build directory and type the following command:

java -cp JSPWiki.jar:../lib/commons-codec-1.3.jar org.apache.wiki.util.CryptoUtil --hash mynewpassword

Parameters:

args - arguments for this method as described above

Throws:

java.lang.Exception - Catches nothing; throws everything up.

getSaltedPassword

public static java.lang.String getSaltedPassword(byte[] password,
                                                 java.lang.String algorithm)
                                          throws java.security.NoSuchAlgorithmException

Creates an RFC 2307-compliant salted, hashed password with the SHA1 or SHA-256 MessageDigest algorithm. After the password is digested, the first 20 or 32 bytes of the digest will be the actual password hash; the remaining bytes will be a randomly generated salt of length DEFAULT_SALT_SIZE, for example:

{SSHA}3cGWem65NCEkF5Ew5AEk45ak8LHUWAwPVXAyyw==

In layman's terms, the formula is digest( secret + salt ) + salt. The resulting digest is Base64-encoded.

Note that successive invocations of this method with the same password will result in different hashes! (This, of course, is exactly the point.)

Parameters:

password - the password to be digested

Returns:

the Base64-encoded password hash, prepended by {SSHA} or {SHA256}.

Throws:

java.security.NoSuchAlgorithmException - If your JVM does not supply the necessary algorithm. Should not happen.

verifySaltedPassword

public static boolean verifySaltedPassword(byte[] password,
                                           java.lang.String entry)
                                    throws java.security.NoSuchAlgorithmException

Compares a password to a given entry and returns true, if it matches.

Parameters:

password - The password in bytes.

entry - The password entry, typically starting with {SSHA}.

Returns:

True, if the password matches.

Throws:

java.security.NoSuchAlgorithmException - If there is no SHA available.