|
| 1 | +/* |
| 2 | + * Licensed to the Apache Software Foundation (ASF) under one or more |
| 3 | + * contributor license agreements. See the NOTICE file distributed with |
| 4 | + * this work for additional information regarding copyright ownership. |
| 5 | + * The ASF licenses this file to You under the Apache License, Version 2.0 |
| 6 | + * (the "License"); you may not use this file except in compliance with |
| 7 | + * the License. You may obtain a copy of the License at |
| 8 | + * |
| 9 | + * http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | + * |
| 11 | + * Unless required by applicable law or agreed to in writing, software |
| 12 | + * distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | + * See the License for the specific language governing permissions and |
| 15 | + * limitations under the License. |
| 16 | + */ |
| 17 | +package org.apache.commons.codec.digest; |
| 18 | + |
| 19 | +import org.apache.commons.codec.Charsets; |
| 20 | + |
| 21 | +/** |
| 22 | + * GNU libc crypt(3) compatible hash method. |
| 23 | + * |
| 24 | + * See {@link #crypt(String, String)} for further details. |
| 25 | + * |
| 26 | + * @version $Id $ |
| 27 | + * @since 1.7 |
| 28 | + */ |
| 29 | +public class Crypt { |
| 30 | + |
| 31 | + /** |
| 32 | + * Encrypts a password in a crypt(3) compatible way. |
| 33 | + * |
| 34 | + * A random salt and the default algorithm (currently SHA-512) are used. See |
| 35 | + * {@link #crypt(String, String)} for details. |
| 36 | + * |
| 37 | + * @param keyBytes |
| 38 | + * The plaintext password. |
| 39 | + * @return The hash value. |
| 40 | + */ |
| 41 | + public static String crypt(byte[] keyBytes) throws Exception { |
| 42 | + return crypt(keyBytes, null); |
| 43 | + } |
| 44 | + |
| 45 | + /** |
| 46 | + * Encrypts a password in a crypt(3) compatible way. |
| 47 | + * |
| 48 | + * A random salt and the default algorithm (currently SHA-512) are used. See |
| 49 | + * {@link #crypt(String, String)} for details. |
| 50 | + * |
| 51 | + * @param keyBytes |
| 52 | + * The plaintext password. |
| 53 | + * @param salt |
| 54 | + * The salt value |
| 55 | + * @return The hash value. |
| 56 | + */ |
| 57 | + public static String crypt(byte[] keyBytes, String salt) throws Exception { |
| 58 | + if (salt == null) { |
| 59 | + return Sha2Crypt.sha512Crypt(keyBytes); |
| 60 | + } else if (salt.startsWith(Sha2Crypt.SHA512_PREFIX)) { |
| 61 | + return Sha2Crypt.sha512Crypt(keyBytes, salt); |
| 62 | + } else if (salt.startsWith(Sha2Crypt.SHA256_PREFIX)) { |
| 63 | + return Sha2Crypt.sha256Crypt(keyBytes, salt); |
| 64 | + } else if (salt.startsWith(Md5Crypt.MD5_PREFIX)) { |
| 65 | + return Md5Crypt.md5Crypt(keyBytes, salt); |
| 66 | + } else { |
| 67 | + return UnixCrypt.crypt(keyBytes, salt); |
| 68 | + } |
| 69 | + } |
| 70 | + |
| 71 | + /** |
| 72 | + * Calculates the digest using the strongest crypt(3) algorithm. |
| 73 | + * |
| 74 | + * A random salt and the default algorithm (currently SHA-512) are used. |
| 75 | + * |
| 76 | + * @see #crypt(String, String) |
| 77 | + * @param key |
| 78 | + * The plaintext password. |
| 79 | + * @return The hash value. |
| 80 | + */ |
| 81 | + public static String crypt(String key) throws Exception { |
| 82 | + return crypt(key, null); |
| 83 | + } |
| 84 | + |
| 85 | + /** |
| 86 | + * Encrypts a password in a crypt(3) compatible way. |
| 87 | + * |
| 88 | + * <p> |
| 89 | + * The exact algorithm depends on the format of the salt string: |
| 90 | + * <ul> |
| 91 | + * <li>SHA-512 salts start with $6$ and are up to 16 chars long. |
| 92 | + * <li>SHA-256 salts start with $5$ and are up to 16 chars long |
| 93 | + * <li>MD5 salts start with "$1$" and are up to 8 chars long |
| 94 | + * <li>DES, the traditional UnixCrypt algorithm is used else with only 2 chars |
| 95 | + * <li>Only the first 8 chars of the passwords are used in the DES algorithm! |
| 96 | + * </ul> |
| 97 | + * The magic strings "$apr1$" and "$2a$" are not recognised by this method as its output should be identical with |
| 98 | + * that of the libc implementation. |
| 99 | + * |
| 100 | + * <p> |
| 101 | + * The rest of the salt string is drawn from the set [a-zA-Z0-9./] and is cut at the maximum length of if a "$" sign |
| 102 | + * is encountered. It is therefore valid to enter a complete hash value as salt to e.g. verify a password with: |
| 103 | + * storedPwd.equals(crypt(enteredPwd, storedPwd)) |
| 104 | + * |
| 105 | + * <p> |
| 106 | + * The resulting string starts with the marker string ($6$), continues with the salt value and ends with a "$" sign |
| 107 | + * followed by the actual hash value. For DES the string only contains the salt and actual hash. It's toal length is |
| 108 | + * dependend on the algorithm used: |
| 109 | + * <ul> |
| 110 | + * <li>SHA-512: 106 chars |
| 111 | + * <li>SHA-256: 63 chars |
| 112 | + * <li>MD5: 34 chars |
| 113 | + * <li>DES: 13 chars |
| 114 | + * </ul> |
| 115 | + * |
| 116 | + * <p> |
| 117 | + * Example: |
| 118 | + * |
| 119 | + * <pre> |
| 120 | + * crypt("secret", "$1$xxxx") => "$1$xxxx$aMkevjfEIpa35Bh3G4bAc." |
| 121 | + * crypt("secret", "xx") => "xxWAum7tHdIUw" |
| 122 | + * </pre> |
| 123 | + * |
| 124 | + * This method comes in a variation that accepts a byte[] array to support input strings that are not encoded in |
| 125 | + * UTF-8 but e.g. in ISO-8859-1 where equal characters result in different byte values. |
| 126 | + * |
| 127 | + * @see "The man page of the libc crypt (3) function." |
| 128 | + * @param key |
| 129 | + * The plaintext password as entered by the used. |
| 130 | + * @param salt |
| 131 | + * The salt value |
| 132 | + * @return The hash value i.e. encrypted password including the salt string |
| 133 | + */ |
| 134 | + public static String crypt(String key, String salt) throws Exception { |
| 135 | + return crypt(key.getBytes(Charsets.UTF_8), salt); |
| 136 | + } |
| 137 | +} |
0 commit comments