Hi Jonathan,
I hope all is well at FSU.
I haven't seen any complete DB salted hashing solutions out there. I'm
attaching a class
(org.apache.directory.studio.ldapbrowser.core.model.password) that I
borrowed from the Apache DS project. I basically stripped it down to be
a single class that produces the SSHA hashes. I believe the original
class has a password verify routine. Using that, this and a JDBC Auth
Handler, you (or a dev at FSU) should probably be able to get something
working for SSHA512.
Good luck!
On 8/17/14 10:14 PM, Liedy, Jonathan wrote:
>
> Hey all,
>
>
>
> Does anyone have an implementation of pulling a salt from a database
> and comparing the given encoded password with a database stored password?
>
>
>
> The latest release of Blackboard uses SHA512 encoded passwords with a
> dynamically generated salt. The salt, iterations and hash are all in
> the same table. I?m no java dev, but if someone has a similar
> implementation they could share, I could probably hack through it.
>
>
>
> Thanks,
>
>
>
> Jonathan Liedy
>
> Middleware Administrator
>
> The Florida State University
>
> 2035 East Paul Dirac Drive
>
> Sliger, Suite 113
>
> Tallahassee, FL 32310
>
> [email protected]
>
> Voice: (850) 270-7368
>
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
--
*John Gasper*
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
package org.apache.directory.studio.ldapbrowser.core.model;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import org.apache.commons.codec.binary.Base64;
/**
* This is a stripped down and modified version of the
org.apache.directory.studio.ldapbrowser.core.model.Password
* that only encodes SSHA passwords.
*
* @author <a href="mailto:[email protected]";>Apache Directory
Project</a>
* @author John Gasper, Unicon
*/
public class Password
{
/** The hashed password */
private byte[] hashedPassword;
/** The salt */
private byte[] salt;
public Password( String passwordAsPlaintext, byte[] salt )
{
this.salt=salt;
this.hashedPassword = digest(passwordAsPlaintext, this.salt );
}
/**
* Creates a new instance of Password and calculates the hashed password.
*
* @param passwordAsPlaintext the plain text password
*
* @throws IllegalArgumentException if the given password is null
*/
public Password( String passwordAsPlaintext )
{
this.salt = new byte[8];
new SecureRandom().nextBytes( this.salt );
this.hashedPassword = digest(passwordAsPlaintext, this.salt );
}
/**
* @see java.lang.Object#toString()
*/
public String toString()
{
StringBuffer sb = new StringBuffer();
sb.append( "{ssha}" );
if ( salt != null )
{
byte[] hashedPasswordWithSaltBytes = new
byte[hashedPassword.length + salt.length];
merge( hashedPasswordWithSaltBytes, hashedPassword, salt );
sb.append( base64encode( hashedPasswordWithSaltBytes ) );
}
else
{
sb.append( base64encode( hashedPassword ) );
}
return sb.toString();
}
private static void split( byte[] all, byte[] left, byte[] right )
{
System.arraycopy( all, 0, left, 0, left.length );
System.arraycopy( all, left.length, right, 0, right.length );
}
private static void merge( byte[] all, byte[] left, byte[] right )
{
System.arraycopy( left, 0, all, 0, left.length );
System.arraycopy( right, 0, all, left.length, right.length );
}
/**
* Computes the hashed value of a password with the given hash method and
optional salt.
*
* @param password the password
* @param salt the optional salt (can be <code>null</code>)
* @return the hashed value of the password
*/
private static byte[] digest(String password, byte[] salt )
{
// Converting password to byte array
byte[] passwordBytes;
try
{
passwordBytes = password.getBytes( "UTF-8" ); //$NON-NLS-1$
}
catch ( UnsupportedEncodingException e )
{
passwordBytes = password.getBytes();
}
// Getting the message digest associated with the hash method
try
{
MessageDigest digest = MessageDigest.getInstance( "SHA" );
// Computing the hashed password (salted or not)
if ( salt != null )
{
digest.update( passwordBytes );
digest.update( salt );
return digest.digest();
}
else
{
return digest.digest( passwordBytes );
}
}
catch ( NoSuchAlgorithmException e1 )
{
return null;
}
}
/**
* Decodes the given UTF-8 byte array to an string.
*
* @param b the b the byte array to decode
*
* @return the decoded string
*/
public static String utf8decode( byte[] b )
{
try
{
return new String( b, "UTF-8" ); //$NON-NLS-1$
}
catch ( UnsupportedEncodingException e )
{
return new String( b );
}
}
/**
* Encodes the given byte array using BASE-64 encoding.
*
* @param b the b the byte array to encode
*
* @return the BASE-64 encoded string
*/
public static String base64encode( byte[] b )
{
return utf8decode( Base64.encodeBase64( b ) );
}
}
