Class Sha2Crypt


  • public class Sha2Crypt
    extends java.lang.Object
    SHA2-based Unix crypt implementation.

    Based on the C implementation released into the Public Domain by Ulrich Drepper <drepper@redhat.com> http://www.akkadia.org/drepper/SHA-crypt.txt

    Conversion to Kotlin and from there to Java in 2012 by Christian Hammers <ch@lathspell.de> and likewise put into the Public Domain.

    This class is immutable and thread-safe.

    Since:
    1.7
    • Field Summary

      Fields 
      Modifier and Type Field Description
      private static int ROUNDS_DEFAULT
      Default number of rounds if not explicitly specified.
      private static int ROUNDS_MAX
      Maximum number of rounds.
      private static int ROUNDS_MIN
      Minimum number of rounds.
      private static java.lang.String ROUNDS_PREFIX
      Prefix for optional rounds specification.
      private static java.util.regex.Pattern SALT_PATTERN
      The pattern to match valid salt values.
      private static int SHA256_BLOCKSIZE
      The number of bytes the final hash value will have (SHA-256 variant).
      (package private) static java.lang.String SHA256_PREFIX
      The prefixes that can be used to identify this crypt() variant (SHA-256).
      private static int SHA512_BLOCKSIZE
      The number of bytes the final hash value will have (SHA-512 variant).
      (package private) static java.lang.String SHA512_PREFIX
      The prefixes that can be used to identify this crypt() variant (SHA-512).
    • Constructor Summary

      Constructors 
      Constructor Description
      Sha2Crypt()  
    • Method Summary

      Modifier and Type Method Description
      static java.lang.String sha256Crypt​(byte[] keyBytes)
      Generates a libc crypt() compatible "$5$" hash value with random salt.
      static java.lang.String sha256Crypt​(byte[] keyBytes, java.lang.String salt)
      Generates a libc6 crypt() compatible "$5$" hash value.
      static java.lang.String sha256Crypt​(byte[] keyBytes, java.lang.String salt, java.util.Random random)
      Generates a libc6 crypt() compatible "$5$" hash value.
      private static java.lang.String sha2Crypt​(byte[] keyBytes, java.lang.String salt, java.lang.String saltPrefix, int blocksize, java.lang.String algorithm)
      Generates a libc6 crypt() compatible "$5$" or "$6$" SHA2 based hash value.
      static java.lang.String sha512Crypt​(byte[] keyBytes)
      Generates a libc crypt() compatible "$6$" hash value with random salt.
      static java.lang.String sha512Crypt​(byte[] keyBytes, java.lang.String salt)
      Generates a libc6 crypt() compatible "$6$" hash value.
      static java.lang.String sha512Crypt​(byte[] keyBytes, java.lang.String salt, java.util.Random random)
      Generates a libc6 crypt() compatible "$6$" hash value.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • ROUNDS_DEFAULT

        private static final int ROUNDS_DEFAULT
        Default number of rounds if not explicitly specified.
        See Also:
        Constant Field Values
      • ROUNDS_MAX

        private static final int ROUNDS_MAX
        Maximum number of rounds.
        See Also:
        Constant Field Values
      • ROUNDS_MIN

        private static final int ROUNDS_MIN
        Minimum number of rounds.
        See Also:
        Constant Field Values
      • ROUNDS_PREFIX

        private static final java.lang.String ROUNDS_PREFIX
        Prefix for optional rounds specification.
        See Also:
        Constant Field Values
      • SHA256_BLOCKSIZE

        private static final int SHA256_BLOCKSIZE
        The number of bytes the final hash value will have (SHA-256 variant).
        See Also:
        Constant Field Values
      • SHA256_PREFIX

        static final java.lang.String SHA256_PREFIX
        The prefixes that can be used to identify this crypt() variant (SHA-256).
        See Also:
        Constant Field Values
      • SHA512_BLOCKSIZE

        private static final int SHA512_BLOCKSIZE
        The number of bytes the final hash value will have (SHA-512 variant).
        See Also:
        Constant Field Values
      • SHA512_PREFIX

        static final java.lang.String SHA512_PREFIX
        The prefixes that can be used to identify this crypt() variant (SHA-512).
        See Also:
        Constant Field Values
      • SALT_PATTERN

        private static final java.util.regex.Pattern SALT_PATTERN
        The pattern to match valid salt values.
    • Constructor Detail

      • Sha2Crypt

        public Sha2Crypt()
    • Method Detail

      • sha256Crypt

        public static java.lang.String sha256Crypt​(byte[] keyBytes)
        Generates a libc crypt() compatible "$5$" hash value with random salt.

        See Crypt.crypt(String, String) for details.

        A salt is generated for you using ThreadLocalRandom; for more secure salts consider using SecureRandom to generate your own salts and calling sha256Crypt(byte[], String).

        Parameters:
        keyBytes - plaintext to hash
        Returns:
        complete hash value
        Throws:
        java.lang.IllegalArgumentException - when a NoSuchAlgorithmException is caught.
      • sha256Crypt

        public static java.lang.String sha256Crypt​(byte[] keyBytes,
                                                   java.lang.String salt)
        Generates a libc6 crypt() compatible "$5$" hash value.

        See Crypt.crypt(String, String) for details.

        Parameters:
        keyBytes - plaintext to hash
        salt - real salt value without prefix or "rounds=". The salt may be null, in which case a salt is generated for you using SecureRandom. If one does not want to use SecureRandom, you can pass your own Random in sha256Crypt(byte[], String, Random).
        Returns:
        complete hash value including salt
        Throws:
        java.lang.IllegalArgumentException - if the salt does not match the allowed pattern
        java.lang.IllegalArgumentException - when a NoSuchAlgorithmException is caught.
      • sha256Crypt

        public static java.lang.String sha256Crypt​(byte[] keyBytes,
                                                   java.lang.String salt,
                                                   java.util.Random random)
        Generates a libc6 crypt() compatible "$5$" hash value.

        See Crypt.crypt(String, String) for details.

        Parameters:
        keyBytes - plaintext to hash
        salt - real salt value without prefix or "rounds=".
        random - the instance of Random to use for generating the salt. Consider using SecureRandom or ThreadLocalRandom.
        Returns:
        complete hash value including salt
        Throws:
        java.lang.IllegalArgumentException - if the salt does not match the allowed pattern
        java.lang.IllegalArgumentException - when a NoSuchAlgorithmException is caught.
        Since:
        1.12
      • sha2Crypt

        private static java.lang.String sha2Crypt​(byte[] keyBytes,
                                                  java.lang.String salt,
                                                  java.lang.String saltPrefix,
                                                  int blocksize,
                                                  java.lang.String algorithm)
        Generates a libc6 crypt() compatible "$5$" or "$6$" SHA2 based hash value.

        This is a nearly line by line conversion of the original C function. The numbered comments are from the algorithm description, the short C-style ones from the original C code and the ones with "Remark" from me.

        See Crypt.crypt(String, String) for details.

        Parameters:
        keyBytes - plaintext to hash
        salt - real salt value without prefix or "rounds="; may not be null
        saltPrefix - either $5$ or $6$
        blocksize - a value that differs between $5$ and $6$
        algorithm - MessageDigest algorithm identifier string
        Returns:
        complete hash value including prefix and salt
        Throws:
        java.lang.IllegalArgumentException - if the given salt is null or does not match the allowed pattern
        java.lang.IllegalArgumentException - when a NoSuchAlgorithmException is caught
        See Also:
        MessageDigestAlgorithms
      • sha512Crypt

        public static java.lang.String sha512Crypt​(byte[] keyBytes)
        Generates a libc crypt() compatible "$6$" hash value with random salt.

        See Crypt.crypt(String, String) for details.

        A salt is generated for you using ThreadLocalRandom; for more secure salts consider using SecureRandom to generate your own salts and calling sha512Crypt(byte[], String).

        Parameters:
        keyBytes - plaintext to hash
        Returns:
        complete hash value
        Throws:
        java.lang.IllegalArgumentException - when a NoSuchAlgorithmException is caught.
      • sha512Crypt

        public static java.lang.String sha512Crypt​(byte[] keyBytes,
                                                   java.lang.String salt)
        Generates a libc6 crypt() compatible "$6$" hash value.

        See Crypt.crypt(String, String) for details.

        Parameters:
        keyBytes - plaintext to hash
        salt - real salt value without prefix or "rounds=". The salt may be null, in which case a salt is generated for you using SecureRandom; if you want to use a Random object other than SecureRandom then we suggest you provide it using sha512Crypt(byte[], String, Random).
        Returns:
        complete hash value including salt
        Throws:
        java.lang.IllegalArgumentException - if the salt does not match the allowed pattern
        java.lang.IllegalArgumentException - when a NoSuchAlgorithmException is caught.
      • sha512Crypt

        public static java.lang.String sha512Crypt​(byte[] keyBytes,
                                                   java.lang.String salt,
                                                   java.util.Random random)
        Generates a libc6 crypt() compatible "$6$" hash value.

        See Crypt.crypt(String, String) for details.

        Parameters:
        keyBytes - plaintext to hash
        salt - real salt value without prefix or "rounds=". The salt may be null, in which case a salt is generated for you using ThreadLocalRandom; for more secure salts consider using SecureRandom to generate your own salts.
        random - the instance of Random to use for generating the salt. Consider using SecureRandom or ThreadLocalRandom.
        Returns:
        complete hash value including salt
        Throws:
        java.lang.IllegalArgumentException - if the salt does not match the allowed pattern
        java.lang.IllegalArgumentException - when a NoSuchAlgorithmException is caught.
        Since:
        1.12
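
Added usage example (not part of the Commons Codec sources or Javadoc): hashing and verifying a password with the "$6$" variant, passing a SecureRandom explicitly so the salt source does not depend on which default applies. The class and helper names are hypothetical, and `verify` assumes that a previously stored "$6$..." string is accepted as the salt argument, as with libc crypt().

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import org.apache.commons.codec.digest.Sha2Crypt;

// Added example, not Commons Codec code. Class and method names are hypothetical.
public class Sha2CryptPasswordExample {
    private static final SecureRandom RNG = new SecureRandom();

    // Hash with a null salt so the library draws it from the SecureRandom passed in.
    static String hash(char[] password) {
        byte[] key = utf8(password);
        try {
            return Sha2Crypt.sha512Crypt(key, null, RNG);
        } finally {
            Arrays.fill(key, (byte) 0); // wipe our copy of the plaintext
        }
    }

    // Assumption: the stored "$6$..." string is accepted as the salt argument, as with libc crypt().
    static boolean verify(char[] password, String stored) {
        if (stored == null || !stored.startsWith("$6$")) return false;
        byte[] key = utf8(password); // fresh array for every call
        try {
            String candidate = Sha2Crypt.sha512Crypt(key, stored);
            // Constant-time comparison of the recomputed and stored hash strings.
            return MessageDigest.isEqual(candidate.getBytes(StandardCharsets.US_ASCII),
                    stored.getBytes(StandardCharsets.US_ASCII));
        } catch (IllegalArgumentException e) {
            return false; // salt part does not match the allowed pattern
        } finally {
            Arrays.fill(key, (byte) 0);
        }
    }

    // Encode to UTF-8 without creating an immutable String copy of the password.
    private static byte[] utf8(char[] password) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] out = Arrays.copyOfRange(buf.array(), buf.position(), buf.limit());
        Arrays.fill(buf.array(), (byte) 0);
        return out;
    }

    public static void main(String[] args) {
        String stored = hash("correct horse".toCharArray()); // constructed sample password
        System.out.println(verify("correct horse".toCharArray(), stored));
        System.out.println(verify("wrong guess".toCharArray(), stored));
    }
}
```

Each call builds its own key array and clears it afterwards, so the code does not rely on the state of `keyBytes` after the library returns.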