FileDocCategorySizeDatePackage
SSHA.javaAPI DocGlassfish v2 API9243Fri May 04 22:35:36 BST 2007com.sun.enterprise.security.util

SSHA

public class SSHA extends Object
Util class for salted SHA processing.

Salted SHA (aka SSHA) is computed as follows:
result = {SSHA}BASE64(SHA(password,salt),salt)

Methods are also provided to return partial results, such as SHA( password , salt) without Base64 encoding.

Fields Summary
private static final String
SSHA_TAG
private static com.sun.enterprise.util.i18n.StringManager
sm
private static MessageDigest
md
Constructors Summary
Methods Summary
public static byte[]compute(byte[] salt, byte[] password)
Compute a salted SHA hash.

param
salt Salt bytes.
param
password Password bytes.
return
Byte array of length 20 bytes containing hash result.
throws
IASSecurityExeption Thrown if there is an error.


    
                                        
          
         
    
        byte[] buff = new byte[password.length + salt.length];
        System.arraycopy(password, 0, buff, 0, password.length);
        System.arraycopy(salt, 0, buff, password.length, salt.length);

        byte[] hash = null;

        synchronized (SSHA.class) {
            
            if (md == null) {
                try {
                    md = MessageDigest.getInstance("SHA");
                } catch (Exception e) {
                    throw new IASSecurityException(e);
                }    
            }

            assert (md != null);
            md.reset();
            hash = md.digest(buff);
        }

        assert (hash.length==20); // SHA output is 160 bits

        return hash;
    
public static byte[]compute(int saltBytes, byte[] password)
Compute a salted SHA hash.

Salt bytes are obtained using SecureRandom.

param
saltBytes Number of bytes of random salt value to generate.
param
password Password bytes.
return
Byte array of length 20 bytes containing hash result.
throws
IASSecurityExeption Thrown if there is an error.

        SecureRandom rng=new SecureRandom();
        byte[] salt=new byte[saltBytes];
        rng.nextBytes(salt);

        return compute(salt, password);
    
public static java.lang.StringcomputeAndEncode(byte[] salt, byte[] password)
Compute a salted SHA hash and return the encoded result. This is a convenience method combining compute() and encode().

param
salt Salt bytes.
param
password Password bytes.
return
String Encoded string, as described in class documentation.
throws
IASSecurityExeption Thrown if there is an error.

        byte[] hash = compute(salt, password);
        return encode(salt, hash);
    
public static java.lang.StringcomputeAndEncode(int saltBytes, byte[] password)
Compute a salted SHA hash and return the encoded result. This is a convenience method combining compute() and encode().

param
saltBytes Number of bytes of random salt value to generate.
param
password Password bytes.
return
String Encoded string, as described in class documentation.
throws
IASSecurityExeption Thrown if there is an error.

        SecureRandom rng=new SecureRandom();
        byte[] salt=new byte[saltBytes];
        rng.nextBytes(salt);

        byte[] hash = compute(salt, password);
        return encode(salt, hash);
    
public static byte[]decode(java.lang.String encoded, byte[] hashResult)
Decodes an encoded SSHA string.

param
encoded Encoded SSHA value (e.g. output of computeAndEncode())
param
hashResult A byte array which must contain 20 elements. Upon succesful return from method, it will be filled by the hash value decoded from the given SSHA string. Existing values are not used and will be overwritten.
returns
Byte array containing the salt obtained from the encoded SSHA string.
throws
IASSecurityExeption Thrown if there is an error.

        assert (hashResult.length==20);
        if (!encoded.startsWith(SSHA_TAG)) {
            String msg = sm.getString("ssha.badformat", encoded);
            throw new IASSecurityException(msg);
        }

        String ssha = encoded.substring(SSHA_TAG.length());
        
        BASE64Decoder decoder = new BASE64Decoder();
        byte[] result = null;
      
        try {
            result = decoder.decodeBuffer(ssha);
        } catch (IOException e) {
            throw new IASSecurityException(e);
        }
        assert (result.length > 20);
        
        byte[] salt = new byte[result.length - 20];

        System.arraycopy(result, 0, hashResult, 0, 20);
        System.arraycopy(result, 20, salt, 0, result.length-20);

        return salt;
    
public static java.lang.Stringencode(byte[] salt, byte[] hash)
Perform encoding of salt and computed hash.

param
salt Salt bytes.
param
hash Result of prior compute() operation.
return
String Encoded string, as described in class documentation.

        assert (hash.length==20);
        byte[] res = new byte[20+salt.length];
        System.arraycopy(hash, 0, res, 0, 20);
        System.arraycopy(salt, 0, res, 20, salt.length);

        BASE64Encoder encoder = new BASE64Encoder();
        String encoded = encoder.encode(res);

        String out = SSHA_TAG + encoded;
        return out;
    
public static booleanverify(java.lang.String encoded, byte[] password)
Verifies a password.

The given password is verified against the provided encoded SSHA result string.

param
encoded Encoded SSHA value (e.g. output of computeAndEncode())
param
password Password bytes of the password to verify.
returns
True if given password matches encoded SSHA.
throws
IASSecurityExeption Thrown if there is an error.

        byte[] hash = new byte[20];
        byte[] salt = decode(encoded, hash);
        return verify(salt, hash, password);
    
public static booleanverify(byte[] salt, byte[] hash, byte[] password)
Verifies a password.

The given password is verified against the provided salt and hash buffers.

param
salt Salt bytes used in the hash result.
param
hash Hash result to compare against.
param
password Password bytes of the password to verify.
returns
True if given password matches encoded SSHA.
throws
IASSecurityExeption Thrown if there is an error.

        byte[] newHash = compute(salt, password);
        return Arrays.equals(hash, newHash);