Constructor Detail

• Crypt

  public Crypt()

Method Detail

• crypt

  public static String crypt(byte[] keyBytes)

  Encrypts a password in a crypt(3) compatible way.

  A random salt and the default algorithm (currently SHA-512) are used. See crypt(String, String) for details.

  Parameters:

  keyBytes - plaintext password

  Returns:

  hash value

  Throws:

  RuntimeException - when a NoSuchAlgorithmException is caught.

• crypt

  public static String crypt(byte[] keyBytes,
             String salt)

  Encrypts a password in a crypt(3) compatible way.

  If no salt is provided, a random salt and the default algorithm (currently SHA-512) will be used. See crypt(String, String) for details.

  Parameters:

  keyBytes - plaintext password

  salt - salt value

  Returns:

  hash value

  Throws:

  IllegalArgumentException - if the salt does not match the allowed pattern

  RuntimeException - when a NoSuchAlgorithmException is caught.

• crypt

  public static String crypt(String key)

  Calculates the digest using the strongest crypt(3) algorithm.

  A random salt and the default algorithm (currently SHA-512) are used.

  Parameters:

  key - plaintext password

  Returns:

  hash value

  Throws:

  RuntimeException - when a NoSuchAlgorithmException is caught.

  See Also:

  crypt(String, String)

• crypt

  public static String crypt(String key,
             String salt)

  Encrypts a password in a crypt(3) compatible way.

  The exact algorithm depends on the format of the salt string:

  • SHA-512 salts start with $6$ and are up to 16 chars long.
  • SHA-256 salts start with $5$ and are up to 16 chars long
  • MD5 salts start with $1$ and are up to 8 chars long
  • DES, the traditional UnixCrypt algorithm is used with only 2 chars
  • Only the first 8 chars of the passwords are used in the DES algorithm!

  The magic strings "$apr1$" and "$2a$" are not recognized by this method as its output should be identical with that of the libc implementation.

  The rest of the salt string is drawn from the set [a-zA-Z0-9./] and is cut at the maximum length of if a "$" sign is encountered. It is therefore valid to enter a complete hash value as salt to e.g. verify a password with:

   storedPwd.equals(crypt(enteredPwd, storedPwd))
   

  The resulting string starts with the marker string ($6$), continues with the salt value and ends with a "$" sign followed by the actual hash value. For DES the string only contains the salt and actual hash. It's total length is dependent on the algorithm used:

  • SHA-512: 106 chars
  • SHA-256: 63 chars
  • MD5: 34 chars
  • DES: 13 chars

  Example:

        crypt("secret", "$1$xxxx") => "$1$xxxx$aMkevjfEIpa35Bh3G4bAc."
        crypt("secret", "xx") => "xxWAum7tHdIUw"
   

  This method comes in a variation that accepts a byte[] array to support input strings that are not encoded in UTF-8 but e.g. in ISO-8859-1 where equal characters result in different byte values.

  Parameters:

  key - plaintext password as entered by the used

  salt - salt value

  Returns:

  hash value, i.e. encrypted password including the salt string

  Throws:

  IllegalArgumentException - if the salt does not match the allowed pattern

  RuntimeException - when a NoSuchAlgorithmException is caught. *

  See Also:

  "The man page of the libc crypt (3) function."