com.inflight.util.Password.java Source code

Java tutorial

  1. HOME
  2. Java
  3. com.inflight.util.Password.java

Introduction

Here is the source code for com.inflight.util.Password.java

Source

/*
 * To change this license header, choose License Headers in Project Properties.
 * To change this template file, choose Tools | Templates
 * and open the template in the editor.
 */
package com.inflight.util;

import java.security.SecureRandom;

import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import org.apache.commons.codec.binary.Base64;

/**
 *
 * @author Ramakrishnan_sathyav
 */
public class Password {
    // The higher the number of iterations the more 
    // expensive computing the hash is for us and
    // also for an attacker.
    private static final int iterations = 20 * 1000;
    private static final int saltLen = 32;
    private static final int desiredKeyLen = 256;

    /** Computes a salted PBKDF2 hash of given plaintext password
    suitable for storing in a database. 
    Empty passwords are not supported. */
    public static String getSaltedHash(String password) throws Exception {
        byte[] salt = SecureRandom.getInstance("SHA1PRNG").generateSeed(saltLen);
        //        System.out.println(salt.toString());
        //        // store the salt with the password

        System.out.println(Base64.encodeBase64String(salt) + "$" + hash(password, salt));
        return Base64.encodeBase64String(salt) + "$" + hash(password, salt);
        //return "5Py5AAS9QlaRhtm0Ac3FNeyfuTU4oNpYKDCig4vtwS8=$1KQIRHF5zXULP/yoOr9lXHlOWyUjq/Q0A+5Caap9WA8=";
    }

    /** Checks whether given plaintext password corresponds 
    to a stored salted hash of the password. */
    public static boolean check(String password, String stored) throws Exception {
        String[] saltAndPass = stored.split("\\$");
        if (saltAndPass.length != 2) {
            throw new IllegalStateException("The stored password have the form 'salt$hash'");
        }
        String hashOfInput = hash(password, Base64.decodeBase64(saltAndPass[0]));
        return hashOfInput.equals(saltAndPass[1]);
    }

    // using PBKDF2 from Sun, an alternative is https://github.com/wg/scrypt
    // cf. http://www.unlimitednovelty.com/2012/03/dont-use-bcrypt.html
    private static String hash(String password, byte[] salt) throws Exception {
        if (password == null || password.length() == 0)
            throw new IllegalArgumentException("Empty passwords are not supported.");
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        SecretKey key = f.generateSecret(new PBEKeySpec(password.toCharArray(), salt, iterations, desiredKeyLen));
        return Base64.encodeBase64String(key.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        String password = "1234567";

        String hash = getSaltedHash(password);
        System.out.println("hash " + hash);
        System.out.println(check("1234567", hash));
    }
}