I am currently trying to get Java to generate the same hash for a string as PHP's hash algorithm does.
I have come close enough:
hash('sha512', 'password');
outputs:
b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86
Java code:
public static void main(String[] args) {
hash("password");
}
private static String hash(String salted) {
byte[] digest;
try {
MessageDigest mda = MessageDigest.getInstance("SHA-512");
digest = mda.digest(salted.getBytes("UTF-8"));
} catch (Exception e) {
digest = new byte[]{};
}
String str = "";
for (byte aDigest : digest) {
str += String.format("%02x", 0xFF & aDigest);
}
return str;
}
This outputs the same.
My problem is when I use the third argument within PHP's hash function. On PHP's site it's described as following:
raw_output
When set to TRUE, outputs raw binary data. FALSE outputs lowercase hexits.
I am not quite sure how to implement this extra parameter. I think mainly my question would be, how do I convert a String object into a binary String object? Currently, running it with PHP generates the following: http://sandbox.onlinephpfunctions.com/code/a1bd9b399b3ac0c4db611fe748998f18738d19e3
This should reproduce the outcome from your link:
String strBinary = null;
try {
strBinary = new String(digest, "UTF-8");
} catch (UnsupportedEncodingException e) {
}
and you'll need these imports at the top of your file:
import java.nio.charset.Charset;
import java.io.UnsupportedEncodingException;
I hope I understood your issue correctly.
Related
I'm working on a windows app, and need to use some auth function from some previous java code. I have access to the Java source but still can't seem to get it right. Probably because of my limited knowledge of cryptography.
The Java functions I need to convert are :
public String getHMACHash(String SharedSecretKey, String TextToHash) {
return base64EncodedStringFromBytes(hmacMD5(SharedSecretKey, TextToHash));
}
private String base64EncodedStringFromBytes(byte[] bArr) {
return Base64.encodeToString(bArr, 2);
}
public byte[] hmacMD5(String SharedSecretKey, String TextToHash) {
byte[] bArr = null;
try {
Mac instance = Mac.getInstance("HmacMD5");
instance.init(new SecretKeySpec(SharedSecretKey.getBytes(), "HmacMD5"));
bArr = instance.doFinal(TextToHash.getBytes());
} catch (NoSuchAlgorithmException e) {
Log.m8401e(TAG, e.getLocalizedMessage());
} catch (InvalidKeyException e2) {
Log.m8401e(TAG, e2.getLocalizedMessage());
}
return bArr;
}
so when inputting the values :
SharedSecretKey = "497n9x98jK06gf7S3T7wJ2k455Qm192Q"
TextToHash = "1502322764327/customerservice.svc/buybackcartPOST8e802a045c1e60e"
the Hash generated is :
pOZNkg077OdvhyeMMPIX2w==
Try as I might I can't get near to the hash key using the same values in VB6. I have tried a few different methods to create the hash :
Private Function hash_HMACMD5(ByVal sTextToHash As String, ByVal
sSharedSecretKey As String)
Dim asc As Object, enc As Object
Dim TextToHash() As Byte
Dim SharedSecretKey() As Byte
Set asc = CreateObject("System.Text.UTF8Encoding")
Set enc = CreateObject("System.Security.Cryptography.HMACMD5")
TextToHash = asc.Getbytes_4(sTextToHash)
SharedSecretKey = asc.Getbytes_4(sSharedSecretKey)
enc.Key = SharedSecretKey
Dim bytes() As Byte
bytes = enc.ComputeHash_2((TextToHash))
hash_HMACMD5 = Base64Encode(bytes)
Set asc = Nothing
Set enc = Nothing
End Function
So, I was hoping someone out there might be able to point me in the right direction ?
Thanks In advance for any help.
Potman100
I've traced all the code through, and I can't see any thing that would indicate something different is going on. As mentioned below, there is a import line
import android.util.Base64;
The call to create the hash is :
String hMACHash = new MASecurity().getHMACHash(str, str2);
MASecurity Class is :
import android.util.Base64;
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class MASecurity {
private static final String TAG = "MASecurity";
public String getHMACHash(String str, String str2) {
return base64EncodedStringFromBytes(hmacMD5(str, str2));
}
private String base64EncodedStringFromBytes(byte[] bArr) {
return Base64.encodeToString(bArr, 2);
}
public byte[] hmacMD5(String str, String str2) {
byte[] bArr = null;
try {
Mac instance = Mac.getInstance("HmacMD5");
instance.init(new SecretKeySpec(str.getBytes(), "HmacMD5"));
bArr = instance.doFinal(str2.getBytes());
} catch (NoSuchAlgorithmException e) {
MALog.m8401e(TAG, e.getLocalizedMessage());
} catch (InvalidKeyException e2) {
MALog.m8401e(TAG, e2.getLocalizedMessage());
}
return bArr;
}
The input values are correct, as they are logged whilst the app is running.
Hope this helps ??
Thanks Alex K., seems the Java code was adding more data to one of the params which the debugging I did missed, one I added the extra data it creates a valid hash.
I am trying to build a simple password authenticator where passwords that have been hashed using SHA-256 .
I found a couple calculators online (http://onlinemd5.com/) that hashed "password" to "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
I tried a couple other passwords with expected results.
So I tried to implement a fairly straight forward set of code (or so I thought)
String pswd="password";
String storedPswd="5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8";
//first as a byte[]
Arrays.equals(hashWord(pswd),storedPswd.getBytes("UTF-8") );
...
private byte[] hashWord(String word) {
try {
return MessageDigest.getInstance("SHA-256").digest(word.getBytes("UTF-8"));
} catch (Exception e) {
throw new BadCredentialsException("Could not hash supplied password", e);
}
}
I also tried without success.
return storedPswd.toUpperCase().equals(DigestUtils.sha256Hex(password));
The Apache codec library (v1.10) and Java 1.6 gives me :
113459EB7BB31BDDEE85ADE5230D6AD5D8B2FB52879E00A84FF6AE1067A210D3
instead of
5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8
What am I missing ??
The Solution (wrong inputs):
updated Test Code:
String passwordSHA="5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8";
String complexSHA="8849fb9b221ddec0117e2796d16929179accf3a6012f738e1ed6c11af9cc2081";
#Test
public void testDigest() throws InterruptedException{
System.out.println("Starting Digest test");
String complexPassword = "a7$h1UC8";
try {
Assert.assertTrue(authenticateUser(complexPassword, complexSHA));
Assert.assertTrue(authenticateUser("password", passwordSHA));
Assert.assertTrue( hashWord(complexPassword).equals(complexSHA) );
} catch (Exception e) {
Assert.fail();
}
}
public boolean authenticateUser(String word, String stored) throws Exception {
String apache2Pswd = hashApache(word);
System.out.println(apache2Pswd);
return stored.equals(apache2Pswd);
}
private String hashApache(String pswd){
return DigestUtils.sha256Hex(pswd);
}
public static String hashWord(String word) throws Exception{
byte[] digest = MessageDigest.getInstance("SHA-256").digest(word.getBytes("UTF-8"));
StringBuilder sb = new StringBuilder();
for (byte b : digest) {
sb.append(String.format("%02x", b));
}
System.out.println(sb.toString());
return sb.toString();
}
With Results:
Starting Digest test
8849fb9b221ddec0117e2796d16929179accf3a6012f738e1ed6c11af9cc2081
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
8849fb9b221ddec0117e2796d16929179accf3a6012f738e1ed6c11af9cc2081
The hashWord method that you posted is not correct, it does not compile (is this your actual code?); it's not returning a value.
With this:
byte[] digest = MessageDigest.getInstance("SHA-256").digest("password".getBytes("UTF-8"));
for (byte b : digest) {
System.out.printf("%02x", b);
}
I do get the expected output:
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
The output 113459eb7bb31bddee85ade5230d6ad5d8b2fb52879e00a84ff6ae1067a210d3 is what you get when you calculate the SHA-256 hash over the string 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 instead of the original string password.
You are calculating the hash over the hex string containing the hash, instead of the hash of the original password.
An online resource that does not carefully document how it converts user input to binary before hashing is worthless for the purpose of comparing hashes.
It ultimately doesn't matter if your encoding method produces hashes compatible with anything else. What matters is that you get the same hash for the same input consistently (i.e. the hash procedure must be deterministic).
So for a project I am working on, I need to be reading binary data from .FRX files into my Java project. Java's standard byte reader however, keeps returning the wrong bytes for me, which I believe could be a result of Java's modified UTF8-encoding. If I use C#'s binary reading methods, I get the output that I require. An obvious (but proving to be difficult) solution is using C# and a DLL to wrap into the Java project, and I was just wondering if anyone has any simpler alternatives in Java, perhaps an alternative standard byte-reader which can be implemented in Java relatively easily.
Any help is greatly appreciated!
Question update
Here is my C# program, which returns the output I am looking for.
using System;
using System.Collections.Generic;
using System.Text;
using System.IO;
public class GetFromFRX
{
public string getFromFRX(string filename, int pos)
{
StringBuilder buffer = new StringBuilder();
using (BinaryReader b = new BinaryReader(File.Open("frmResidency.frx", FileMode.Open)))
{
try
{
b.BaseStream.Seek(pos, SeekOrigin.Begin);
int length = b.ReadInt32();
for (int i = 0; i < length; i++)
{
buffer.Append(b.ReadChar());
}
}
catch (Exception e)
{
return "Error obtaining resource\n" + e.Message;
}
}
return buffer.ToString();
}
}
And here is some slightly differently formatted Java code:
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
public class JavaReader {
public static void main(String[] args) throws Exception {
InputStream i = null;
BufferedInputStream b = null;
try{
// open file
i = new FileInputStream("frmResidency.frx");
// input stream => buffed input stream
b = new BufferedInputStream(i);
int numByte = b.available();
byte[] buf = new byte[numByte];
b.read(buf, 2, 3);
for (byte d : buf) {
System.out.println((char)d+":" + d);
}
}catch(Exception e){
e.printStackTrace();
}finally{
if(i!=null)
i.close();
if(b!=null)
b.close();
}
}
}
In your Java code:
You are using available() in a way which is specifically warned against in the Javadoc.
You aren't checking the result returned by the read() method.
You are reading into the buffer at offset 2 and then checking the entire buffer.
You are reading bytes where your C# code reads characters.
You aren't reading the length word.
You aren't using methods like DataInputStream.readInt() which correspond to your C# code.
I have written following function to compute Md5 checksum in Java.
class Utils {
public static String md5Hash(String input) {
String result = "";
try {
System.out.println("Input=" + input);
final MessageDigest md = MessageDigest.getInstance("MD5");
md.reset();
md.update(input.getBytes());
result = md.digest().toString();
} catch (Exception ee) {
System.err.println("Error computing MD5 Hash");
}
return result;
}
};
Calling Utils.md5Hash("abcde") multiple times gives different results. My understanding says md5 returns a deterministic and unique checksum for a string. Is that wrong? Else please let me know the bug in my implementation. Thanks
The toString() method of a byte array doesn't return a meaningful string. It returns the type of the array object, followed by the hashCode of the array.
Transform the byte array to a String using Hex or Base64 encoding if you want it printed. Apache commons-codec has methods to do that.
Also, make sure to specify en encoding which supports any kind of character to transform your string to a byte array. The method you're using uses the platform default encoding, which could fail if, for example, it's latin-1 and you're transforming non-latin-1 characters. UTF-8 is a good choice.
I have done using the following way :
public static String encryptedLoginPassword( String password )
{
String encryptedData="";
try{
MessageDigest algorithm = MessageDigest.getInstance("MD5");
byte[] defaultBytes = password.getBytes();
algorithm.reset();
algorithm.update(defaultBytes);
byte messageDigest[] = algorithm.digest();
StringBuffer hexString = new StringBuffer();
for (int i=0;i<messageDigest.length;i++) {
hexString.append(Integer.toHexString(0xFF & messageDigest[i]));
}
encryptedData=hexString.toString();
}catch(NoSuchAlgorithmException nsae){
}
return encryptedData;
}
int the code given by Dinup Kandel, I had to change this:
for (int i=0;i<messageDigest.length;i++) {
hexString.append(Integer.toHexString(0xFF & messageDigest[i]));
}
in to
if ((0xff & messageDigest[i]) < 0x10) {
hexString.append("0"
+ Integer.toHexString((0xFF & messageDigest[i])));
} else {
hexString.append(Integer.toHexString(0xFF & messageDigest[i]));
}
to get my unit tests working.
note: i used this to verify the correct answer:
echo -n MyTestString | md5sum
Given the following code:
String tmp = new String("\\u0068\\u0065\\u006c\\u006c\\u006f\\u000a");
String result = convertToEffectiveString(tmp); // result contain now "hello\n"
Does the JDK already provide some classes for doing this ?
Is there a libray that does this ? (preferably under maven)
I have tried with ByteArrayOutputStream with no success.
This works, but only with ASCII. If you use unicode characters outside of the ASCCI range, then you will have problems (as each character is being stuffed into a byte, instead of a full word that is allowed by UTF-8). You can do the typecast below because you know that the UTF-8 will not overflow one byte if you guaranteed that the input is basically ASCII (as you mention in your comments).
package sample;
import java.io.UnsupportedEncodingException;
public class UnicodeSample {
public static final int HEXADECIMAL = 16;
public static void main(String[] args) {
try {
String str = "\\u0068\\u0065\\u006c\\u006c\\u006f\\u000a";
String arr[] = str.replaceAll("\\\\u"," ").trim().split(" ");
byte[] utf8 = new byte[arr.length];
int index=0;
for (String ch : arr) {
utf8[index++] = (byte)Integer.parseInt(ch,HEXADECIMAL);
}
String newStr = new String(utf8, "UTF-8");
System.out.println(newStr);
}
catch (UnsupportedEncodingException e) {
// handle the UTF-8 conversion exception
}
}
}
Here is another solution that fixes the issue of only working with ASCII characters. This will work with any unicode characters in the UTF-8 range instead of ASCII only in the first 8-bits of the range. Thanks to deceze for the questions. You made me think more about the problem and solution.
package sample;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
public class UnicodeSample {
public static final int HEXADECIMAL = 16;
public static void main(String[] args) {
try {
String str = "\\u0068\\u0065\\u006c\\u006c\\u006f\\u000a\\u3fff\\uf34c";
ArrayList<Byte> arrList = new ArrayList<Byte>();
String codes[] = str.replaceAll("\\\\u"," ").trim().split(" ");
for (String c : codes) {
int code = Integer.parseInt(c,HEXADECIMAL);
byte[] bytes = intToByteArray(code);
for (byte b : bytes) {
if (b != 0) arrList.add(b);
}
}
byte[] utf8 = new byte[arrList.size()];
for (int i=0; i<arrList.size(); i++) utf8[i] = arrList.get(i);
str = new String(utf8, "UTF-8");
System.out.println(str);
}
catch (UnsupportedEncodingException e) {
// handle the exception when
}
}
// Takes a 4 byte integer and and extracts each byte
public static final byte[] intToByteArray(int value) {
return new byte[] {
(byte) (value >>> 24),
(byte) (value >>> 16),
(byte) (value >>> 8),
(byte) (value)
};
}
}
Firstly, are you just trying to parse a string literal, or is tmp going to be some user-entered data?
If this is going to be a string literal (i.e. hard-coded string), it can be encoded using Unicode escapes. In your case, this just means using single backslashes instead of double backslashes:
String result = "\u0068\u0065\u006c\u006c\u006f\u000a";
If, however, you need to use Java's string parsing rules to parse user input, a good starting point might be Apache Commons Lang's StringEscapeUtils.unescapeJava() method.
I'm sure there must be a better way, but using just the JDK:
public static String handleEscapes(final String s)
{
final java.util.Properties props = new java.util.Properties();
props.setProperty("foo", s);
final java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream();
try
{
props.store(baos, null);
final String tmp = baos.toString().replace("\\\\", "\\");
props.load(new java.io.StringReader(tmp));
}
catch(final java.io.IOException ioe) // shouldn't happen
{ throw new RuntimeException(ioe); }
return props.getProperty("foo");
}
uses java.util.Properties.load(java.io.Reader) to process the backslash-escapes (after first using java.util.Properties.store(java.io.OutputStream, java.lang.String) to backslash-escape anything that would cause problems in a properties-file, and then using replace("\\\\", "\\") to reverse the backslash-escaping of the original backslashes).
(Disclaimer: even though I tested all the cases I could think of, there are still probably some that I didn't think of.)