Reputation: 163
I'm trying to produce the same hashes found in the Linux shadow file using the MessageDigest, given the password, salt value and hashing algorithm, although the results do not match with what I get from the function below.
Expected Output = $6$5H0QpwprRiJQR19Y$bXGOh7dIfOWpUb/Tuqr7yQVCqL3UkrJns9.7msfvMg4ZOPsFC5Tbt32PXAw9qRFEBs1254aLimFeNM8YsYOv.
Actual Output = ca0d04319f273d36f246975a4f9c71d0184c4ca7f3ba54bc0b3e0b4106f0eefca1e9a122a536fb17273b1077367bf68365c10fa8a2b18285a6825628f3614194
I have this function for generating the hash value
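import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// One SHA-512 pass over salt + password, returned as lowercase hex.
public String getSha512Hash(String password, String saltValue) throws NoSuchAlgorithmException {
    String text = saltValue + password;
    MessageDigest messageDigest = MessageDigest.getInstance("SHA-512");
    byte[] bytes = messageDigest.digest(text.getBytes());
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < bytes.length; ++i) {
        // Mask to 0..255 and set bit 8 so each byte prints as exactly two hex digits.
        sb.append(Integer.toHexString((bytes[i] & 0xFF) | 0x100).substring(1, 3));
    }
    return sb.toString();
}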
I'm referring to this website.
Upvotes: 1
Views: 1533
Reputation: 20875
The fundamental problem is that the site you are referring to uses Perl's crypt(), which seems to be a direct call to libc crypt(). The manual of crypt does not specify how the SHA-512 hash is actually computed, but I searched GitHub and found this ~400 LOC source file, sha512-crypt.c.
I read through it and can't tell if it refers to some standard or if it's the only program using that algorithm. Since the SHA-512 thing also seems a proprietary extension to the POSIX standard, it's absolutely not unlikely.
You could ask the maintainer or the mailing list and report your findings back, otherwise if you absolutely need that functionality, you could write a native extension (don't know if there are Java libraries already available).
Upvotes: 0
Reputation: 7475
The passwords in /etc/shadow are hashed using the crypt(3) system call (man crypt).
You can use the Apache Commons implementation which should mimic the same behavior.
Upvotes: 1
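The Apache Commons suggestion in the answer above, written out as an added example that is not part of the original question or answers: it checks a password against the hash field of a shadow-style line by recomputing the `$6$` value with Commons Codec's `Crypt.crypt` and comparing in constant time. It assumes commons-codec is on the classpath; the class name `ShadowCheck`, the method `matches`, and the sample user, password and salt are made up for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.apache.commons.codec.digest.Crypt;

// Added example; requires commons-codec on the classpath.
public class ShadowCheck {

    /** True if password reproduces the hash field (2nd colon-separated field) of a shadow line. */
    static boolean matches(String password, String shadowLine) {
        String[] fields = shadowLine.split(":", -1);
        if (fields.length < 2) {
            return false;
        }
        String stored = fields[1];
        // "!", "*", "!$6$..." or an empty field mean locked / no password: never a match.
        if (!stored.startsWith("$6$")) {
            return false;
        }
        String computed;
        try {
            // crypt(3) convention: pass the stored hash as the salt argument; the
            // "$6$[rounds=N$]salt" prefix is extracted from it and the rest is ignored.
            computed = Crypt.crypt(password.getBytes(StandardCharsets.UTF_8), stored);
        } catch (IllegalArgumentException e) {
            return false; // malformed salt in the stored field
        }
        // Constant-time comparison of the two encoded strings.
        return MessageDigest.isEqual(
                computed.getBytes(StandardCharsets.US_ASCII),
                stored.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed sample data: user names, password and salt are invented for this demo.
        String hash = Crypt.crypt("correct horse".getBytes(StandardCharsets.UTF_8),
                "$6$ExampleSalt123");
        String line = "alice:" + hash + ":19000:0:99999:7:::";
        System.out.println(line);
        System.out.println(matches("correct horse", line));
        System.out.println(matches("wrong guess", line));
        System.out.println(matches("correct horse", "bob:!:19000:0:99999:7:::"));
    }
}
```

The `$6$` scheme iterates SHA-512 over several mixes of password and salt and encodes the result with its own base64 alphabet, which is why a single hex-encoded `MessageDigest` pass cannot reproduce the value stored in the shadow file.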