@mdeggies
Created May 18, 2017 19:42
shiro1 password hash validation in Java
// This gist shows how to validate a shiro1 password hash in Java.
// The original mcf_string was created via the Shiro Command Line Hasher: https://shiro.apache.org/command-line-hasher.html
// With these args: java -jar shiro-tools-hasher-1.3.2-cli.jar --algorithm SHA-512 --nogensalt --saltbytes <BASE64_ENCODED_SALT> --iterations 500000 --password Jenydoby6!
import org.apache.shiro.crypto.hash.Sha512Hash;
import java.security.MessageDigest;
import java.util.Base64;

public class Shiro1HashValidation {
    public static void main(String[] args) {
        // The stored password hash in modular crypt format (MCF). Below is an example hash
        String mcf_string = "$shiro1$SHA-512$500000$ctYP52a2Sp2yIjzzlJAuPg==$ctZ4gQtNd7bKI0SWtktRAiP4Xzgk66sabg3pj0pQBmKZmgG7KAXZqAhBJJ3cCTqenfqi4LTgeZnh4waL6oMH+w==";
        // Split the MCF string into fields: "", "shiro1", algorithm, iterations, salt, hash
        String[] mcf = mcf_string.split("\\$");
        int iteration_count = Integer.parseInt(mcf[3]);
        String b64_salt = mcf[4];
        String b64_hash = mcf[5];
        // Base64 decode the salt to get the salt byte array
        byte[] salt = Base64.getDecoder().decode(b64_salt);
        // Have the user input a plaintext password. Below is an example password
        String plaintext_password = "Jenydoby6!";
        try {
            // Hash the plaintext password, using the salt and iteration count from the mcf_string
            Sha512Hash computed = new Sha512Hash(plaintext_password, salt, iteration_count);
            String hash = computed.toBase64();
            System.out.println("Original MCF hash: " + b64_hash);
            System.out.println("Created hash: " + hash);
            // Compare the raw digests in constant time rather than with String.equals,
            // so the comparison time does not depend on where the first mismatch occurs
            byte[] expected = Base64.getDecoder().decode(b64_hash);
            if (MessageDigest.isEqual(computed.getBytes(), expected)) {
                System.out.println("Success! Both hashes match!");
            } else {
                System.out.println("Passwords do not match.");
            }
        } catch (Exception e) {
            System.out.println(e);
        }
    }
}
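The same check using only the JDK, as an added example that is not part of the original gist: it parses the `$shiro1$` string strictly and rejects malformed input instead of throwing. It assumes the Shiro 1.x `SimpleHash` scheme (digest of salt followed by the UTF-8 password, then the digest re-hashed for the remaining iterations); the class name, `MAX_ITERATIONS` bound and sample values are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class Shiro1Verifier {
    // Assumed policy bound (not from the gist): cap the work an untrusted stored string can request.
    static final int MAX_ITERATIONS = 5_000_000;

    // Iterated digest, assuming Shiro 1.x SimpleHash: H(salt || password), then H(previous) per extra round.
    static byte[] shiro1Digest(String algorithm, byte[] password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt);
        byte[] hashed = md.digest(password);
        for (int i = 1; i < iterations; i++) {
            hashed = md.digest(hashed); // digest() resets the instance after each call
        }
        return hashed;
    }

    // True only for a well-formed $shiro1$ string whose digest matches the candidate password.
    static boolean verify(String mcf, String candidate) {
        String[] f = mcf.split("\\$", -1);
        // Expected fields: "", "shiro1", algorithm, iterations, base64 salt, base64 digest
        if (f.length != 6 || !f[0].isEmpty() || !"shiro1".equals(f[1])) return false;
        try {
            int iterations = Integer.parseInt(f[3]);
            if (iterations < 1 || iterations > MAX_ITERATIONS) return false;
            byte[] salt = Base64.getDecoder().decode(f[4]);
            byte[] expected = Base64.getDecoder().decode(f[5]);
            byte[] actual = shiro1Digest(f[2], candidate.getBytes(StandardCharsets.UTF_8), salt, iterations);
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        } catch (IllegalArgumentException | NoSuchAlgorithmException e) {
            return false; // bad number, bad base64 or unknown algorithm: reject
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: build a stored string locally, then verify against it.
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        byte[] digest = shiro1Digest("SHA-512", "example-pw".getBytes(StandardCharsets.UTF_8), salt, 1000);
        String mcf = "$shiro1$SHA-512$1000$" + Base64.getEncoder().encodeToString(salt)
                + "$" + Base64.getEncoder().encodeToString(digest);
        System.out.println("correct password:  " + verify(mcf, "example-pw"));
        System.out.println("wrong password:    " + verify(mcf, "wrong-pw"));
        System.out.println("malformed string:  " + verify("$shiro1$SHA-512$abc$AA==$AA==", "x"));
    }
}
```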