framework/base/src/main/java/org/apache/ofbiz/base/crypto/HashCrypt.java - ofbiz - Git at Google

 /*******************************************************************************
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  *******************************************************************************/
 package org.apache.ofbiz.base.crypto;

 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.spec.InvalidKeySpecException;

 import javax.crypto.SecretKeyFactory;
 import javax.crypto.spec.PBEKeySpec;

 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
 import org.apache.commons.lang.RandomStringUtils;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.GeneralRuntimeException;
 import org.apache.ofbiz.base.util.StringUtil;
 import org.apache.ofbiz.base.util.UtilIO;
 import org.apache.ofbiz.base.util.UtilProperties;
 import org.apache.ofbiz.base.util.UtilValidate;

 /**
  * Utility class for doing SHA-1/MD5/PBKDF2 One-Way Hash Encryption
  *
  */
 public class HashCrypt {

     public static final String module = HashCrypt.class.getName();
     public static final String CRYPT_CHAR_SET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";

     private static final String PBKDF2_SHA1 ="PBKDF2-SHA1";
     private static final String PBKDF2_SHA256 ="PBKDF2-SHA256";
     private static final String PBKDF2_SHA384 ="PBKDF2-SHA384";
     private static final String PBKDF2_SHA512 ="PBKDF2-SHA512";
     private static final int PBKDF2_ITERATIONS = UtilProperties.getPropertyAsInteger("security.properties", "password.encrypt.pbkdf2.iterations", 10000);

     public static MessageDigest getMessageDigest(String type) {
         try {
             return MessageDigest.getInstance(type);
         } catch (NoSuchAlgorithmException e) {
             throw new GeneralRuntimeException("Could not load digestor(" + type + ")", e);
         }
     }

     public static boolean comparePassword(String crypted, String defaultCrypt, String password) {
     	if (crypted.startsWith("{PBKDF2")) {
             return doComparePbkdf2(crypted, password);
     	} else if (crypted.startsWith("{")) {
             // FIXME: should have been getBytes("UTF-8") originally
             return doCompareTypePrefix(crypted, defaultCrypt, password.getBytes());
         } else if (crypted.startsWith("$")) {
             return doComparePosix(crypted, defaultCrypt, password.getBytes(UtilIO.getUtf8()));
         } else {
             // FIXME: should have been getBytes("UTF-8") originally
             return doCompareBare(crypted, defaultCrypt, password.getBytes());
         }
     }

     private static boolean doCompareTypePrefix(String crypted, String defaultCrypt, byte[] bytes) {
         int typeEnd = crypted.indexOf("}");
         String hashType = crypted.substring(1, typeEnd);
         String hashed = crypted.substring(typeEnd + 1);
         MessageDigest messagedigest = getMessageDigest(hashType);
         messagedigest.update(bytes);
         byte[] digestBytes = messagedigest.digest();
         char[] digestChars = Hex.encodeHex(digestBytes);
         String checkCrypted = new String(digestChars);
         if (hashed.equals(checkCrypted)) {
             return true;
         }
         // This next block should be removed when all {prefix}oldFunnyHex are fixed.
         if (hashed.equals(oldFunnyHex(digestBytes))) {
             Debug.logWarning("Warning: detected oldFunnyHex password prefixed with a hashType; this is not valid, please update the value in the database with ({%s}%s)", module, hashType, checkCrypted);
             return true;
         }
         return false;
     }

     private static boolean doComparePosix(String crypted, String defaultCrypt, byte[] bytes) {
         int typeEnd = crypted.indexOf("$", 1);
         int saltEnd = crypted.indexOf("$", typeEnd + 1);
         String hashType = crypted.substring(1, typeEnd);
         String salt = crypted.substring(typeEnd + 1, saltEnd);
         String hashed = crypted.substring(saltEnd + 1);
         return hashed.equals(getCryptedBytes(hashType, salt, bytes));
     }

     private static boolean doCompareBare(String crypted, String defaultCrypt, byte[] bytes) {
         String hashType = defaultCrypt;
         String hashed = crypted;
         MessageDigest messagedigest = getMessageDigest(hashType);
         messagedigest.update(bytes);
         return hashed.equals(oldFunnyHex(messagedigest.digest()));
     }

     /*
      * @deprecated use cryptBytes(hashType, salt, password); eventually, use
      * cryptUTF8(hashType, salt, password) after all existing installs are
      * salt-based.  If the call-site of cryptPassword is just used to create a *new*
      * value, then you can switch to cryptUTF8 directly.
      */
     @Deprecated
     public static String cryptPassword(String hashType, String salt, String password) {
     	if (hashType.startsWith("PBKDF2")) {
             return password != null ? pbkdf2HashCrypt(hashType, salt, password) : null;
         }
         // FIXME: should have been getBytes("UTF-8") originally
         return password != null ? cryptBytes(hashType, salt, password.getBytes()) : null;
     }

     public static String cryptUTF8(String hashType, String salt, String value) {
     	if (hashType.startsWith("PBKDF2")) {
             return value != null ? pbkdf2HashCrypt(hashType, salt, value) : null;
         }
         return value != null ? cryptBytes(hashType, salt, value.getBytes(UtilIO.getUtf8())) : null;
     }

     public static String cryptValue(String hashType, String salt, String value) {
     	if (hashType.startsWith("PBKDF2")) {
             return value != null ? pbkdf2HashCrypt(hashType, salt, value) : null;
         }
         return value != null ? cryptBytes(hashType, salt, value.getBytes()) : null;
     }

     public static String cryptBytes(String hashType, String salt, byte[] bytes) {
         if (hashType == null) {
             hashType = "SHA";
         }
         if (salt == null) {
             salt = RandomStringUtils.random(new SecureRandom().nextInt(15) + 1, CRYPT_CHAR_SET);
         }
         StringBuilder sb = new StringBuilder();
         sb.append("$").append(hashType).append("$").append(salt).append("$");
         sb.append(getCryptedBytes(hashType, salt, bytes));
         return sb.toString();
     }

     private static String getCryptedBytes(String hashType, String salt, byte[] bytes) {
         try {
             MessageDigest messagedigest = MessageDigest.getInstance(hashType);
             messagedigest.update(salt.getBytes(UtilIO.getUtf8()));
             messagedigest.update(bytes);
             return Base64.encodeBase64URLSafeString(messagedigest.digest()).replace('+', '.');
         } catch (NoSuchAlgorithmException e) {
             throw new GeneralRuntimeException("Error while comparing password", e);
         }
     }

     public static String pbkdf2HashCrypt(String hashType, String salt, String value){
         char[] chars = value.toCharArray();
         if (UtilValidate.isEmpty(salt)) {
             salt = getSalt();
         }
         try {
             PBEKeySpec spec = new PBEKeySpec(chars, salt.getBytes(UtilIO.getUtf8()), PBKDF2_ITERATIONS, 64 * 4);
             SecretKeyFactory skf = SecretKeyFactory.getInstance(hashType);
             byte[] hash = Base64.encodeBase64(skf.generateSecret(spec).getEncoded());
             String pbkdf2Type = null;
             switch (hashType) {
                 case "PBKDF2WithHmacSHA1":
                     pbkdf2Type = PBKDF2_SHA1;
                     break;
                 case "PBKDF2WithHmacSHA256":
                     pbkdf2Type = PBKDF2_SHA256;
                     break;
                 case "PBKDF2WithHmacSHA384":
                     pbkdf2Type = PBKDF2_SHA384;
                     break;
                 case "PBKDF2WithHmacSHA512":
                     pbkdf2Type = PBKDF2_SHA512;
                     break;
                 default:
                     pbkdf2Type = PBKDF2_SHA1;
             }
             StringBuilder sb = new StringBuilder();
             sb.append("{").append(pbkdf2Type).append("}");
             sb.append(PBKDF2_ITERATIONS).append("$");
             sb.append(org.apache.ofbiz.base.util.Base64.base64Encode(salt)).append("$");
             sb.append(new String(hash)).toString();
             return sb.toString();
         } catch (InvalidKeySpecException e) {
             throw new GeneralRuntimeException("Error while creating SecretKey", e);
         } catch (NoSuchAlgorithmException e) {
             throw new GeneralRuntimeException("Error while computing SecretKeyFactory", e);
         }
     }

     public static boolean doComparePbkdf2(String crypted, String password){
         try {
         	int typeEnd = crypted.indexOf("}");
             String hashType = crypted.substring(1, typeEnd);
             String[] parts = crypted.split("\\$");
             int iterations = Integer.parseInt(parts[0].substring(typeEnd+1));
             byte[] salt = org.apache.ofbiz.base.util.Base64.base64Decode(parts[1]).getBytes();
             byte[] hash = Base64.decodeBase64(parts[2].getBytes());

             PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, hash.length * 8);
             switch (hashType.substring(hashType.indexOf("-")+1)) {
                 case "SHA256":
                     hashType = "PBKDF2WithHmacSHA256";
                     break;
                 case "SHA384":
                     hashType = "PBKDF2WithHmacSHA384";
                     break;
                 case "SHA512":
                     hashType = "PBKDF2WithHmacSHA512";
                     break;
                 default:
                     hashType = "PBKDF2WithHmacSHA1";
             }
             SecretKeyFactory skf = SecretKeyFactory.getInstance(hashType);
             byte[] testHash = skf.generateSecret(spec).getEncoded();
             int diff = hash.length ^ testHash.length;

             for (int i = 0; i < hash.length && i < testHash.length; i++) {
                 diff |= hash[i] ^ testHash[i];
             }

             return diff == 0;
         } catch (NoSuchAlgorithmException e) {
             throw new GeneralRuntimeException("Error while computing SecretKeyFactory", e);
         } catch (InvalidKeySpecException e) {
             throw new GeneralRuntimeException("Error while creating SecretKey", e);
         }
     }

     private static String getSalt() {
         try {
             SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
             byte[] salt = new byte[16];
             sr.nextBytes(salt);
             return salt.toString();
         } catch (NoSuchAlgorithmException e) {
             throw new GeneralRuntimeException("Error while creating salt", e);
         }
     }

     /**
      * @deprecated use digestHash("SHA", null, str)
      */
     @Deprecated
     public static String getDigestHash(String str) {
         return digestHash("SHA", null, str);
     }

     /**
      * @deprecated use digestHash(hashType, null, str))
      */
     @Deprecated
     public static String getDigestHash(String str, String hashType) {
         return digestHash(hashType, null, str);
     }

     /**
      * @deprecated use digestHash(hashType, code, str);
      */
     @Deprecated
     public static String getDigestHash(String str, String code, String hashType) {
         return digestHash(hashType, code, str);
     }

     public static String digestHash(String hashType, String code, String str) {
         if (str == null) return null;
         byte[] codeBytes;
         try {
             if (code == null) codeBytes = str.getBytes();
             else codeBytes = str.getBytes(code);
         } catch (UnsupportedEncodingException e) {
             throw new GeneralRuntimeException("Error while computing hash of type " + hashType, e);
         }
         return digestHash(hashType, codeBytes);
     }

     public static String digestHash(String hashType, byte[] bytes) {
         try {
             MessageDigest messagedigest = MessageDigest.getInstance(hashType);
             messagedigest.update(bytes);
             byte[] digestBytes = messagedigest.digest();
             char[] digestChars = Hex.encodeHex(digestBytes);

             StringBuilder sb = new StringBuilder();
             sb.append("{").append(hashType).append("}");
             sb.append(digestChars, 0, digestChars.length);
             return sb.toString();
         } catch (NoSuchAlgorithmException e) {
             throw new GeneralRuntimeException("Error while computing hash of type " + hashType, e);
         }
     }

     public static String digestHash64(String hashType, byte[] bytes) {
         if (hashType == null) {
             hashType = "SHA";
         }
         try {
             MessageDigest messagedigest = MessageDigest.getInstance(hashType);
             messagedigest.update(bytes);
             byte[] digestBytes = messagedigest.digest();

             StringBuilder sb = new StringBuilder();
             sb.append("{").append(hashType).append("}");
             sb.append(Base64.encodeBase64URLSafeString(digestBytes).replace('+', '.'));
             return sb.toString();
         } catch (NoSuchAlgorithmException e) {
             throw new GeneralRuntimeException("Error while computing hash of type " + hashType, e);
         }
     }

     /**
      * @deprecated use cryptPassword
      */
     @Deprecated
     public static String getHashTypeFromPrefix(String hashString) {
         if (UtilValidate.isEmpty(hashString) || hashString.charAt(0) != '{') {
             return null;
         }

         return hashString.substring(1, hashString.indexOf('}'));
     }

     /**
      * @deprecated use cryptPassword
      */
     @Deprecated
     public static String removeHashTypePrefix(String hashString) {
         if (UtilValidate.isEmpty(hashString) || hashString.charAt(0) != '{') {
             return hashString;
         }

         return hashString.substring(hashString.indexOf('}') + 1);
     }

     /**
      * @deprecated use digestHashOldFunnyHex(hashType, str)
      */
     @Deprecated
     public static String getDigestHashOldFunnyHexEncode(String str, String hashType) {
         return digestHashOldFunnyHex(hashType, str);
     }

     public static String digestHashOldFunnyHex(String hashType, String str) {
         if (UtilValidate.isEmpty(hashType)) hashType = "SHA";
         if (str == null) return null;
         try {
             MessageDigest messagedigest = MessageDigest.getInstance(hashType);
             byte[] strBytes = str.getBytes();

             messagedigest.update(strBytes);
             return oldFunnyHex(messagedigest.digest());
         } catch (Exception e) {
             Debug.logError(e, "Error while computing hash of type " + hashType, module);
         }
         return str;
     }

     // This next block should be removed when all {prefix}oldFunnyHex are fixed.
     private static String oldFunnyHex(byte[] bytes) {
         int k = 0;
         char[] digestChars = new char[bytes.length * 2];
         for (int l = 0; l < bytes.length; l++) {
             int i1 = bytes[l];

             if (i1 < 0) {
                 i1 = 127 + i1 * -1;
             }
             StringUtil.encodeInt(i1, k, digestChars);
             k += 2;
         }
         return new String(digestChars);
     }
 }
	/*******************************************************************************
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*******************************************************************************/
	package org.apache.ofbiz.base.crypto;

	import java.io.UnsupportedEncodingException;
	import java.security.MessageDigest;
	import java.security.NoSuchAlgorithmException;
	import java.security.SecureRandom;
	import java.security.spec.InvalidKeySpecException;

	import javax.crypto.SecretKeyFactory;
	import javax.crypto.spec.PBEKeySpec;

	import org.apache.commons.codec.binary.Base64;
	import org.apache.commons.codec.binary.Hex;
	import org.apache.commons.lang.RandomStringUtils;
	import org.apache.ofbiz.base.util.Debug;
	import org.apache.ofbiz.base.util.GeneralRuntimeException;
	import org.apache.ofbiz.base.util.StringUtil;
	import org.apache.ofbiz.base.util.UtilIO;
	import org.apache.ofbiz.base.util.UtilProperties;
	import org.apache.ofbiz.base.util.UtilValidate;

	/**
	* Utility class for doing SHA-1/MD5/PBKDF2 One-Way Hash Encryption
	*
	*/
	public class HashCrypt {

	public static final String module = HashCrypt.class.getName();
	public static final String CRYPT_CHAR_SET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";

	private static final String PBKDF2_SHA1 ="PBKDF2-SHA1";
	private static final String PBKDF2_SHA256 ="PBKDF2-SHA256";
	private static final String PBKDF2_SHA384 ="PBKDF2-SHA384";
	private static final String PBKDF2_SHA512 ="PBKDF2-SHA512";
	private static final int PBKDF2_ITERATIONS = UtilProperties.getPropertyAsInteger("security.properties", "password.encrypt.pbkdf2.iterations", 10000);

	public static MessageDigest getMessageDigest(String type) {
	try {
	return MessageDigest.getInstance(type);
	} catch (NoSuchAlgorithmException e) {
	throw new GeneralRuntimeException("Could not load digestor(" + type + ")", e);
	}
	}

	public static boolean comparePassword(String crypted, String defaultCrypt, String password) {
	if (crypted.startsWith("{PBKDF2")) {
	return doComparePbkdf2(crypted, password);
	} else if (crypted.startsWith("{")) {
	// FIXME: should have been getBytes("UTF-8") originally
	return doCompareTypePrefix(crypted, defaultCrypt, password.getBytes());
	} else if (crypted.startsWith("$")) {
	return doComparePosix(crypted, defaultCrypt, password.getBytes(UtilIO.getUtf8()));
	} else {
	// FIXME: should have been getBytes("UTF-8") originally
	return doCompareBare(crypted, defaultCrypt, password.getBytes());
	}
	}

	private static boolean doCompareTypePrefix(String crypted, String defaultCrypt, byte[] bytes) {
	int typeEnd = crypted.indexOf("}");
	String hashType = crypted.substring(1, typeEnd);
	String hashed = crypted.substring(typeEnd + 1);
	MessageDigest messagedigest = getMessageDigest(hashType);
	messagedigest.update(bytes);
	byte[] digestBytes = messagedigest.digest();
	char[] digestChars = Hex.encodeHex(digestBytes);
	String checkCrypted = new String(digestChars);
	if (hashed.equals(checkCrypted)) {
	return true;
	}
	// This next block should be removed when all {prefix}oldFunnyHex are fixed.
	if (hashed.equals(oldFunnyHex(digestBytes))) {
	Debug.logWarning("Warning: detected oldFunnyHex password prefixed with a hashType; this is not valid, please update the value in the database with ({%s}%s)", module, hashType, checkCrypted);
	return true;
	}
	return false;
	}

	private static boolean doComparePosix(String crypted, String defaultCrypt, byte[] bytes) {
	int typeEnd = crypted.indexOf("$", 1);
	int saltEnd = crypted.indexOf("$", typeEnd + 1);
	String hashType = crypted.substring(1, typeEnd);
	String salt = crypted.substring(typeEnd + 1, saltEnd);
	String hashed = crypted.substring(saltEnd + 1);
	return hashed.equals(getCryptedBytes(hashType, salt, bytes));
	}

	private static boolean doCompareBare(String crypted, String defaultCrypt, byte[] bytes) {
	String hashType = defaultCrypt;
	String hashed = crypted;
	MessageDigest messagedigest = getMessageDigest(hashType);
	messagedigest.update(bytes);
	return hashed.equals(oldFunnyHex(messagedigest.digest()));
	}

	/*
	* @deprecated use cryptBytes(hashType, salt, password); eventually, use
	* cryptUTF8(hashType, salt, password) after all existing installs are
	* salt-based. If the call-site of cryptPassword is just used to create a new
	* value, then you can switch to cryptUTF8 directly.
	*/
	@Deprecated
	public static String cryptPassword(String hashType, String salt, String password) {
	if (hashType.startsWith("PBKDF2")) {
	return password != null ? pbkdf2HashCrypt(hashType, salt, password) : null;
	}
	// FIXME: should have been getBytes("UTF-8") originally
	return password != null ? cryptBytes(hashType, salt, password.getBytes()) : null;
	}

	public static String cryptUTF8(String hashType, String salt, String value) {
	if (hashType.startsWith("PBKDF2")) {
	return value != null ? pbkdf2HashCrypt(hashType, salt, value) : null;
	}
	return value != null ? cryptBytes(hashType, salt, value.getBytes(UtilIO.getUtf8())) : null;
	}

	public static String cryptValue(String hashType, String salt, String value) {
	if (hashType.startsWith("PBKDF2")) {
	return value != null ? pbkdf2HashCrypt(hashType, salt, value) : null;
	}
	return value != null ? cryptBytes(hashType, salt, value.getBytes()) : null;
	}

	public static String cryptBytes(String hashType, String salt, byte[] bytes) {
	if (hashType == null) {
	hashType = "SHA";
	}
	if (salt == null) {
	salt = RandomStringUtils.random(new SecureRandom().nextInt(15) + 1, CRYPT_CHAR_SET);
	}
	StringBuilder sb = new StringBuilder();
	sb.append("$").append(hashType).append("$").append(salt).append("$");
	sb.append(getCryptedBytes(hashType, salt, bytes));
	return sb.toString();
	}

	private static String getCryptedBytes(String hashType, String salt, byte[] bytes) {
	try {
	MessageDigest messagedigest = MessageDigest.getInstance(hashType);
	messagedigest.update(salt.getBytes(UtilIO.getUtf8()));
	messagedigest.update(bytes);
	return Base64.encodeBase64URLSafeString(messagedigest.digest()).replace('+', '.');
	} catch (NoSuchAlgorithmException e) {
	throw new GeneralRuntimeException("Error while comparing password", e);
	}
	}

	public static String pbkdf2HashCrypt(String hashType, String salt, String value){
	char[] chars = value.toCharArray();
	if (UtilValidate.isEmpty(salt)) {
	salt = getSalt();
	}
	try {
	PBEKeySpec spec = new PBEKeySpec(chars, salt.getBytes(UtilIO.getUtf8()), PBKDF2_ITERATIONS, 64 * 4);
	SecretKeyFactory skf = SecretKeyFactory.getInstance(hashType);
	byte[] hash = Base64.encodeBase64(skf.generateSecret(spec).getEncoded());
	String pbkdf2Type = null;
	switch (hashType) {
	case "PBKDF2WithHmacSHA1":
	pbkdf2Type = PBKDF2_SHA1;
	break;
	case "PBKDF2WithHmacSHA256":
	pbkdf2Type = PBKDF2_SHA256;
	break;
	case "PBKDF2WithHmacSHA384":
	pbkdf2Type = PBKDF2_SHA384;
	break;
	case "PBKDF2WithHmacSHA512":
	pbkdf2Type = PBKDF2_SHA512;
	break;
	default:
	pbkdf2Type = PBKDF2_SHA1;
	}
	StringBuilder sb = new StringBuilder();
	sb.append("{").append(pbkdf2Type).append("}");
	sb.append(PBKDF2_ITERATIONS).append("$");
	sb.append(org.apache.ofbiz.base.util.Base64.base64Encode(salt)).append("$");
	sb.append(new String(hash)).toString();
	return sb.toString();
	} catch (InvalidKeySpecException e) {
	throw new GeneralRuntimeException("Error while creating SecretKey", e);
	} catch (NoSuchAlgorithmException e) {
	throw new GeneralRuntimeException("Error while computing SecretKeyFactory", e);
	}
	}

	public static boolean doComparePbkdf2(String crypted, String password){
	try {
	int typeEnd = crypted.indexOf("}");
	String hashType = crypted.substring(1, typeEnd);
	String[] parts = crypted.split("\\$");
	int iterations = Integer.parseInt(parts[0].substring(typeEnd+1));
	byte[] salt = org.apache.ofbiz.base.util.Base64.base64Decode(parts[1]).getBytes();
	byte[] hash = Base64.decodeBase64(parts[2].getBytes());

	PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, hash.length * 8);
	switch (hashType.substring(hashType.indexOf("-")+1)) {
	case "SHA256":
	hashType = "PBKDF2WithHmacSHA256";
	break;
	case "SHA384":
	hashType = "PBKDF2WithHmacSHA384";
	break;
	case "SHA512":
	hashType = "PBKDF2WithHmacSHA512";
	break;
	default:
	hashType = "PBKDF2WithHmacSHA1";
	}
	SecretKeyFactory skf = SecretKeyFactory.getInstance(hashType);
	byte[] testHash = skf.generateSecret(spec).getEncoded();
	int diff = hash.length ^ testHash.length;

	for (int i = 0; i < hash.length && i < testHash.length; i++) {
	diff \|= hash[i] ^ testHash[i];
	}

	return diff == 0;
	} catch (NoSuchAlgorithmException e) {
	throw new GeneralRuntimeException("Error while computing SecretKeyFactory", e);
	} catch (InvalidKeySpecException e) {
	throw new GeneralRuntimeException("Error while creating SecretKey", e);
	}
	}

	private static String getSalt() {
	try {
	SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
	byte[] salt = new byte[16];
	sr.nextBytes(salt);
	return salt.toString();
	} catch (NoSuchAlgorithmException e) {
	throw new GeneralRuntimeException("Error while creating salt", e);
	}
	}

	/**
	* @deprecated use digestHash("SHA", null, str)
	*/
	@Deprecated
	public static String getDigestHash(String str) {
	return digestHash("SHA", null, str);
	}

	/**
	* @deprecated use digestHash(hashType, null, str))
	*/
	@Deprecated
	public static String getDigestHash(String str, String hashType) {
	return digestHash(hashType, null, str);
	}

	/**
	* @deprecated use digestHash(hashType, code, str);
	*/
	@Deprecated
	public static String getDigestHash(String str, String code, String hashType) {
	return digestHash(hashType, code, str);
	}

	public static String digestHash(String hashType, String code, String str) {
	if (str == null) return null;
	byte[] codeBytes;
	try {
	if (code == null) codeBytes = str.getBytes();
	else codeBytes = str.getBytes(code);
	} catch (UnsupportedEncodingException e) {
	throw new GeneralRuntimeException("Error while computing hash of type " + hashType, e);
	}
	return digestHash(hashType, codeBytes);
	}

	public static String digestHash(String hashType, byte[] bytes) {
	try {
	MessageDigest messagedigest = MessageDigest.getInstance(hashType);
	messagedigest.update(bytes);
	byte[] digestBytes = messagedigest.digest();
	char[] digestChars = Hex.encodeHex(digestBytes);

	StringBuilder sb = new StringBuilder();
	sb.append("{").append(hashType).append("}");
	sb.append(digestChars, 0, digestChars.length);
	return sb.toString();
	} catch (NoSuchAlgorithmException e) {
	throw new GeneralRuntimeException("Error while computing hash of type " + hashType, e);
	}
	}

	public static String digestHash64(String hashType, byte[] bytes) {
	if (hashType == null) {
	hashType = "SHA";
	}
	try {
	MessageDigest messagedigest = MessageDigest.getInstance(hashType);
	messagedigest.update(bytes);
	byte[] digestBytes = messagedigest.digest();

	StringBuilder sb = new StringBuilder();
	sb.append("{").append(hashType).append("}");
	sb.append(Base64.encodeBase64URLSafeString(digestBytes).replace('+', '.'));
	return sb.toString();
	} catch (NoSuchAlgorithmException e) {
	throw new GeneralRuntimeException("Error while computing hash of type " + hashType, e);
	}
	}

	/**
	* @deprecated use cryptPassword
	*/
	@Deprecated
	public static String getHashTypeFromPrefix(String hashString) {
	if (UtilValidate.isEmpty(hashString) \|\| hashString.charAt(0) != '{') {
	return null;
	}

	return hashString.substring(1, hashString.indexOf('}'));
	}

	/**
	* @deprecated use cryptPassword
	*/
	@Deprecated
	public static String removeHashTypePrefix(String hashString) {
	if (UtilValidate.isEmpty(hashString) \|\| hashString.charAt(0) != '{') {
	return hashString;
	}

	return hashString.substring(hashString.indexOf('}') + 1);
	}

	/**
	* @deprecated use digestHashOldFunnyHex(hashType, str)
	*/
	@Deprecated
	public static String getDigestHashOldFunnyHexEncode(String str, String hashType) {
	return digestHashOldFunnyHex(hashType, str);
	}

	public static String digestHashOldFunnyHex(String hashType, String str) {
	if (UtilValidate.isEmpty(hashType)) hashType = "SHA";
	if (str == null) return null;
	try {
	MessageDigest messagedigest = MessageDigest.getInstance(hashType);
	byte[] strBytes = str.getBytes();

	messagedigest.update(strBytes);
	return oldFunnyHex(messagedigest.digest());
	} catch (Exception e) {
	Debug.logError(e, "Error while computing hash of type " + hashType, module);
	}
	return str;
	}

	// This next block should be removed when all {prefix}oldFunnyHex are fixed.
	private static String oldFunnyHex(byte[] bytes) {
	int k = 0;
	char[] digestChars = new char[bytes.length * 2];
	for (int l = 0; l < bytes.length; l++) {
	int i1 = bytes[l];

	if (i1 < 0) {
	i1 = 127 + i1 * -1;
	}
	StringUtil.encodeInt(i1, k, digestChars);
	k += 2;
	}
	return new String(digestChars);
	}
	}