php Question posted in
Official manual can be found here.

Shiro … how to reset a PW within a PHP application

we have an (old) Java Web-Application, using Shiro – works like a charm – since ages 😉

What we need is the possibility to "reset" an existing user PW from an PHP application (lets call it the "Admin-Tool").

As Shiro is using – in our case – sha-256 & 500000 rounds & a salt,
I thought i can use PHP’s crypt function, but …

./java -jar shiro-tools-hasher-1.4.0-RC2-cli.jar -ngs -s 1234567890123456 -d -p
        Password to hash:       <-- a
        
        $shiro1$SHA-256$500000$MTIzNDU2Nzg5MDEyMzQ1Ng==$le2T939sZTe4upbz0wct6NAjtxVmpM+Bl7UAoW+wJi4=

and with PHP’s crypt function

>>> crypt('a','$5$rounds=500000$1234567890123456$')
=> "$5$rounds=500000$1234567890123456$vx0mjR6hsoTYlO37/QObVyFIlVZ/ikTMIwyl/035wf."

(the first 5 – according to the docs – points to sha-256)

So,

 Shiro: le2T939sZTe4upbz0wct6NAjtxVmpM+Bl7UAoW+wJi4=
 crypt: vx0mjR6hsoTYlO37/QObVyFIlVZ/ikTMIwyl/035wf.

unfortunately they are different.

Question: what am i doing wrong? And even of more interest .. how to do it the correct way?

Thank you.

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    guess i found a solution, unfortunately without iterations, but should do the job at least for now ...

    Shiro Hasher:

    ./shiro-tools-hasher>java -jar shiro-tools-hasher-1.4.0-RC2-cli.jar -ngs -s 1234567890123456  -d -p -i 1
Password to hash:       <- a

$shiro1$SHA-256$1$MTIzNDU2Nzg5MDEyMzQ1Ng==$f2LomMDO1Ya3GxQfMdBWSULYfCyR+5lvkPpkRLnNals=

    same with PHP

    >>> base64_encode(hash('sha256', '1234567890123456'.'a', true))         <- salt and PW have to be concatenated
=> "f2LomMDO1Ya3GxQfMdBWSULYfCyR+5lvkPpkRLnNals="

    and the shiro-salt in php =>

    >>> base64_encode("1234567890123456")
=> "MTIzNDU2Nzg5MDEyMzQ1Ng=="

  2. 0

    … and now even with (the formerly missing) iterations, a PHP function and a few test …

    main.php

    <?php

    require_once 'shiro.php';

    $plain_text_pw = 'maxxmaxx';
    $salt = '1234567890123457';
    $number_of_iterations = 500;

    $secret = shiro_hasher($plain_text_pw, $salt, $number_of_iterations);

    echo $secret;

?>

    shiro.php

    <?php

    function shiro_hasher($plainTextPw, $salt, $numberOfIterations) {

        $actualHash = hash('sha256', $salt.$plainTextPw, true);     // in the first round, we prefix the PW with the salt (but only once)

        $actualIterations = 1;

        while ($actualIterations < $numberOfIterations) {
            $actualHash = hash('sha256', $actualHash, true);        // in further iterations we just hash the hash
            $actualIterations++;
        }

        return base64_encode($actualHash);                          // in the end, we output the hashed hash as base64-string
    }

    function shiro_string($plainTextPw, $salt, $numberOfIterations) {

        $shiro_prefix = '$shiro1$SHA-256';

        $pw_hash = shiro_hasher($plainTextPw, $salt, $numberOfIterations);

        $salt_base64 = base64_encode($salt);

        return $shiro_prefix."$".$numberOfIterations."$".$salt_base64."$".$pw_hash;

    }

?>

    tests.php

    <?php

    require_once 'shiro.php';

    /*

    ./java -jar shiro-tools-hasher-1.4.0-RC2-cli.jar -ngs -s 1234567890123456  -d -p -i 1
    Password to hash: a
    $shiro1$SHA-256$1$MTIzNDU2Nzg5MDEyMzQ1Ng==$f2LomMDO1Ya3GxQfMdBWSULYfCyR+5lvkPpkRLnNals=

    */

    $plain_text_pw = 'a';
    $salt = '1234567890123456';
    $number_of_iterations = 1;

    $secret = shiro_hasher($plain_text_pw, $salt, $number_of_iterations);
    $complete_line = shiro_string($plain_text_pw, $salt, $number_of_iterations);

    assert($secret == 'f2LomMDO1Ya3GxQfMdBWSULYfCyR+5lvkPpkRLnNals=', 'wtf!');
    assert($complete_line == '$shiro1$SHA-256$1$MTIzNDU2Nzg5MDEyMzQ1Ng==$f2LomMDO1Ya3GxQfMdBWSULYfCyR+5lvkPpkRLnNals=');

    // -------------------------------------------------------------------------------------

    /*

    ./java -jar shiro-tools-hasher-1.4.0-RC2-cli.jar -ngs -s 1234567890123456  -d -p -i 2
    Password to hash: a
    $shiro1$SHA-256$2$MTIzNDU2Nzg5MDEyMzQ1Ng==$PTE/22Yoh3hRmUSTUo/mAVwF21dqKosS7ZDHkjC4xyI=

    */

    $plain_text_pw = 'a';
    $salt = '1234567890123456';
    $number_of_iterations = 2;

    $secret = shiro_hasher($plain_text_pw, $salt, $number_of_iterations);
    $complete_line = shiro_string($plain_text_pw, $salt, $number_of_iterations);

    assert($secret == 'PTE/22Yoh3hRmUSTUo/mAVwF21dqKosS7ZDHkjC4xyI=', 'wtf!');
    assert($complete_line == '$shiro1$SHA-256$2$MTIzNDU2Nzg5MDEyMzQ1Ng==$PTE/22Yoh3hRmUSTUo/mAVwF21dqKosS7ZDHkjC4xyI=');

    // -------------------------------------------------------------------------------------

    /*

    ./java -jar shiro-tools-hasher-1.4.0-RC2-cli.jar -ngs -s 1234567890123457  -d -p -i 500
    Password to hash: SuperSecret!
    $shiro1$SHA-256$500$MTIzNDU2Nzg5MDEyMzQ1Nw==$BluUYz+bNApB41hN8Ar7A0iKq3pFBs8m2Onuz3ftw+c=

    */

    $plain_text_pw = 'SuperSecret!';
    $salt = '1234567890123457';
    $number_of_iterations = 500;

    $secret = shiro_hasher($plain_text_pw, $salt, $number_of_iterations);
    $complete_line = shiro_string($plain_text_pw, $salt, $number_of_iterations);

    assert($secret == 'BluUYz+bNApB41hN8Ar7A0iKq3pFBs8m2Onuz3ftw+c=', 'wtf!');
    assert($complete_line == '$shiro1$SHA-256$500$MTIzNDU2Nzg5MDEyMzQ1Nw==$BluUYz+bNApB41hN8Ar7A0iKq3pFBs8m2Onuz3ftw+c=');

?>
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search