@mdeggies
Created May 18, 2017 19:34
shiro1 password hash validation in PHP
<?php
// This gist shows how to validate a shiro1 password hash (Apache Shiro's Modular Crypt Format) in PHP.
// The original mcf_string was created via the Shiro Command Line Hasher: https://shiro.apache.org/command-line-hasher.html
// With these args: java -jar shiro-tools-hasher-1.3.2-cli.jar --algorithm SHA-512 --nogensalt --saltbytes <BASE64_ENCODED_SALT> --iterations 500000 --password Jenydoby6!
// Extract the password hash. Below is an example hash
$mcf_string = '$shiro1$SHA-512$500000$ctYP52a2Sp2yIjzzlJAuPg==$ctZ4gQtNd7bKI0SWtktRAiP4Xzgk66sabg3pj0pQBmKZmgG7KAXZqAhBJJ3cCTqenfqi4LTgeZnh4waL6oMH+w==';
// Layout: $shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 hash>
// The leading '$' makes $parts[0] an empty string, so the fields start at index 1.
$parts = \explode('$', $mcf_string);
if (\count($parts) !== 6 || $parts[1] !== 'shiro1') {
    die("Not a shiro1 MCF string.\n");
}
// Shiro uses JCA names such as "SHA-512"; PHP's hash() expects "sha512"
$algorithm = \strtolower(\str_replace('-', '', $parts[2]));
$iterations = (int) $parts[3];
$b64_salt = $parts[4];
$b64_hash = $parts[5];
// Decode the b64 salt to get the salt byte array
$salt = \base64_decode($b64_salt);
// Have the user input a plaintext password. Below is an example password
$plaintext_password = 'Jenydoby6!';
// Hash with the salt one time (Shiro digests salt followed by the password); true requests raw binary output
$hash = \hash($algorithm, $salt . $plaintext_password, true);
// Hash the above hash without the salt, up to the iteration count
for ($i = 0; $i < $iterations - 1; $i++) {
    $hash = \hash($algorithm, $hash, true);
}
// Base64 encode the resulting hash
$hash = \base64_encode($hash);
echo "Original MCF hash: " . $b64_hash . "\n";
echo "Created hash: " . $hash . "\n";
// hash_equals() compares in constant time, so a mismatch does not leak timing information
if (\hash_equals($b64_hash, $hash)) {
    echo "Success! Both hashes match!\n";
} else {
    echo "Passwords do not match.\n";
}
?>
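The same shiro1 verification as an added Python example (this is not part of the gist, and not Shiro's own code). It parses the MCF string, reproduces Shiro's SimpleHash iteration scheme (digest of salt followed by password, then re-digesting the raw output iterations-1 more times), and compares in constant time. It goes beyond the gist by reading the algorithm name from the string rather than hard-coding SHA-512, and by generating new shiro1 strings so the round trip can be checked with a constructed salt; the `ALGORITHMS` mapping and the `make_shiro1` helper are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os

# Map of Shiro's JCA algorithm names to hashlib names (assumption: Shiro emits
# the JCA name, e.g. "SHA-512", in the second MCF field).
ALGORITHMS = {"SHA-512": "sha512", "SHA-256": "sha256", "SHA-1": "sha1", "MD5": "md5"}

# The MCF string from the gist above, used only for the parsing demo.
GIST_MCF = (
    "$shiro1$SHA-512$500000$ctYP52a2Sp2yIjzzlJAuPg==$"
    "ctZ4gQtNd7bKI0SWtktRAiP4Xzgk66sabg3pj0pQBmKZmgG7KAXZqAhBJJ3cCTqenfqi4LTgeZnh4waL6oMH+w=="
)


def parse_shiro1(mcf_string):
    """Split '$shiro1$<alg>$<iterations>$<b64 salt>$<b64 hash>' into its fields."""
    parts = mcf_string.split("$")
    if len(parts) != 6 or parts[0] != "" or parts[1] != "shiro1":
        raise ValueError("not a shiro1 MCF string")
    _, _, algorithm, iterations, b64_salt, b64_hash = parts
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm %r" % algorithm)
    iterations = int(iterations)
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    return algorithm, iterations, base64.b64decode(b64_salt), base64.b64decode(b64_hash)


def shiro_hash(algorithm, iterations, salt, password):
    """Reproduce Shiro's SimpleHash: digest(salt || password), then digest the
    raw output again iterations-1 times (no salt on the later rounds)."""
    name = ALGORITHMS[algorithm]
    digest = hashlib.new(name, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(name, digest).digest()
    return digest


def verify(mcf_string, password):
    """Return True when password matches the stored shiro1 hash (constant-time compare)."""
    algorithm, iterations, salt, expected = parse_shiro1(mcf_string)
    computed = shiro_hash(algorithm, iterations, salt, password)
    return hmac.compare_digest(computed, expected)


def make_shiro1(password, algorithm="SHA-512", iterations=500000, salt=None):
    """Build a shiro1 MCF string; a random 16-byte salt is used unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = shiro_hash(algorithm, iterations, salt, password)
    return "$shiro1$%s$%d$%s$%s" % (
        algorithm,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


if __name__ == "__main__":
    algorithm, iterations, salt, stored = parse_shiro1(GIST_MCF)
    print("algorithm=%s iterations=%d salt=%d bytes hash=%d bytes"
          % (algorithm, iterations, len(salt), len(stored)))
    print("gist password verifies:", verify(GIST_MCF, "Jenydoby6!"))
    fresh = make_shiro1("Jenydoby6!", iterations=1000)
    print("round trip verifies:", verify(fresh, "Jenydoby6!"))
```

`hmac.compare_digest` plays the same role as PHP's `hash_equals`: the comparison takes the same time whether the digests differ in the first byte or the last. Parsing rejects anything that is not exactly six `$`-separated fields, so a stored value in another format fails closed instead of being hashed with a guessed scheme.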