Compare the credentials.
We have at least 8 schemes for storing the password :
- SHA
- SSHA (salted SHA)
- SHA-2 (256, 384 and 512, and their salted versions)
- MD5
- SMD5 (salted MD5)
- PKCS5S2 (PBKDF2)
- crypt (unix crypt)
- plain text, i.e. no hashing at all.
If we get a hashed password, it is prefixed by the scheme used, between
curly braces : {SSHA}password ...
If the password is using SSHA, SMD5 or crypt, a 'salt' is stored together with the hash :
- for SSHA the salt is the length(password) - 20 bytes that follow the 20-byte SHA-1 digest, i.e. it starts at the 21st position
- for SMD5 the salt is the length(password) - 16 bytes that follow the 16-byte MD5 digest, i.e. it starts at the 17th position
- for crypt the salt is the first 2 characters, and the hash is the remaining length(password) - 2 characters, starting at the 3rd position
The salted SHA-2 variants use the same layout as SSHA, with a 32, 48 or 64 byte digest in front of the salt.
For (S)SHA, the (S)SHA-2 variants and (S)MD5, we have to decode the stored value from Base64 text
to a byte[] before comparing it with the digest computed over the candidate password (plus the salt, if any).
For PKCS5S2 the salt is stored at the beginning of the (decoded) password, in front of the derived key.
For crypt, we only have to separate the 2-character salt from the hash and hand that salt to crypt().
At the end, we use the digest() method for (S)SHA, (S)SHA-2 and (S)MD5, the crypt() method for
the CRYPT scheme and a straight comparison for PLAIN TEXT passwords.
The stored password is always handled in its unsalted form (the salt, when present, having been
split off as described above) and is kept as a byte array. The final comparison should be done in
constant time over the whole digest, so that a byte-by-byte check does not leak how many leading bytes matched.
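As an added example (this is not part of the original comment, nor code from the project it documents), the following Python implements the comparison described above for every scheme listed: it parses the {SCHEME} prefix, Base64-decodes the digest schemes, splits the salt from after the digest (SSHA, SMD5 and the salted SHA-2 variants) or from in front of the hash (crypt, PKCS5S2), recomputes the hash over the candidate and compares in constant time. The PKCS5S2 parameters (16-byte salt stored first, PBKDF2-HMAC-SHA1, 10000 iterations, 32-byte key), the salt lengths picked by encode_password and all function names are assumptions of this example; encode_password exists only to build values to check against.

```python
import base64
import hashlib
import hmac
import os

try:
    import crypt  # deprecated in Python 3.11, removed in 3.13: {CRYPT} is then unsupported
except ImportError:
    crypt = None

# scheme prefix -> (hashlib digest name, is the salt appended after the digest?)
DIGEST_SCHEMES = {
    "SHA": ("sha1", False),       "SSHA": ("sha1", True),
    "MD5": ("md5", False),        "SMD5": ("md5", True),
    "SHA-256": ("sha256", False), "SSHA-256": ("sha256", True),
    "SHA-384": ("sha384", False), "SSHA-384": ("sha384", True),
    "SHA-512": ("sha512", False), "SSHA-512": ("sha512", True),
}
# Assumed PKCS5S2 layout: base64( salt[16] || PBKDF2-HMAC-SHA1(password, salt, 10000, 32 bytes) )
PKCS5S2_SALT_LEN = 16
PKCS5S2_KEY_LEN = 32
PKCS5S2_ITERATIONS = 10000


def split_scheme(stored: bytes):
    """Split b'{SCHEME}payload' into ('SCHEME', payload); no prefix means plain text."""
    if stored.startswith(b"{"):
        end = stored.find(b"}")
        if end > 1:
            return stored[1:end].decode("ascii").upper(), stored[end + 1:]
    return "PLAIN", stored


def crypt_available() -> bool:
    """True when the legacy 2-character-salt crypt() needed for {CRYPT} exists here."""
    return crypt is not None and crypt.METHOD_CRYPT in crypt.methods


def encode_password(scheme: str, password: bytes, salt: bytes = None) -> bytes:
    """Build a stored value in the layout check_password() parses (used for test data)."""
    scheme = scheme.upper()
    if scheme == "PLAIN":
        return password
    if scheme == "CRYPT":
        if not crypt_available():
            raise NotImplementedError("crypt() not available on this interpreter")
        text_salt = salt.decode("ascii") if salt else crypt.mksalt(crypt.METHOD_CRYPT)
        return b"{CRYPT}" + crypt.crypt(password.decode("utf-8"), text_salt).encode("ascii")
    if scheme == "PKCS5S2":
        salt = salt or os.urandom(PKCS5S2_SALT_LEN)
        key = hashlib.pbkdf2_hmac("sha1", password, salt, PKCS5S2_ITERATIONS, PKCS5S2_KEY_LEN)
        return b"{PKCS5S2}" + base64.b64encode(salt + key)   # salt first, then the key
    name, salted = DIGEST_SCHEMES[scheme]
    if salted:
        salt = salt or os.urandom(8)
        blob = hashlib.new(name, password + salt).digest() + salt   # digest first, then salt
    else:
        blob = hashlib.new(name, password).digest()
    return b"{" + scheme.encode("ascii") + b"}" + base64.b64encode(blob)


def check_password(candidate: bytes, stored: bytes) -> bool:
    """Return True if the clear-text candidate matches the stored value, else False."""
    scheme, payload = split_scheme(stored)
    if scheme == "PLAIN":
        return hmac.compare_digest(candidate, payload)
    if scheme == "CRYPT":
        if not crypt_available():
            raise NotImplementedError("crypt() not available on this interpreter")
        text = payload.decode("ascii")
        # the salt is the first two characters; the hash starts at the 3rd position
        return hmac.compare_digest(crypt.crypt(candidate.decode("utf-8"), text[:2]), text)
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:          # binascii.Error is a ValueError: corrupt stored value
        return False
    if scheme == "PKCS5S2":
        salt, expected = raw[:PKCS5S2_SALT_LEN], raw[PKCS5S2_SALT_LEN:]
        if len(expected) != PKCS5S2_KEY_LEN:
            return False
        computed = hashlib.pbkdf2_hmac("sha1", candidate, salt, PKCS5S2_ITERATIONS, PKCS5S2_KEY_LEN)
        return hmac.compare_digest(computed, expected)
    if scheme not in DIGEST_SCHEMES:
        return False            # unknown scheme: fail closed, never fall back to plain text
    name, salted = DIGEST_SCHEMES[scheme]
    n = hashlib.new(name).digest_size
    expected, salt = raw[:n], raw[n:]   # the salt (if any) is everything after the digest
    if len(expected) != n or (salt and not salted):
        return False
    computed = hashlib.new(name, candidate + salt).digest()
    return hmac.compare_digest(computed, expected)


if __name__ == "__main__":
    for scheme in ("PLAIN", "SHA", "SSHA", "SMD5", "SSHA-256", "PKCS5S2"):
        stored = encode_password(scheme, b"correct horse")
        print(scheme, stored, check_password(b"correct horse", stored), check_password(b"wrong", stored))
```

Two choices worth noting: an unsalted scheme whose decoded value carries extra trailing bytes is rejected rather than silently treated as a salt, and an unknown prefix fails closed instead of being compared as plain text, which is how an attacker-controlled stored value could otherwise bypass hashing.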