4

I would like to have a piece of code that is able to check if a given password matches the one stored in the Crowd cwd_user table.

The passwords in that table start with "{PKCS5S2}..." and I found in the link below that Crowd is using the PBKDF2 algorithm:

The default is "Atlassian Security", which is currently a dumb wrapper around Bouncy Castle's implementation of PKCS 5 version 2 (aka PBKDF2), using a random 16 byte salt, 10,000 iterations, and generating a 256-bit hash as the final output

https://answers.atlassian.com/questions/235858/password-security

Is anybody able to provide me with a method I can use to match that password?

For example, if I create a user "toto" with password "1234", I get the following row in my database:

user_name     credential                                                                
------------- ------------------------------------------------------------------------- 
toto          {PKCS5S2}m+u8ed1RKRew3jjHPilZw0ICL6BG/qyeN+kVRRS9nsO+VK7Q5I0vCK3gLvCFWC3n 

I would like a method such that:

public String getHash(String rawPassword){
    // ?????
}

where

getHash("1234") returns "{PKCS5S2}m+u8ed1RKRew3jjHPilZw0ICL6BG/qyeN+kVRRS9nsO+VK7Q5I0vCK3gLvCFWC3n" 
Kara
Asterius
  • Related: [`passlib.hash.atlassian_pbkdf2_sha1` - Atlassian’s PBKDF2-based Hash](https://passlib.readthedocs.io/en/stable/lib/passlib.hash.atlassian_pbkdf2_sha1.html). – kenorb Sep 23 '19 at 16:34

1 Answer

4

As a Crowd customer, you have access to the class AtlassianSecurityPasswordEncoder which is exactly that.

The underlying encoder chooses a random salt, ignoring the one passed in, so encodePassword won't give you the same hash each time. Use isPasswordValid to confirm that the password and hash match.

Joe
    This solution works. In addition to this post, I had to add the maven artifact dependency "crowd-password-encoders". Simply using new AtlassianSecurityPasswordEncoder().isPasswordValid("{PKCS5S2}m+u8ed1RKRew3jjHPilZw0ICL6BG/qyeN+kVRRS9nsO+VK7Q5I0vCK3gLvCFWC3n","1234",null) does the trick. – Asterius Oct 08 '14 at 08:58
  • See a full code sample here: https://bitbucket.org/caspar-atlassian/crowd-password-encoder-sample-app/overview – Asterius Oct 08 '14 at 08:59
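For readers who cannot pull in the Crowd encoder classes, here is an added Python verification routine (not Crowd's or Atlassian's own code) that implements the scheme as the question quotes it: PBKDF2, random 16-byte salt, 10,000 iterations, 256-bit output, base64 of the salt followed by the derived key behind the {PKCS5S2} prefix. It assumes, following the passlib atlassian_pbkdf2_sha1 page linked in the comments, that the PRF is HMAC-SHA1 and that the salt precedes the derived key; it can be checked against the "toto"/"1234" row from the question.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters as described on the page (PBKDF2, random 16-byte salt, 10,000
# iterations, 256-bit output). HMAC-SHA1 as the PRF and the salt || key layout
# are assumptions taken from passlib's atlassian_pbkdf2_sha1 description.
PREFIX = "{PKCS5S2}"
SALT_LEN = 16
ITERATIONS = 10_000
KEY_LEN = 32  # 256 bits

# The credential row from the question (user "toto", password "1234").
PAGE_HASH = "{PKCS5S2}m+u8ed1RKRew3jjHPilZw0ICL6BG/qyeN+kVRRS9nsO+VK7Q5I0vCK3gLvCFWC3n"


def parse_credential(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a stored credential into (salt, derived_key); None if malformed."""
    if not stored.startswith(PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) != SALT_LEN + KEY_LEN:
        return None
    return raw[:SALT_LEN], raw[SALT_LEN:]


def encode_password(password: str, salt: Optional[bytes] = None) -> str:
    """Build a credential; a fresh random salt is drawn unless one is given
    (a fixed salt is only useful for reproducing a known row, as in tests)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN)
    return PREFIX + base64.b64encode(salt + dk).decode("ascii")


def is_password_valid(stored: str, password: str) -> bool:
    """Recompute PBKDF2 with the stored salt and compare in constant time.
    Malformed credentials fail verification instead of raising."""
    parsed = parse_credential(stored)
    if parsed is None:
        return False
    salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN)
    return hmac.compare_digest(actual, expected)
```

Because each call to encode_password draws a new salt, two encodings of the same password differ, which is why the answer recommends comparing with isPasswordValid rather than re-encoding and comparing strings.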