How to port ASP.NET Identity users to Java Servlets

Question

I have a website that I am trying to port from Asp.NET to Java Servlets and need to port the AspNetUsers table.

I need to know the algorithm that Asp.NET identity uses to hash passwords so I can verify old users' passwords and create new hashes for new users in Java.

I know that Asp.NET uses a SHA-1 algorithm that I can replicate with ApacheCommons DigestUtils class, but I do not know the salt that Asp.NET uses so I can't verify passwords.

I can take an algorithm explanation but exact code would be better.

[this](https://stackoverflow.com/questions/19957176/asp-net-identity-password-hashing/21496255#21496255) might help — Jimenemex, Jan 02 '19 at 21:59

Heng Ye · Accepted Answer · 2019-12-14T16:55:18.960

I viewed the page mentioned by Jimenemex above, I found that Identity uses the method Rfc2898DeriveBytes to generate the salt. I can now use this library for Java to generate the hash.

Ported code:

public static String hashPassword(String password) throws InvalidKeyException, NoSuchAlgorithmException, UnsupportedEncodingException {
    byte[] salt;
    byte[] buffer2;
    if (password == null)
        throw new IllegalArgumentException("password");
    Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password,new byte[0x10],0x3e8);
    salt = bytes.getSalt();
    buffer2 = bytes.getBytes(0x20);
    byte[] dst = new byte[0x31];
    System.arraycopy(salt, 0, dst, 1, 0x10);
    System.arraycopy(buffer2, 0, dst, 0x11, 0x20);
    return Base64.encodeBase64String(dst);

}
public static boolean verifyHashedPassword(String hashedPassword, String password) throws InvalidKeyException, NoSuchAlgorithmException, UnsupportedEncodingException {
    byte[] buffer4;
    if (hashedPassword == null)
        return false;
    if (password == null)
        throw new IllegalArgumentException("password");
    byte[] src = Base64.decodeBase64(hashedPassword);
    if ((src.length != 0x31) || (src[0] != 0))
       return false;
    byte[] dst = new byte[0x10];
    System.arraycopy(src, 1, dst, 0, 0x10);
    byte[] buffer3 = new byte[0x20];
    System.arraycopy(src, 0x11, buffer3, 0, 0x20);
    Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password,dst,0x3e8);
    buffer4 = bytes.getBytes(0x20);
    return Arrays.equals(buffer3, buffer4);



}

(RFC2898DeriveBytes class is from the above mentioned library)

could you please share your implementation, i got stuck at same place. — noman404, Nov 29 '19 at 01:43

How to port ASP.NET Identity users to Java Servlets

1 Answers1