Class HexHashedVerifierGenerator


  • public class HexHashedVerifierGenerator
    extends Object
    Generates an SRP6 verifier. WARNING: Use the JavaScript client, not the Java client, to generate the verifier; see TestSRP6JavascriptClientSessionSHA256.js for an example. A valid use case for generating a verifier in server code is a user who has lost their password, where you generate a temporary password and verifier to email out to the client. You SHOULD avoid ever running this code against a real user password that has been transmitted to the server, because that transmission is exactly what SRP is designed to avoid.
    • Field Detail

      • config

        protected final com.nimbusds.srp6.SRP6CryptoParams config
    • Constructor Detail

      • HexHashedVerifierGenerator

        public HexHashedVerifierGenerator(String N,
                                          String g,
                                          String hashName)
        Parameters:
        N - The large safe prime in radix 10
        g - The safe prime generator in radix 10
        hashName - The name of the hashing algorithm e.g. SHA256
    • Method Detail

      • generateVerifier

        public String generateVerifier(String salt,
                                       String identity,
                                       String password)
        The browser computes the string-concatenation version of x = H(s | H(i | ":" | p)). The specification is RFC 5054, which we repeat here in order to be able to reset the password from a Java client.
        Parameters:
        salt - The random salt stored at user registration
        identity - The user's username
        password - The user's password. Note that this should only ever exist on Java clients and never be sent to the Java server.
        Returns:
        An SRP password verifier
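
The formula in the generateVerifier description, carried through for the temporary-password case named in the class description, as an added example that is not Thinbus code. The class and helper names, the sample identity and the small demo modulus are constructed for illustration, and the UTF-8/lowercase-hex encoding of the concatenated strings is an assumption, so the output is not guaranteed to match what HexHashedVerifierGenerator or the JavaScript client produce.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class TemporaryVerifierExample {
    // Constructed demo group in radix 10 (2^127 - 1, g = 2): far too small for real use.
    // Substitute the N and g that your server and clients are configured with.
    static final String N = "170141183460469231731687303715884105727";
    static final String G = "2";

    static String toHex(byte[] bytes) {
        return String.format("%0" + (bytes.length * 2) + "x", new BigInteger(1, bytes));
    }

    // Hash the UTF-8 bytes of a string and return the digest as lowercase hex (assumed encoding).
    static String hexHash(String hashName, String text) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(hashName);
        return toHex(md.digest(text.getBytes(StandardCharsets.UTF_8)));
    }

    // x = H(s | H(i | ":" | p)), where "|" is string concatenation rather than byte concatenation.
    static BigInteger privateKey(String hashName, String salt, String identity, String password)
            throws NoSuchAlgorithmException {
        String inner = hexHash(hashName, identity + ":" + password);
        return new BigInteger(hexHash(hashName, salt + inner), 16);
    }

    // v = g^x mod N, returned as a hex string.
    static String verifier(String n, String g, String hashName, String salt, String identity,
                           String password) throws NoSuchAlgorithmException {
        BigInteger x = privateKey(hashName, salt, identity, password);
        return new BigInteger(g).modPow(x, new BigInteger(n)).toString(16);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SecureRandom rng = new SecureRandom();
        byte[] pw = new byte[12], s = new byte[32];
        rng.nextBytes(pw);
        rng.nextBytes(s);
        String identity = "tom@example.com";   // constructed sample user
        String tempPassword = toHex(pw);       // generated on the server, never a user's real password
        String salt = toHex(s);                // fresh salt stored with the new verifier
        String v = verifier(N, G, "SHA-256", salt, identity, tempPassword);
        // Store salt and v for the identity; deliver tempPassword to the user, then discard it.
        System.out.println("salt=" + salt + "\nverifier=" + v);
    }
}
```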