Java计算字符串SHA-1摘要的十六进制表示

使用apache common codec库：

DigestUtils.sha1Hex("aff")

出现这种情况，是因为cript.digest()返回一个字节数组，你试图将其作为字符字符串输出。你需要将其转换为可打印的十六进制字符串。

简单的解决方案：使用Apache的commons-codec库：

String password = new String(Hex.encodeHex(cript.digest()),
                             CharSet.forName("UTF-8"));

一个哈希算法的迭代不够安全。它运行得太快了。您需要通过多次迭代哈希来执行密钥强化。

此外，您没有对密码进行盐值处理。这会导致预先计算字典（如“彩虹表”）的漏洞。

与其尝试编写自己的代码（或使用一些可疑的第三方软件）来正确执行此操作，不如使用 Java 运行时中内置的代码。有关详细信息，请参见此答案。

一旦正确地对密码进行了哈希，您将拥有一个 byte[]。将其转换为十六进制 String 的简单方法是使用 BigInteger 类：

String passwordHash = new BigInteger(1, cript.digest()).toString(16);

如果您想确保字符串始终具有40个字符，则可能需要在左侧使用零进行一些填充（可以使用String.format()来完成此操作）。

如果您不想向您的项目添加任何额外的依赖项，您也可以使用

MessageDigest digest = MessageDigest.getInstance("SHA-1");
digest.update(message.getBytes("utf8"));
byte[] digestBytes = digest.digest();
String digestStr = javax.xml.bind.DatatypeConverter.printHexBinary(digestBytes);

crypt.digest()方法返回一个byte[]。这个byte数组是正确的SHA-1摘要，但是加密哈希通常以十六进制形式显示给人类。你哈希中的每个字节将导致两个十六进制数字。

为了安全地将字节转换为十六进制，请使用以下方法：

// %1$ == arg 1
// 02  == pad with 0's
// x   == convert to hex
String hex = String.format("%1$02x", byteValue);

这段代码片段可用于将字符转换为十六进制：

/*
 * Copyright (c) 1995, 2008, Oracle and/or its affiliates. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *   - Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *
 *   - Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *
 *   - Neither the name of Oracle or the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */ 
import java.io.*;

public class UnicodeFormatter  {

   static public String byteToHex(byte b) {
      // Returns hex String representation of byte b
      char hexDigit[] = {
         '0', '1', '2', '3', '4', '5', '6', '7',
         '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
      };
      char[] array = { hexDigit[(b >> 4) & 0x0f], hexDigit[b & 0x0f] };
      return new String(array);
   }

   static public String charToHex(char c) {
      // Returns hex String representation of char c
      byte hi = (byte) (c >>> 8);
      byte lo = (byte) (c & 0xff);
      return byteToHex(hi) + byteToHex(lo);
   }
}

<dependency>
   <artifactId>guava</artifactId>
   <groupId>com.google.guava</groupId>
   <version>14.0.1</version>
</dependency>

样例：

HashCode hashCode = Hashing.sha1().newHasher()
   .putString(password, Charsets.UTF_8)
   .hash();            

String hash = BaseEncoding.base16().lowerCase().encode(hashCode.asBytes());

MessageDigestPasswordEncoder encoder = new MessageDigestPasswordEncoder("SHA-1");
String hash = encoder.encodePassword(password, "salt goes here");

1. 进行多轮加密，以使暴力破解攻击变得更慢
2. 使用每个记录的“盐”作为哈希算法的输入，除了密码之外，使字典攻击变得不太可行，并避免输出冲突。
3. 使用“pepper”，即应用程序配置设置作为哈希算法的输入，使具有未知“pepper”的窃取数据库转储无用。
4. 填充输入以避免某些哈希算法中的弱点，例如，在不知道密码的情况下附加字符到密码中，通过修改哈希来实现。

有关更多信息，请参见：

• https://password-hashing.net/
• http://en.wikipedia.org/wiki/Category:Key_derivation_functions
• http://en.wikipedia.org/wiki/PBKDF2
• http://en.wikipedia.org/wiki/Scrypt

var cript = MessageDigest.getInstance("sha1");
var hexformat = HexFormat.of();
this.password = hexformat.formatHex(cript.digest(userPass.getBytes(StandardCharsets.UTF_8)))

        MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
        messageDigest.reset();
        messageDigest.update(password.getBytes("UTF-8"));
        String sha1String = new BigInteger(1, messageDigest.digest()).toString(16);