<?php

// GIST shows how to validate a shiro1 password hash in Java. 
// The original mcf_string was created via the Shiro Command Liner Hasher: https://shiro.apache.org/command-line-hasher.html
// With these args: java -jar shiro-tools-hasher-1.3.2-cli.jar --algorithm SHA-512 --nogensalt --saltbytes <BASE64_ENCODED_SALT> --iterations 500000 --password Jenydoby6! 
// Extract the password hash. Below is an example hash

$mcf_string = '$shiro1$SHA-512$500000$ctYP52a2Sp2yIjzzlJAuPg==$ctZ4gQtNd7bKI0SWtktRAiP4Xzgk66sabg3pj0pQBmKZmgG7KAXZqAhBJJ3cCTqenfqi4LTgeZnh4waL6oMH+w==';

$parts = \explode('$', $mcf_string);

$iterations = $parts[3];
$b64_salt = $parts[4];
$b64_hash = $parts[5];

// Decode the b64 salt to get the salt byte array
$salt = \base64_decode($b64_salt);

// Have the user input a plaintext password. Below is an example password
$plaintext_password = 'Jenydoby6!';

// Hash with the salt one time
$hash = hash('sha512', $salt.$plaintext_password, $raw_output=true);

// Hash the above hash without the salt, up to the iteration count
for ($i=0; $i<$iterations-1; $i++) {
    $hash = hash('sha512', $hash, $raw_output=true);
}

// Base64 encode the resulting hash
$hash =	\base64_encode($hash);

echo("Original MCF hash: ".$b64_hash."\n");
echo("Created hash: ".$hash."\n");

if ($hash === $b64_hash) {
   echo "Success! Both hashes match!\n";
} else {
   echo "Passwords do not match.\n";
}

?>