How can I generate an MD5 hash in Java?
MD5 might be unsafe as a one-way security feature, but it is still good for generic checksum applications.
34 Answers 34
The MessageDigest class can provide you with an instance of the MD5 digest.
When working with strings and the crypto classes be sure to always specify the encoding you want the byte representation in. If you just use string.getBytes() it will use the platform default. (Not all platforms use the same defaults)
import java.security.*; .. byte[] bytesOfMessage = yourString.getBytes("UTF-8"); MessageDigest md = MessageDigest.getInstance("MD5"); byte[] theMD5digest = md.digest(bytesOfMessage); If you have a lot of data take a look at the .update(xxx) methods which can be called repeatedly. Then call .digest() to obtain the resulting hash.
“LATIN1” != “ASCII” (or “US-ASCII”). ASCII is a 7-bit character set, Latin1 is an 8-bit character set. They are not the same.
Better yet, where possible use yourString.getBytes(StandardCharsets.UTF_8) . This prevents handling an UnsupportedEncodingException .
Call MessageDigest.getInstance(«MD5») to get a MD5 instance of MessageDigest you can use.
The compute the hash by doing one of:
- Feed the entire input as a byte[] and calculate the hash in one operation with md.digest(bytes) .
- Feed the MessageDigest one byte[] chunk at a time by calling md.update(bytes) . When you’re done adding input bytes, calculate the hash with md.digest() .
The byte[] returned by md.digest() is the MD5 hash.
One thing that’s not mentioned here, and caught me by surprise. The MessageDigest classes are NOT thread safe. If they’re going to be used by different threads, just create a new one, instead of trying to reuse them.
It uses multiple methods to mutate its internal state. How can the lack of thread safety be surprising at all?
@DanBarowy well, you are mutating it (i.e. calling methods that do not return values but cause other methods to return different values) so until proven otherwise you should always assume that it’s not thread-safe to do so.
@Traubenfuchs MessageDigest allows you to input the data in chunks. That wouldn’t be possible with a static method. Although you can argue they should have added one anyway for convenience when you can pass all the data at once.
If you actually want the answer back as a string as opposed to a byte array, you could always do something like this:
String plaintext = "your text here"; MessageDigest m = MessageDigest.getInstance("MD5"); m.reset(); m.update(plaintext.getBytes()); byte[] digest = m.digest(); BigInteger bigInt = new BigInteger(1,digest); String hashtext = bigInt.toString(16); // Now we need to zero pad it if you actually want the full 32 chars. while(hashtext.length() @BalusC: Not true, the BigInteger.toString method will return the full number in the base specified. 0x0606 will be printed as 606, just trailing zeros are omitted,
Minor nitpick: m.reset() isn’t necessary right after calling getInstance. More minor: ‘your text here’ requires double-quotes.
From Java 11 on, you can use hashtext = «0».repeat(32 — hashtext.length()) + hashtext instead of the while , so the editors won’t give you a warning that you’re doing string concatenation inside a loop.
Instead of m.update(plaintext.getBytes()); I would recommend specifying the encoding. such as m.update(plaintext.getBytes(«UTF-8»)); getBytes() does not guarantee the encoding and may vary from system to system which may result in different MD5 results between systems for the same String.
You might also want to look at the DigestUtils class of the apache commons codec project, which provides very convenient methods to create MD5 or SHA digests.
In particular, the methods which return «safe» encoded representations of the byte data in string form.
However there is no easy way to get the DigestUtils class into your project without adding a ton of libs, or porting the class «per hand» which requires at least two more classes.
Should be in the central Maven repositories, unless I’m going crazy: groupId=commons-codec artifactId=commons-codec version=1.5
public String MD5(String md5) < try < java.security.MessageDigest md = java.security.MessageDigest.getInstance("MD5"); byte[] array = md.digest(md5.getBytes()); StringBuffer sb = new StringBuffer(); for (int i = 0; i < array.length; ++i) < sb.append(Integer.toHexString((array[i] & 0xFF) | 0x100).substring(1,3)); >return sb.toString(); > catch (java.security.NoSuchAlgorithmException e) < >return null; > on the site below, I take no credit for it, but its a solution that works! For me lots of other code didnt work properly, I ended up missing 0s in the hash. This one seems to be the same as PHP has. source: http://m2tec.be/blog/2010/02/03/java-md5-hex-0093
You should specify the encoding to be used in getBytes() , otherwise your code will get different results on different platforms/user settings.
@PaŭloEbermann does MessageDigest.getInstance(«MD5»); not enough? I tried to add «MD5» in getBytes() but it returned an error
@BlazeTama «MD5» is not an encoding, it is a message digest algorithm (and not one which should be used in new applications). An encoding is an algorithm pair which transforms bytes to strings and strings to bytes. An example would be «UTF-8», «US-ASCII», «ISO-8859-1», «UTF-16BE», and similar. Use the same encoding as every other party which calculates a hash of this string, otherwise you’ll get different results.
For an example of the character set. (use UTF-8, that is the best and most compatible in my opinion). byte[] array = md.digest(md5.getBytes(Charset.forName(«UTF-8»)));
Since its not my solution, and I didnt test all scenarios myself, I will leave it unchanged, although I think specifiying encoding etc is probably a good idea.
final MessageDigest messageDigest = MessageDigest.getInstance("MD5"); messageDigest.reset(); messageDigest.update(string.getBytes(Charset.forName("UTF8"))); final byte[] resultByte = messageDigest.digest(); final String result = new String(Hex.encodeHex(resultByte)); where Hex is: org.apache.commons.codec.binary.Hex from the Apache Commons project.
I’ve found this to be the most clear and concise way to do it:
MessageDigest md5 = MessageDigest.getInstance("MD5"); md5.update(StandardCharsets.UTF_8.encode(string)); return String.format("%032x", new BigInteger(1, md5.digest())); Beware this won’t work for Android if you’re using API level < 19, but you just need to change the second line with md5.update(string.getBytes("UTF-8")); This will add yet another checked exception to handle, though.
I just downloaded commons-codec.jar and got perfect php like md5. Here is manual.
Just import it to your project and use
String Url = "your_url"; System.out.println( DigestUtils.md5Hex( Url ) ); This is the method that provides the same return value as the MySQL function md5(str). A lot of the other answers did return other values.
This doesn’t work right on Android because Android bundles commons-codec 1.2, for which you need this workaround: stackoverflow.com/a/9284092/2413303
No need to make it too complicated.
DigestUtils works fine and makes you comfortable while working with md5 hashes.
Either you can use any other encryption methods such as sha or md .
Found this solution which is much cleaner in terms of getting a String representation back from an MD5 hash.
import java.security.*; import java.math.*; public class MD5 < public static void main(String args[]) throws Exception< String s="This is a test"; MessageDigest m=MessageDigest.getInstance("MD5"); m.update(s.getBytes(),0,s.length()); System.out.println("MD5: "+new BigInteger(1,m.digest()).toString(16)); >> The code was extracted from here.
I just found out that in some cases this only generates 31 characters long MD5 sum, not 32 as it should be
@kovica this is because, the starting zeros get truncated if I remember right.. String.format(«%032x», new BigInteger(1, hash)); This should solve this. ‘hash’ is the byte[] of the hash.
import javax.xml.bind.DatatypeConverter; String hash = DatatypeConverter.printHexBinary( MessageDigest.getInstance("MD5").digest("SOMESTRING".getBytes("UTF-8"))); Unless I’m mistaken this returns always in uppercase which will not align with md5’s made without using hex. Not even really sure it is a true md5
Another option is to use the Guava Hashing methods:
Hasher hasher = Hashing.md5().newHasher(); hasher.putString("my string"); byte[] md5 = hasher.hash().asBytes(); Handy if you are already using Guava (which if you’re not, you probably should be).
@KurtAlfredKluever don’t forget to insert the charset like ‘Hashing.md5().hashString(«my string», Charsets.UTF_8).asBytes()’
I have a Class (Hash) to convert plain text in hash in formats: md5 or sha1, simillar that php functions (md5, sha1):
public class Hash < /** * * @param txt, text in plain format * @param hashType MD5 OR SHA1 * @return hash in hashType */ public static String getHash(String txt, String hashType) < try < java.security.MessageDigest md = java.security.MessageDigest.getInstance(hashType); byte[] array = md.digest(txt.getBytes()); StringBuffer sb = new StringBuffer(); for (int i = 0; i < array.length; ++i) < sb.append(Integer.toHexString((array[i] & 0xFF) | 0x100).substring(1,3)); >return sb.toString(); > catch (java.security.NoSuchAlgorithmException e) < //error action >return null; > public static String md5(String txt) < return Hash.getHash(txt, "MD5"); >public static String sha1(String txt) < return Hash.getHash(txt, "SHA1"); >> Testing with JUnit and PHP
PHP Script:
Output PHP script:
MD5 :b10a8db164e0754105b7a99be72e3fe5 SHA1:0a4d55a8d778e5022fab701977c5d840bbc486d0 Using example and Testing with JUnit:
Code in GitHub
My not very revealing answer:
private String md5(String s) < try < MessageDigest m = MessageDigest.getInstance("MD5"); m.update(s.getBytes(), 0, s.length()); BigInteger i = new BigInteger(1,m.digest()); return String.format("%1$032x", i); >catch (NoSuchAlgorithmException e) < e.printStackTrace(); >return null; > There is a DigestUtils class in Spring also:
This class contains the method md5DigestAsHex() that does the job.
BTW: The performance of this is much better then using BigInteger to create the hex string representation.
You can try following. See details and download codes here: http://jkssweetlife.com/java-hashgenerator-md5-sha-1/
import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; public class MD5Example < public static void main(String[] args) throws Exception < final String inputString = "Hello MD5"; System.out.println("MD5 hex for '" + inputString + "' :"); System.out.println(getMD5Hex(inputString)); >public static String getMD5Hex(final String inputString) throws NoSuchAlgorithmException < MessageDigest md = MessageDigest.getInstance("MD5"); md.update(inputString.getBytes()); byte[] digest = md.digest(); return convertByteToHex(digest); >private static String convertByteToHex(byte[] byteData) < StringBuilder sb = new StringBuilder(); for (int i = 0; i < byteData.length; i++) < sb.append(Integer.toString((byteData[i] & 0xff) + 0x100, 16).substring(1)); >return sb.toString(); > > Bombe’s answer is correct, however note that unless you absolutely must use MD5 (e.g. forced on you for interoperability), a better choice is SHA1 as MD5 has weaknesses for long term use.
I should add that SHA1 also has theoretical vulnerabilities, but not as severe. The current state of the art in hashing is that there are a number of candidate replacement hash functions but none have yet emerged as the standard best practice to replace SHA1. So, depending on your needs you would be well advised to make your hash algorithm configurable so it can be replaced in future.
Probably the best you can do at the moment is use SHA1 and be ready to replace it in future. You could use newer functions but they have not yet been subject to great amounts of research. You could track online security resources to find out when this changes — for example Bruce Schneier’s blog.
SHA1 is overkill unless you want a cryptographically secure hash, i.e. you don’t want the hash to help in reconstructing the original message, nor do you want a clever attacker to create another message which matches the hash. If the original isn’t a secret and the hash isn’t being used for security, MD5 is fast and easy. For example, Google Web Toolkit uses MD5 hashes in JavaScript URLs (e.g. foo.js?hash=12345).
String hash = MD5.asHex(MD5.getHash(new File(filename))); I found it very useful. It took 15357 ms for a 4.57GB file whereas java inbuilt implementation took 19094 ms.
I do not know if this is relevant for anyone reading this, but I just had the problem that I wanted to
- download a file from a given URL and
- compare its MD5 to a known value.
I wanted to do it with JRE classes only (no Apache Commons or similar). A quick web search did not show me sample code snippets doing both at the same time, only each task separately. Because this requires to read the same file twice, I figured it might be worth the while to write some code which unifies both tasks, calculating the checksum on the fly while downloading the file. This is my result (sorry if it is not perfect Java, but I guess you get the idea anyway):
import java.io.FileOutputStream; import java.io.IOException; import java.math.BigInteger; import java.net.URL; import java.nio.ByteBuffer; import java.nio.channels.Channels; import java.nio.channels.ReadableByteChannel; import java.nio.channels.WritableByteChannel; import java.security.DigestOutputStream; // new import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; void downloadFile(String fromURL, String toFile, BigInteger md5) throws IOException, NoSuchAlgorithmException < ReadableByteChannel in = Channels.newChannel(new URL(fromURL).openStream()); MessageDigest md5Digest = MessageDigest.getInstance("MD5"); WritableByteChannel out = Channels.newChannel( //new FileOutputStream(toFile)); // old new DigestOutputStream(new FileOutputStream(toFile), md5Digest)); // new ByteBuffer buffer = ByteBuffer.allocate(1024 * 1024); // 1 MB while (in.read(buffer) != -1) < buffer.flip(); //md5Digest.update(buffer.asReadOnlyBuffer()); // old out.write(buffer); buffer.clear(); >BigInteger md5Actual = new BigInteger(1, md5Digest.digest()); if (! md5Actual.equals(md5)) throw new RuntimeException( "MD5 mismatch for file " + toFile + ": expected " + md5.toString(16) + ", got " + md5Actual.toString(16) ); >