Hashing a string, and then verifying a string if it equals to said hash

Time:04-05

So I'm essentially looking to password protect my batch script in a more secure way where I don't store the password within the batch file. The best idea in mind for me is to simply hash the password under SHA256, and then have the batch file let me provide the preimage to the hash. So essentially the hash is being stored in the batch file code but not the genuine password itself.

How can I do this?

Synopsis

  • I need a way that I can hash a string under SHA256
  • Then input that hash into the batch file and require an input value that will be checked to see if equal to specified hash.

I can't seem to find any kind of native command to make my batch script check for a specified hash.

set value==certutil -hashstring blablabla SHA256`
if %value%== 492F3F38D6B5D3CA859514E250E25BA65935BCDD9F4F40C124B773FE536FEE7D echo this is the valid hash preimage, authenticated!

That's an example of what I'm going for. Specifics: Windows 10, PowerShell.

CodePudding user response:

Certutil can hash only files so you need to write the string you want into a file. You can use sha256.bat that utilizes certutil:

(echo(blabla)>#
call sha256 # value
del /q /f # >nul 2>nul
echo %value%

check also this

CodePudding user response:

@ECHO OFF
SETLOCAL

set /p "userinput=Batch Hash ? "
FOR /f %%h IN ('certutil -hashfile "%~f0" sha256 ^|find /v ":"') DO SET "hash=%%h"
    
ECHO hash=%hash%
if "%userinput%"=="%hash%" (echo match) else (echo miss)

GOTO :EOF

Nothing complicated. "%~f0" is the full filename of the batch; pass this through an escaped pipe to find, which eliminates lines containing : from the certutil response and assigns the result to %%h, thence to hash.
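Since the question names PowerShell, here is an added example (not code from the thread or from sha256.bat) that hashes the string's bytes directly and compares the result with a stored digest. The function names and sample values are constructed; it also shows why a digest taken from the file that `(echo(blabla)>#` writes in the first answer does not match a digest of the bare string.

```powershell
# Added example; function names and sample values are constructed for illustration.
function Get-Sha256Hex {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        # Hash the exact UTF-8 bytes of the string: no temp file, no trailing CRLF.
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        return -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
    } finally {
        $sha.Dispose()
    }
}

function Test-HashPreimage {
    param([string]$Candidate, [string]$StoredHex)
    $actual   = Get-Sha256Hex $Candidate
    $expected = $StoredHex.Trim()
    # Hex digits may be stored in upper or lower case, so ignore case explicitly.
    return [string]::Equals($actual, $expected, [System.StringComparison]::OrdinalIgnoreCase)
}

function Read-PasswordText {
    # Prompt without echoing the input, then recover the text for hashing.
    $secure = Read-Host -Prompt 'Password' -AsSecureString
    return [System.Net.NetworkCredential]::new('', $secure).Password
}

# Constructed demo. In a real script $stored is a pasted hex literal that was
# generated once with Get-Sha256Hex in a separate session.
$stored = Get-Sha256Hex 'blabla'
'bare string  : {0}' -f (Test-HashPreimage 'blabla' $stored)

# What "(echo(blabla)>#" writes to the file is the text plus CR LF, so the two
# methods only agree if the stored digest was produced the same way.
'echo-to-file : {0}' -f (Test-HashPreimage "blabla`r`n" $stored)

# Interactive use (uncomment in a real script):
# if (-not (Test-HashPreimage (Read-PasswordText) $stored)) { exit 1 }
```

Anyone who can read the script can test guesses against an unsalted SHA-256 digest offline, so this only holds up with a long, random password. Anyone who can edit the script can remove the check, so it gates casual use rather than protecting what the script does.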
