How to use B-Crypt with EncodingHashBean #39

Closed
heruan opened this issue Mar 24, 2018 · 5 comments

@heruan

commented Mar 24, 2018

I'm using Passay to validate passwords in a Spring application, which uses BCryptPasswordEncoder to encode passwords. I need to use Passay's DigestHistoryRule with Cryptacular's EncodingHashBean for these passwords, but I do not know which DigestSpec to use.

Is this supported at all? If not, is it possible to add support for this?

@serac

Member

commented Mar 24, 2018

There is no Bouncy Castle Digest implementation for BCrypt and consequently no DigestSpec. I do think it would be straightforward to develop a new HashBean implementation that uses the BCrypt component of Bouncy Castle to do the hashing:

https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/BCrypt.java

If you have test vectors you can share, that would be very helpful; in particular, input passwords and expected hex digests. The test coverage is at least 2x more effort than the code itself, and the test data is at least half of that.

serac added the enhancement label Mar 24, 2018

serac added this to the 1.1.0 milestone Mar 24, 2018

@serac

Member

commented Mar 24, 2018

If we get test data in the next few days, I'm optimistic this could make the upcoming 1.1.0 release.

@heruan

Author

commented Mar 24, 2018

Thank you @serac for the quick response! Here's a list of 100 passwords with their B-Crypt hash (Base64): https://gist.github.com/heruan/dfbed28cf6ef3af6382697421c3ebe03

@serac

Member

commented Mar 30, 2018

Thanks. I started work on the feature but it's proving more difficult than I hoped due to the need for changes to our base-N encoding components to deal with the non-standard base-64 alphabet commonly used in bcrypt hashes. I'm still optimistic this feature will make our next release, just with more effort than initially planned.
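
The non-standard base-64 alphabet mentioned in the comment above, as an added example that is not part of the thread and is not Cryptacular's or Bouncy Castle's code: it splits a bcrypt hash string in the common `$version$cost$` layout into its fields and decodes the salt and hash to hex. The class name `BcryptStringParser` is hypothetical and the sample string is constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper for illustration; not part of Cryptacular or Bouncy Castle.
public class BcryptStringParser {
  // bcrypt orders its 64 symbols differently from RFC 4648 and emits no '=' padding.
  static final String BCRYPT_ALPHABET =
      "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  // $<version>$<2-digit cost>$<22-char salt><31-char hash>
  static final Pattern FORMAT = Pattern.compile(
      "\\$(2[abxy]?)\\$(\\d{2})\\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})");

  // Decode exactly nbytes from bcrypt base-64 text; leftover low bits are dropped.
  static byte[] decode(String text, int nbytes) {
    byte[] out = new byte[nbytes];
    int buf = 0, bits = 0, pos = 0;
    for (int i = 0; i < text.length() && pos < nbytes; i++) {
      int v = BCRYPT_ALPHABET.indexOf(text.charAt(i));
      if (v < 0) throw new IllegalArgumentException("not a bcrypt base-64 symbol");
      buf = (buf << 6) | v;   // same MSB-first bit packing as standard base-64
      bits += 6;
      if (bits >= 8) {
        bits -= 8;
        out[pos++] = (byte) (buf >>> bits);
        buf &= (1 << bits) - 1;
      }
    }
    if (pos != nbytes) throw new IllegalArgumentException("input too short");
    return out;
  }

  static String hex(byte[] data) {
    StringBuilder sb = new StringBuilder();
    for (byte b : data) sb.append(String.format("%02x", b));
    return sb.toString();
  }

  public static void main(String[] args) {
    // Constructed sample with the right shape; it is not the hash of any real password.
    String sample = "$2a$10$ABCDEFGHIJKLMNOPQRSTUu0123456789abcdefghijklmnopqrstu";
    Matcher m = FORMAT.matcher(sample);
    if (!m.matches()) throw new IllegalArgumentException("not a bcrypt hash string");
    System.out.println("version=" + m.group(1) + " cost=" + Integer.parseInt(m.group(2)));
    System.out.println("salt (16 bytes) = " + hex(decode(m.group(3), 16)));
    System.out.println("hash (23 bytes) = " + hex(decode(m.group(4), 23)));
  }
}
```

Feeding the same 22-character salt field to a standard Base64 decoder would either fail on `.` or map every symbol to the wrong value, which is why the alphabet has to be handled explicitly.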

@serac

Member

commented Apr 18, 2018

@heruan I wouldn't mind if you checked out the branch and reviewed it for your needs. After I got into the details of bcrypt, which I was unfamiliar with, I felt that it had a set of fairly narrow use cases and I stuck to those in the implementation. Thus BCryptHashBean is less flexible than the existing HashBean components, but hopefully more convenient for what most folks would need. I would appreciate confirmation that my assumption is correct.

dfish3r closed this in #42 Apr 19, 2018

dfish3r added a commit that referenced this issue Apr 19, 2018

Merge master changes.
Includes fixes for issues #37, #39, and #40.