How to use B-Crypt with EncodingHashBean

[heruan]

I'm using Passay to validate passwords in a Spring application, which uses BCryptPasswordEncoder to encode passwords. I need to use Passay's DigestHistoryRule with a Cryptacular's EncodingHashBean for these passwords, but I do not know which DigestSpec to use.

Is this supported at all? If not, is it possible to add support for this?

[serac]

There is no Bouncy Castle Digest implementation for BCrypt and consequently no DigestSpec. I do think it would be straightforward to develop a new HashBean implementation that uses the BCrypt component of Bouncy Castle to do the hashing:

https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/BCrypt.java

If you have test vectors you can share, that would be very helpful; in particular, input passwords and expected hex digests. The test coverage is at least 2x more effort than the code itself, and the test data is at least half of that.

[serac]

If we get test data in the next few days, I'm optimistic this could make the upcoming 1.1.0 release.

[heruan]

Thank you @serac for the quick response! Here's a list of 100 passwords with their B-Crypt hash (Base64): https://gist.github.com/heruan/dfbed28cf6ef3af6382697421c3ebe03

[serac]

Thanks. I started work on the feature but it's proving more difficult than I hoped due to the need for changes to our base-N encoding components to deal with the non-standard base-64 alphabet commonly used in bcrypt hashes. I'm still optimistic this feature will make our next release, just with more effort than initially planned.

[serac]

@heruan I wouldn't mind if you checked out the branch and reviewed it for your needs. After I got into the details of bcrypt, which I was unfamiliar with, I felt that it had a set of fairly narrow use cases and I stuck to those in the implementation. Thus BCryptHashBean is less flexible than the existing HashBean components, but hopefully more convenient for what most folks would need. I would appreciate confirmation that my assumption is correct.