golang.org/x/crypto/bcrypt [1] does not provide an official API to verify that the hash format is good one. The current sources indicates [2] that one can use bcrypt.Cost() as that parses and verifies the whole hash string. But the documentation does not reflect that a successful return from the function indicates a valid hash. Also the documentation implies that bcrypt.ErrHashTooShort can only be returned from CompareHashAndPassword when the Cost function can also return it.
It would be nice to have an explicit API to check hash format and perhaps check that it was created by older version so a password change can be scheduled in such case.
zhoub
commented
1 year ago
golang.org/x/crypto/bcrypt [1] does not provide an official API to verify that the hash format is good one. The current sources indicates [2] that one can use bcrypt.Cost() as that parses and verifies the whole hash string. But the documentation does not reflect that a successful return from the function indicates a valid hash. Also the documentation implies that bcrypt.ErrHashTooShort can only be returned from CompareHashAndPassword when the Cost function can also return it.
It would be nice to have an explicit API to check hash format and perhaps check that it was created by older version so a password change can be scheduled in such case.
[1] - https://godoc.org/golang.org/x/crypto/bcrypt [2] - https://github.com/golang/crypto/blob/6c586e17d90a7d08bbbc4069984180dce3b04117/bcrypt/bcrypt.go#L118