patrickfav / bcrypt

A Java standalone implementation of the bcrypt password hash function. Based on the Blowfish cipher it is the default password hash algorithm for OpenBSD and other systems including some Linux distributions. Includes a CLI Tool.
https://favr.dev/opensource/bcrypt
Apache License 2.0
467 stars, 50 forks

[enhancement] Bcrypt.Verifyer.verify(char[] password, byte[] bcryptHash) #16

Closed Andrew-Cottrell closed 5 years ago

Andrew-Cottrell commented 5 years ago

While converting some existing code to the bcrypt API, I ran into a (very) minor pain-point.

When working with some APIs it is natural for the password to be a char[] (e.g. passed to javax.crypto.spec.PBEKeySpec ctor) and the bcryptHash to be a byte[] (e.g. read fully from a java.io.DataInputStream).

This is probably an advanced use-case, but it would be nice to have Bcrypt.Verifyer.verify(char[] password, byte[] bcryptHash).

patrickfav commented 5 years ago

Is added. The downside is that this can be a bit confusing, as it expects the byte representation of chars representing a base64 string.

Andrew-Cottrell commented 5 years ago

I have run a quick test and the new method works exactly as I would expect.

import at.favre.lib.crypto.bcrypt.BCrypt;
import java.nio.charset.StandardCharsets;

public class VerifyTest {
    public static void main(final String[] args) {
        final char[] password = "password".toCharArray();
        // the byte[] is the UTF-8 encoding of the textual bcrypt hash, not the raw digest
        final byte[] bcryptHash = "$2a$12$Kuy09vX7/OoqoDBcKFvbluzt0/kj.PYAYFyyuXyW0kA/sCgk6wKCW".getBytes(StandardCharsets.UTF_8);
        final BCrypt.Result result = BCrypt.verifyer().verify(password, bcryptHash);
        System.out.println(result);
    }
}

Output (formatted):

Result {
    details = HashData {
        cost = 12,
        version = $2a$,
        rawSalt = 330d36ff167d050aaca850de307c5d9f,
        rawHash = d6fd819a5011682687d34c19d18da6081b848a6f323046
    },
    validFormat = true,
    verified = true,
    formatErrorMessage = 'null'
}

It's perfect for my use-case. Thank you.
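The caveat in the maintainer's reply (the byte[] must be the UTF-8 bytes of the textual "$2a$..." hash, not raw digest bytes) and the DataInputStream use-case from the original request are worth seeing end to end. The following is an added example, not code from this thread or from the bcrypt project: it hashes with the library's byte[]-returning hash() overload, stores the result behind a hypothetical length-prefixed record format (my construction, not anything the library defines), reads it back with readFully, verifies with the char[]/byte[] overload, and shows that bytes which are not a textual bcrypt hash fail validFormat rather than silently failing verified. It assumes at.favre.lib:bcrypt is on the classpath.

```java
import at.favre.lib.crypto.bcrypt.BCrypt;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class StoredHashVerify {

    // Hypothetical record layout (constructed for this example): a 4-byte
    // length prefix followed by the textual bcrypt hash as UTF-8 bytes.
    static byte[] writeRecord(byte[] bcryptHash) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(buf)) {
            out.writeInt(bcryptHash.length);
            out.write(bcryptHash);
        }
        return buf.toByteArray();
    }

    static byte[] readRecord(byte[] record) throws IOException {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(record))) {
            int len = in.readInt();
            if (len <= 0 || len > 128) {          // sanity bound before allocating
                throw new IOException("implausible hash length: " + len);
            }
            byte[] hash = new byte[len];
            in.readFully(hash);                   // EOFException on a short read
            return hash;
        }
    }

    // Verifies the password and wipes the char[] regardless of the outcome.
    // validFormat is checked separately from verified so that a wrong column,
    // a raw digest or corrupted storage is reported as a format problem, not
    // as a plain "wrong password".
    static boolean checkPassword(char[] password, byte[] storedHash) {
        try {
            BCrypt.Result result = BCrypt.verifyer().verify(password, storedHash);
            if (!result.validFormat) {
                System.err.println("bad hash format: " + result.formatErrorMessage);
                return false;
            }
            return result.verified;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws IOException {
        char[] password = "correct horse battery staple".toCharArray();

        // Enrolment: hash() returns the textual hash ("$2a$12$...") as UTF-8 bytes.
        byte[] hash = BCrypt.withDefaults().hash(12, password.clone());
        byte[] record = writeRecord(hash);

        // Login: read the record back and verify with the char[]/byte[] overload.
        byte[] stored = readRecord(record);
        System.out.println("good password: " + checkPassword(password.clone(), stored)); // true
        System.out.println("bad password:  " + checkPassword("wrong".toCharArray(), stored)); // false

        // Failure mode: hex of a raw digest is not a textual bcrypt hash, so
        // verify() reports validFormat=false instead of comparing anything.
        byte[] notAHash = "d6fd819a5011682687d34c19d18da6081b848a6f323046".getBytes(StandardCharsets.UTF_8);
        System.out.println("raw hex bytes: " + checkPassword(password.clone(), notAHash)); // false

        Arrays.fill(password, '\0');
    }
}
```

The clones are there because the example reuses one password array for several calls; in real code the char[] comes in once, is passed straight to verify(), and is wiped in the finally block. Treating a validFormat=false result as a logged configuration error rather than a failed login keeps a broken storage path from looking like a user typing the wrong password.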