search

vt-middleware / cryptacular

The friendly complement to the BouncyCastle crypto API for Java.
Other
39 stars 7 forks source link

How to use B-Crypt with EncodingHashBean #39

Closed heruan closed 6 years ago

heruan commented 6 years ago

I'm using Passay to validate passwords in a Spring application, which uses BCryptPasswordEncoder to encode passwords. I need to use Passay's DigestHistoryRule with a Cryptacular's EncodingHashBean for these passwords, but I do not know which DigestSpec to use.

Is this supported at all? If not, is it possible to add support for this?

serac commented 6 years ago

There is no Bouncy Castle Digest implementation for BCrypt and consequently no DigestSpec. I do think it would be straightforward to develop a new HashBean implementation that uses the BCrypt component of Bouncy Castle to do the hashing:

https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/BCrypt.java

If you have test vectors you can share, that would be very helpful; in particular, input passwords and expected hex digests. The test coverage is at least 2x more effort than the code itself, and the test data is at least half of that.

serac commented 6 years ago

If we get test data in the next few days, I'm optimistic this could make the upcoming 1.1.0 release.

heruan commented 6 years ago

Thank you @serac for the quick response! Here's a list of 100 passwords with their B-Crypt hash (Base64): https://gist.github.com/heruan/dfbed28cf6ef3af6382697421c3ebe03

serac commented 6 years ago

Thanks. I started work on the feature but it's proving more difficult than I hoped due to the need for changes to our base-N encoding components to deal with the non-standard base-64 alphabet commonly used in bcrypt hashes. I'm still optimistic this feature will make our next release, just with more effort than initially planned.

serac commented 6 years ago

@heruan I wouldn't mind if you checked out the branch and reviewed it for your needs. After I got into the details of bcrypt, which I was unfamiliar with, I felt that it had a set of fairly narrow use cases and I stuck to those in the implementation. Thus BCryptHashBean is less flexible than the existing HashBean components, but hopefully more convenient for what most folks would need. I would appreciate confirmation that my assumption is correct.