Context
I am working with a PHP system that uses the updated bcrypt algorithm (because of a known vulnerability in the underlying implementation). PHP's password_hash function therefore now generates hashes prefixed with $2y$, because the old hashes (prefixed with $2a$) were affected by the bug.
Spring Security's BCrypt, which I use in another Java system, generates hashes in the original $2a$ format, because its underlying implementation (jBCrypt rather than C BCrypt, as mentioned in this SO post) is not affected by the same bug.
Question
Checking a PHP-generated hash in Spring Security does not work. Is there a way to check PHP-generated hashes with Spring Security?
Example
php > $pwd = password_hash('foo', PASSWORD_BCRYPT, ['cost' => 12]);
php > echo $pwd;
$2y$12$TRc5ZjcmDJ8oFaoR1g7LD.RCxBTUZnGXB66EN9h9rKtNWg.hd7ExK
Then, using Java + Spring Security:
@Test
public void decryptsPhpHash() {
    boolean result = BCrypt.checkpw("foo", "$2y$12$TRc5ZjcmDJ8oFaoR1g7LD.RCxBTUZnGXB66EN9h9rKtNWg.hd7ExK");
    assertThat(result).isTrue();
}
This throws the following error:
java.lang.IllegalArgumentException: Invalid salt revision
Best answer
As far as I know, PHP simply changes the character a to y to distinguish its own hashes. Only PHP changed this prefix. So perhaps simply changing the y back to a will solve the problem.
In June 2011, a bug was discovered in crypt_blowfish, a PHP implementation of BCrypt. It was mis-handling characters with the 8th bit set. They suggested that system administrators update their existing password database, replacing $2a$ with $2x$, to indicate that those hashes are bad (and need to use the old broken algorithm). They also suggested the idea of having crypt_blowfish emit $2y$ for hashes generated by the fixed algorithm. Nobody else, including canonical OpenBSD, adopted the idea of 2x/2y. This version marker change was limited to crypt_blowfish. https://en.wikipedia.org/wiki/Bcrypt
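The prefix rewrite suggested in the answer, as an added example that is not part of the original post or of Spring Security: a small helper that turns a PHP $2y$ hash into the $2a$ form jBCrypt accepts (salt, cost and digest are byte-for-byte identical; only the version marker differs), refuses $2x$ hashes because those were computed by the buggy crypt_blowfish and should trigger a password reset rather than be verified, and then delegates to Spring Security's BCrypt.checkpw. The class name PhpBcryptCompat and its method names are assumptions; the sample hash is the one from the question.

```java
import org.springframework.security.crypto.bcrypt.BCrypt;

// Hypothetical helper, not part of Spring Security.
public final class PhpBcryptCompat {
    private PhpBcryptCompat() {}

    // A bcrypt hash is always 60 characters: "$2?$" + 2-digit cost + "$" + 22-char salt + 31-char digest.
    private static final int BCRYPT_HASH_LENGTH = 60;

    // Rewrite a PHP "$2y$" hash to the "$2a$" marker that jBCrypt understands.
    // The bytes after the marker are unchanged, so the verification result is the same.
    public static String toJavaCompatible(String hash) {
        if (hash == null || hash.length() != BCRYPT_HASH_LENGTH || hash.charAt(0) != '$') {
            throw new IllegalArgumentException("Not a bcrypt hash");
        }
        if (hash.startsWith("$2x$")) {
            // $2x$ marks hashes produced by the broken crypt_blowfish (8th-bit bug).
            // They were computed with the wrong algorithm; do not verify them as $2a$.
            throw new IllegalArgumentException(
                    "Hash was produced by the buggy crypt_blowfish; require a password reset");
        }
        if (hash.startsWith("$2y$")) {
            return "$2a$" + hash.substring(4);
        }
        return hash; // already $2a$ (or another marker jBCrypt handles)
    }

    // Verify a password against a hash that may have come from PHP's password_hash.
    public static boolean matchesPhpHash(CharSequence rawPassword, String phpHash) {
        return BCrypt.checkpw(rawPassword.toString(), toJavaCompatible(phpHash));
    }

    public static void main(String[] args) {
        // Hash taken from the question above: password_hash('foo', PASSWORD_BCRYPT, ['cost' => 12])
        String phpHash = "$2y$12$TRc5ZjcmDJ8oFaoR1g7LD.RCxBTUZnGXB66EN9h9rKtNWg.hd7ExK";
        System.out.println("rewritten: " + toJavaCompatible(phpHash));
        System.out.println("foo matches: " + matchesPhpHash("foo", phpHash));
        System.out.println("bar matches: " + matchesPhpHash("bar", phpHash));
    }
}
```

Two practical notes. First, the rewrite is safe only because PHP's fixed crypt_blowfish and jBCrypt both hash the password's UTF-8 bytes the same way, which is exactly why the $2y$ marker exists (it certifies the hash was made by the fixed code); the same mapping must not be applied to $2x$. Second, newer Spring Security releases accept the $2a$, $2b$ and $2y$ markers directly in BCrypt.checkpw and BCryptPasswordEncoder.matches, so check your version before adding a rewrite step at all; the helper is only needed for releases that still reject $2y$ with "Invalid salt revision".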
Regarding "java - Is there a way to check PHP-created bcrypt hashes with Spring Security?", a similar question can be found on Stack Overflow: https://stackoverflow.com/questions/53083542/