Hash password in PHP and verify with Java (PASSWORD_BCRYPT & jBcrypt)

余生颓废 submitted on 2019-12-11 03:52:17

Question


I have a question regarding the hashing of passwords. I am using this on the webpage:

$pw = password_hash($_POST['password'], PASSWORD_BCRYPT);

After that I store this result in the database. With my Java Web Service I want to verify the password. For that I am using this method:

   if (BCrypt.checkpw(password, dbPwd)){
       return Response.ok("ok").build();
   }

dbPwd is the one I stored and password is the password in plain text from the first method. Unfortunately I am receiving this error code:

javax.servlet.ServletException: java.lang.IllegalArgumentException: Invalid salt revision

Update

I found on the internet that there is a "bug": the Java method is using 2y and jBcrypt is using 2a. I tried it with 2a and it works, but how can I fix this / make it work?


Answer 1:


After a lot of digging I found a newer implementation of the jBcrypt library: https://github.com/patrickfav/bcrypt

I use Scala but the concepts are essentially the same and to verify a $2y$ hash I've created a small utility function:

import at.favre.lib.crypto.bcrypt.BCrypt

  /**
    * Verifies a plaintext password against a stored BCrypt hash
    *
    * @link https://github.com/patrickfav/bcrypt
    * @param hash The hashed password (hashed with BCrypt version $2y$)
    * @param password The plaintext password string
    * @return true only if the hash is a $2y$ hash and the password matches it
    */
  private def verifyBcryptHash(hash: String, password: String): Boolean = {
    // A missing or blank stored hash never verifies
    if (hash == null || hash.trim.isEmpty)
      false
    else
      BCrypt
        .verifyer()
        .verifyStrict(
          password.toCharArray(),
          hash.toCharArray(),
          BCrypt.Version.VERSION_2Y
        )
        .verified
  }
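
For services that have to stay on the original jBcrypt, the "2a works" observation from the question can be turned into a checked prefix rewrite. This is an added example, not part of the original question or answer; it assumes org.mindrot.jbcrypt.BCrypt is on the classpath and that $2y$ and $2a$ hashes are computed the same way, and the class and method names are hypothetical.

```java
import java.util.regex.Pattern;
import org.mindrot.jbcrypt.BCrypt;

public class PhpBcryptCompat {
    // Modular crypt layout: $2<rev>$<2-digit cost>$<22-char salt><31-char digest>
    private static final Pattern BCRYPT_2A_OR_2Y =
        Pattern.compile("\\$2[ay]\\$\\d{2}\\$[./A-Za-z0-9]{53}");

    /**
     * Returns the stored hash with a "$2a$" prefix, or null when the value is
     * not a well-formed $2a$/$2y$ bcrypt string. Only the revision marker is
     * rewritten; cost, salt and digest are passed through untouched.
     */
    static String toJbcryptForm(String stored) {
        if (stored == null || !BCRYPT_2A_OR_2Y.matcher(stored).matches()) {
            return null;
        }
        return "$2a$" + stored.substring(4);
    }

    /** Fails closed: malformed or unknown-revision hashes never verify. */
    static boolean verify(String password, String stored) {
        String hash = toJbcryptForm(stored);
        // Validating first keeps checkpw from throwing IllegalArgumentException
        // ("Invalid salt revision") on input it cannot parse.
        return hash != null && BCrypt.checkpw(password, hash);
    }

    public static void main(String[] args) {
        // Constructed sample: jBcrypt emits "$2a$", so the prefix is swapped
        // here to imitate what password_hash(..., PASSWORD_BCRYPT) stores.
        String generated = BCrypt.hashpw("correct horse", BCrypt.gensalt(10));
        String phpStyle = "$2y$" + generated.substring(4);

        System.out.println(verify("correct horse", phpStyle));
        System.out.println(verify("wrong password", phpStyle));
        System.out.println(verify("correct horse", "$2y$10$truncated"));
    }
}
```

Rewriting the prefix in memory at verification time leaves the database rows as PHP wrote them, so password_verify() on the PHP side keeps working.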



Source: https://stackoverflow.com/questions/46308900/hash-password-in-php-and-verify-with-java-password-bcrypt-jbcrypt
