Sometimes you want to verify, from Perl, a password that Spring Security's BCryptPasswordEncoder hashed, right?
No? Never heard of it?
Well, exactly that came up for me.
$2a$10$Cc6/UiniMuKkyVsVM.FUt.rmgDm0UOQxuhuGSSuL/LzZUGrNeGvxq
That is what was stored. Apparently it is Spring Security's doing. What on earth is this unfamiliar hash value?
Stuck with it, I googled around, but nothing useful turned up.
JscxAX:5[4Q]NYoK
Then a certain login user came to me, in Perl, asking "This is my password, is it correct?"
So now I have to check this password against that strange string Spring Security hashed and stored earlier, and do it in Perl? I had no idea how.
It turned out to be surprisingly easy.
use strict;
use warnings;
use utf8;
use feature qw(say);
use Crypt::Eksblowfish::Bcrypt qw(bcrypt);
my $raw_password = 'JscxAX:5[4Q]NYoK';
my $hashed_password = '$2a$10$Cc6/UiniMuKkyVsVM.FUt.rmgDm0UOQxuhuGSSuL/LzZUGrNeGvxq';
my $salt = substr($hashed_password, 0, 29); # "$2a$10$" +22 characters
my $check = bcrypt($raw_password, $salt);
if ($check eq $hashed_password) {
say "ATTERUYO!";
}
else {
say "ATTENAIYO!";
}
ATTERUYO!
Good, it matched.
... Wait, does it say ATTERUYO!
every time?
my $raw_password = 'JscxAX:4[5Q]NYoK';
Change only this one line, to something slightly off.
ATTENAIYO!
Good. It correctly detects the mismatch.
Then Spring Security says: "Make a function that changes the password from Perl and saves it."
Yeah, you are going to verify against that value, right? So I have to produce it in a format you can handle ...?
... Of course I do.
Don't tell me it can be done in Java but not in Perl; that would be a disgrace to the camel.
use strict;
use warnings;
use utf8;
use feature qw(say);
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);
use Crypt::Random qw(makerandom_octet);
# 16 random bytes, encoded with bcrypt's own base64 alphabet, give the
# 22-character salt that follows "$2a$10$" in the stored string.
sub gen_salt {
return en_base64(makerandom_octet(Length => 16));
}
my $raw_password = 'Z86J9_Kr_sDcw#o4'; #new password
my $salt = '$2a$10$' . gen_salt();
my $hashed_password = bcrypt($raw_password, $salt);
say $hashed_password;
$2a$10$/IwrxT05tg1ZlmUrV.7eAOsowJsbkVHs6ku54FC0VHBew23HOm61W
I got something like that.
Z86J9_Kr_sDcw#o4
Give the above password to the Perl code and it comes out as
$2a$10$/IwrxT05tg1ZlmUrV.7eAOsowJsbkVHs6ku54FC0VHBew23HOm61W
a string like that, which goes into the DB.
Can Java (Spring Security) really verify this hash correctly ...?
So I checked it with some fairly rough code that has a strong whiff of being written by someone who does not usually write Java.
package com.example.demo;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
public class DemoApplication {
public static void main(String[] args) {
String rawPassword = "Z86J9_Kr_sDcw#o4"; // the password hashed by the Perl code above
String hashedPassword = "$2a$10$/IwrxT05tg1ZlmUrV.7eAOsowJsbkVHs6ku54FC0VHBew23HOm61W";
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
if (passwordEncoder.matches(rawPassword, hashedPassword)) {
System.out.println("ATTERUYO!");
}
else {
System.out.println("ATTENAIYO!");
}
}
}
ATTERUYO!
Glad it worked properly.
... Wait, does it say ATTERUYO!
every time?
String rawPassword = "Z86Jq_Kr_sDcw#o4";
Change only this one line, to something slightly off.
ATTENAIYO!
Good. It correctly detects the mismatch.
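Tying the two halves together, here is an added example of my own (not code from the original post, and not Spring Security's) that wraps the verification and the hashing in functions and adds the checks I would want before relying on this in production: it parses the stored string instead of blindly taking the first 29 characters; it accepts the `$2b$` and `$2y$` prefixes Spring Security can be configured to emit (Crypt::Eksblowfish::Bcrypt only parses `$2$` and `$2a$`, and for normal passwords the computation under all three is the same, so the settings are normalized to `$2a$` and only the salt+hash part is compared); it hashes the UTF-8 bytes of the password, as Spring's BCrypt does, so non-ASCII passwords match across the two sides; it compares in constant time; and it flags a hash whose cost is below the target so it can be re-hashed on the next successful login. The names `verify_password`, `hash_password`, `parse_bcrypt`, `ct_eq` and `$TARGET_COST` are my own; the sample hash and passwords are the ones from this post.

```perl
use strict;
use warnings;
use utf8;
use feature qw(say);
use Encode qw(encode_utf8);
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);
use Crypt::Random qw(makerandom_octet);

# Cost for new hashes. Spring Security's BCryptPasswordEncoder defaults to
# strength 10; if you raise it there, raise it here too.
my $TARGET_COST = 10;

# Parse the string Spring Security stores: $2a$10$<22-char salt><31-char hash>
# Returns (version, cost, salt, hash), or an empty list if it is malformed.
sub parse_bcrypt {
    my ($stored) = @_;
    return unless defined $stored
        && $stored =~ m{\A\$2([aby])\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z};
    return ($1, $2, $3, $4);
}

# Constant-time equality: XOR every byte pair and OR the results together,
# so the loop runs to the end regardless of where the strings differ.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Check a candidate password against a hash Spring Security stored.
# Returns { ok => 0|1, needs_rehash => 0|1 } so the caller can transparently
# re-hash with the current cost after a successful login.
sub verify_password {
    my ($candidate, $stored) = @_;
    my ($version, $cost, $salt, $hash) = parse_bcrypt($stored)
        or return { ok => 0, needs_rehash => 0 };

    # Crypt::Eksblowfish::Bcrypt only understands "$2$" / "$2a$" settings;
    # "$2b$" and "$2y$" hashes are computed identically for normal passwords,
    # so recompute under "$2a$" and compare only the salt+hash portion.
    my $settings = '$2a$' . $cost . '$' . $salt;

    # Spring's BCrypt hashes the UTF-8 bytes of the password; do the same.
    my $computed = bcrypt(encode_utf8($candidate), $settings);

    my $ok = ct_eq(substr($computed, 7), $salt . $hash);
    return {
        ok           => $ok ? 1 : 0,
        needs_rehash => ($ok && $cost < $TARGET_COST) ? 1 : 0,
    };
}

# Produce a hash in the "$2a$" form Spring Security's default encoder emits.
sub hash_password {
    my ($password, $cost) = @_;
    $cost //= $TARGET_COST;
    my $settings = sprintf('$2a$%02d$', $cost) . en_base64(makerandom_octet(Length => 16));
    return bcrypt(encode_utf8($password), $settings);
}

# Constructed demo input: the hash from this post, generated by Spring Security
# for the password 'JscxAX:5[4Q]NYoK'.
my $stored = '$2a$10$Cc6/UiniMuKkyVsVM.FUt.rmgDm0UOQxuhuGSSuL/LzZUGrNeGvxq';
for my $candidate ('JscxAX:5[4Q]NYoK', 'JscxAX:4[5Q]NYoK') {
    my $r = verify_password($candidate, $stored);
    say "$candidate => ", ($r->{ok} ? 'ATTERUYO!' : 'ATTENAIYO!');
}

# The same hash with a "$2y$" prefix verifies too, thanks to the normalization.
my $stored_2y = '$2y$' . substr($stored, 4);
say 'as $2y$ => ', (verify_password('JscxAX:5[4Q]NYoK', $stored_2y)->{ok} ? 'ATTERUYO!' : 'ATTENAIYO!');

# A hash made with a lower cost than the target is accepted but flagged.
my $old = hash_password('Z86J9_Kr_sDcw#o4', 8);
my $r   = verify_password('Z86J9_Kr_sDcw#o4', $old);
say "cost 8 => ok=$r->{ok} needs_rehash=$r->{needs_rehash}";

# Round-trip a new hash at the target cost; this is what goes into the DB.
my $new_hash = hash_password('Z86J9_Kr_sDcw#o4');
say $new_hash;
say verify_password('Z86J9_Kr_sDcw#o4', $new_hash)->{ok} ? 'round-trip OK' : 'round-trip FAILED';
```

Two design notes. The `needs_rehash` flag mirrors what `BCryptPasswordEncoder.upgradeEncoding` does on the Java side, so both applications can bump the cost on login without a migration. And a garbage or empty value in the password column (a disabled account, a row migrated from another system) is rejected by `parse_bcrypt` before anything is hashed, rather than being fed to `bcrypt()` and croaking inside the login path.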
There are also SCryptPasswordEncoder and Pbkdf2PasswordEncoder, but they are not an issue in my environment at the moment, so someone else can write those up someday.