Re: Pbkdf2PasswordHashImpl generate() creates sometimes invalid result


Will Hopkins
 

This should not be happening. I'm using the "Basic" encoder (Base64.getEncoder()), which, per the Base64 Javadoc, should not be inserting any line feed/line separator characters.

https://docs.oracle.com/javase/8/docs/api/java/util/Base64.html

Will

On 07/27/2017 06:31 AM, Rudy De Busscher wrote:
During the tests I was writing for Pbkdf2PasswordHashImpl, I saw that Pbkdf2PasswordHashImpl#generate() generates a result with line breaks in it.

PBKDF2WithHmacSHA512:1024:QRyYndGzgjmZ7DT51fQ4orSJp5b1IkEaY7qFp9o0Q8ZW4GuR7A7sOQN80Dtrqh1stXjK/VSj5+TY\nZClDbdM/wQ==:VNDmODrwU/geTRbtYaQXOrraPh1XP38qM1rRJtLts0OVLjpCq8Q5OYMdxR5whK7JgJpWQqMh1zIh\nYoTLatrXWA==

(the above example is when using a longer salt and longer key size, both 64)

This is due to the fact that the Base64 algorithm adds line breaks after every 76 characters.

But these line breaks make the Base64 invalid when we call the verify() method with this kind of values.

My proposal is to remove them (the line breaks) during generation of the hash (generate() method) and also clean them out before base64 decoding (decode() method).

Rudy


-- 
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803
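As an added illustration of the two behaviours discussed in this thread (not code from Pbkdf2PasswordHashImpl or either poster), the snippet below derives a 64-byte salt and 64-byte key as in Rudy's sample, encodes with the Basic encoder (no line separators) and with the MIME encoder (separators after 76 characters), and verifies with the MIME decoder, which ignores line separators so that values stored with embedded breaks still decode. The class and method names are hypothetical; the hash layout `alg:iterations:salt:key` follows the sample in the thread.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class Pbkdf2Base64Demo {                 // hypothetical class name
    static final String ALG = "PBKDF2WithHmacSHA512";
    static final int ITERATIONS = 1024;         // the thread's sample value; use far more in production
    static final int SALT_BYTES = 64, KEY_BITS = 512;   // 64-byte salt and key, as in the thread

    static byte[] pbkdf2(char[] pw, byte[] salt, int iter, int keyBits) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iter, keyBits);
        try {
            return SecretKeyFactory.getInstance(ALG).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();               // drop the password copy held by the spec
        }
    }

    // generate(): the Basic encoder never emits line separators, however long the input;
    // the MIME encoder inserts "\r\n" after every 76 encoded characters (88 for 64 bytes).
    static String generate(char[] pw, Base64.Encoder enc) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] key = pbkdf2(pw, salt, ITERATIONS, KEY_BITS);
        return ALG + ":" + ITERATIONS + ":" + enc.encodeToString(salt) + ":" + enc.encodeToString(key);
    }

    // verify(): the MIME decoder skips characters outside the Base64 alphabet (CR, LF),
    // so a stored value that already contains line breaks still decodes and verifies.
    static boolean verify(char[] pw, String stored) throws Exception {
        String[] p = stored.split(":");
        if (p.length != 4 || !ALG.equals(p[0])) return false;
        Base64.Decoder dec = Base64.getMimeDecoder();
        byte[] salt = dec.decode(p[2]), expected = dec.decode(p[3]);
        byte[] actual = pbkdf2(pw, salt, Integer.parseInt(p[1]), expected.length * 8);
        return MessageDigest.isEqual(expected, actual);     // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse".toCharArray();           // constructed sample password
        String basic = generate(pw, Base64.getEncoder());
        String mime = generate(pw, Base64.getMimeEncoder());
        System.out.println("basic encoder output contains CRLF: " + basic.contains("\r\n"));
        System.out.println("mime encoder output contains CRLF:  " + mime.contains("\r\n"));
        System.out.println("verify(basic): " + verify(pw, basic));
        System.out.println("verify(mime):  " + verify(pw, mime));
        System.out.println("verify(wrong password): " + verify("wrong".toCharArray(), basic));
    }
}
```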
