Java教程

PHP和Java在bcrypt加密算法实现上的差异

本文主要是介绍PHP和Java在bcrypt加密算法实现上的差异,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!

背景:

PHP的bcrypt默认采用的是CRYPT_BLOWFISH加密算法,使用的salt是$2y$,而Java使用的salt是$2a$,当使用Java对由PHP的bcrypt加密的密文进行校验时,会因为salt的这个差异导致Java出现下面的错误:

Encoded password does not look like BCrypt

从官方文档对CRYPT_BLOWFISH的说明里,可以证实:

  • CRYPT_BLOWFISH - Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z". Using characters outside of this range in the salt will cause crypt() to return a zero-length string. The two digit cost parameter is the base-2 logarithm of the iteration count for the underlying Blowfish-based hashing algorithm and must be in range 04-31, values outside this range will cause crypt() to fail. "$2x$" hashes are potentially weak; "$2a$" hashes are compatible and mitigate this weakness. For new hashes, "$2y$" should be used. Please refer to » this document for full details of the related security fix.

解决办法,分为两种:

第一种,也是最简单的,在密文校验前,先将密文的$2y$替换为$2a$

第二种,重写spring boot的BCryptPasswordEncoder.java,之所以会出现上述错误,主要是下面这个方法:

    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        if (encodedPassword == null || encodedPassword.length() == 0) {
            logger.warn("Empty encoded password");
            return false;
        }

        if (!BCRYPT_PATTERN.matcher(encodedPassword).matches()) {
            logger.warn("Encoded password does not look like BCrypt");
            return false;
        }

        return BCrypt.checkpw(rawPassword.toString(), encodedPassword);
    }

 

 

参考资料:

https://www.php.net/manual/en/function.crypt.php

这篇关于PHP和Java在bcrypt加密算法实现上的差异的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!