I am trying to save the user password using the Bcrypt algorithm in Oracle 11g. I know this can be done in Java easily, but in this case I want to do this on the DB side. Can anyone help me achieve this?

Currently I am using SHA256, which is done through a Java stored procedure, as 11g supports up to SHA1 only. :(

```sql
-- Java source compiled inside the database
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED SHA256 AS
import java.security.MessageDigest;
import oracle.sql.*;

public class SHA256
{
  // Returns the raw 32-byte SHA-256 digest of the UTF-8 encoded input
  public static oracle.sql.RAW get_digest( String p_string ) throws Exception
  {
    MessageDigest v_md = MessageDigest.getInstance( "SHA-256" );
    byte[] v_digest;
    v_digest = v_md.digest( p_string.getBytes( "UTF-8" ) );
    return RAW.newRAW(v_digest);
  }
}
/

-- PL/SQL call specification that exposes the Java method to SQL
CREATE OR REPLACE FUNCTION SHA256_ENCRYPT(p_string VARCHAR2)
RETURN RAW
AS
LANGUAGE JAVA
NAME 'SHA256.get_digest( java.lang.String ) return oracle.sql.RAW';
/
```

For those who are interested, final working copy of Bcrypt in Oracle11g!

Manoj
  • I think you're right about not wanting to encrypt passwords using SHA - perhaps start from here: http://stackoverflow.com/a/11087219/103295 – Jeffrey Kemp Apr 30 '14 at 07:20
  • Hello **Jeffrey**, but I have already gone through the link, and if I am correct the solutions are referring to dbms_crypto. Unfortunately Oracle 11g supports up to SHA1 only, that's why I am trying to do it in the Java SP model - BCrypt. – Manoj Apr 30 '14 at 12:10
  • Yeah it wasn't a complete solution to your problem. That was the closest I could find - i.e. basically your best bet right now would be to use an established (trusted) Java implementation and wrap it in a PL/SQL function (just as you've done with your SHA256 implementation). I'd be wary of trying to knock up a simple implementation in PL/SQL except just for play/test purposes. – Jeffrey Kemp Apr 30 '14 at 12:13
  • That is correct indeed. Well, let me try to use an existing Java implementation and build a PL/SQL function. Will get back with the results. In the meantime, if someone has done this already, please do reply. – Manoj Apr 30 '14 at 13:47
  • I did manage to implement BCrypt using a Java Stored Procedure. But is it safe to use Java Stored Procedures, or in other words, is it a standard practice? – Manoj May 06 '14 at 09:56
  • It's common practice when something isn't available in native PL/SQL. Its safety really depends on how well it's been implemented on the Java side. – Jeffrey Kemp May 06 '14 at 09:57

1 Answer

We faced the same problem.
At last we implemented the BCrypt algorithm inside Oracle with a native Java function.
I published the source code on GitHub.

Dharman
Mohsen Heydari
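
One way to follow the approach suggested in the comments (wrap an established Java implementation in a PL/SQL function), as an added example that is not the code from the answer or its GitHub repository. It assumes jBCrypt's `org.mindrot.jbcrypt.BCrypt` class has already been loaded into the schema (for example with `loadjava`); `BcryptWrapper`, `BCRYPT_HASH`, `BCRYPT_VERIFY` and `app_users` are hypothetical names.

```sql
-- Added example. Assumes jBCrypt (org.mindrot.jbcrypt.BCrypt) is already loaded
-- and resolved in this schema; all other names here are hypothetical.
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED BCRYPT_WRAPPER AS
import org.mindrot.jbcrypt.BCrypt;

public class BcryptWrapper
{
  // Hash with a fresh random salt; p_cost is the log2 work factor (e.g. 12).
  public static String hash( String p_password, int p_cost )
  {
    if ( p_password == null ) throw new IllegalArgumentException( "password is null" );
    return BCrypt.hashpw( p_password, BCrypt.gensalt( p_cost ) );
  }

  // Returns 1 on match, 0 otherwise (including NULL or malformed stored hash).
  public static int verify( String p_password, String p_hash )
  {
    if ( p_password == null || p_hash == null ) return 0;
    try {
      return BCrypt.checkpw( p_password, p_hash ) ? 1 : 0;
    } catch ( RuntimeException e ) {
      return 0;
    }
  }
}
/

-- Call specifications: the salt and cost travel inside the returned hash string.
CREATE OR REPLACE FUNCTION BCRYPT_HASH(p_password VARCHAR2, p_cost NUMBER)
RETURN VARCHAR2
AS
LANGUAGE JAVA
NAME 'BcryptWrapper.hash( java.lang.String, int ) return java.lang.String';
/

CREATE OR REPLACE FUNCTION BCRYPT_VERIFY(p_password VARCHAR2, p_hash VARCHAR2)
RETURN NUMBER
AS
LANGUAGE JAVA
NAME 'BcryptWrapper.verify( java.lang.String, java.lang.String ) return int';
/

-- Usage (app_users is a hypothetical table; pw_hash holds the 60-character hash).
-- Pass the password as a bind variable so it does not end up in the SQL text.
-- UPDATE app_users SET pw_hash = BCRYPT_HASH(:pw, 12) WHERE username = :u;
-- SELECT BCRYPT_VERIFY(:pw, pw_hash) FROM app_users WHERE username = :u;
```

Unlike the unsalted SHA-256 digest in the question, each call to `BCRYPT_HASH` yields a different string for the same password, so verification has to go through `BCRYPT_VERIFY` rather than an equality comparison on re-hashed input.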