Been breaking my head over this for the past day.

Given a token and salt, I need to generate a hashed token that matches the one produced by Spring's `MessageDigestPasswordEncoder.encodePassword`:

https://github.com/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java

I have tried everything available in CommonCrypto, 10 different ways, no luck.

The Java code:

```java
import org.springframework.security.authentication.encoding.MessageDigestPasswordEncoder;

public class EncoderDemo {
    public static void main(String[] args) {
        String token = "a token";
        String secret = "a salt";
        String sha = "SHA-256";
        String proposedMatch = "";

        MessageDigestPasswordEncoder encoder = new MessageDigestPasswordEncoder(sha);

        // Hash the token together with the salt
        String encryptedToken = encoder.encodePassword(token, secret);

        System.out.println("Encrypted Token: " + encryptedToken);

        // Re-encode token + salt and compare with the stored value
        boolean isMatch = encoder.isPasswordValid(encryptedToken, token, secret);
        System.out.println("Is the actual encrypted token valid? " + isMatch);
    }
}
```

Is there any C/C++ library I could use to match the output? (I don't have that bit above so I can run it; I've been given a token, a salt I can't share ~for obvious reasons~, and an expected output.)

David Homes
  • The key is what `mergePasswordAndSalt` does, it is not specified in the API docs so it is mysterious. Thus the result is mysterious. Better to use a well-known standard password derivation function such as [`PBKDF2`](https://en.wikipedia.org/wiki/PBKDF2). Locking yourself into `MessageDigestPasswordEncoder` may create interoperability issues as seen here. – zaph May 18 '16 at 17:02
  • zaph, many many thanks! Yeah, I could not find what the `mergePasswordAndSalt` exactly does (certainly not a concatenation, already tested) – David Homes May 18 '16 at 17:49
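A reference re-implementation for cross-checking a C/C++ port, added here as an example and not part of the original post or of Spring's code. It assumes the merge rule of Spring Security's legacy `BasePasswordEncoder` (`password + "{" + salt + "}"`, digest of the UTF-8 bytes, lowercase hex output, one iteration by default); confirm this against the source linked in the question. The function names are this example's own.

```python
import base64
import hashlib
import hmac


def merge_password_and_salt(password, salt, strict=False):
    """Assumed merge rule: password + "{" + salt + "}", or password alone if no salt."""
    password = "" if password is None else password
    if salt is None or salt == "":
        return password
    salt = str(salt)
    if strict and ("{" in salt or "}" in salt):
        raise ValueError("salt must not contain '{' or '}'")
    return password + "{" + salt + "}"


def encode_password(raw, salt, algorithm="SHA-256", iterations=1, as_base64=False):
    """Digest the UTF-8 bytes of the merged string; re-digest the raw bytes for extra iterations."""
    name = algorithm.replace("-", "").lower()  # "SHA-256" -> "sha256"
    merged = merge_password_and_salt(raw, salt).encode("utf-8")
    digest = hashlib.new(name, merged).digest()
    for _ in range(1, iterations):
        digest = hashlib.new(name, digest).digest()
    if as_base64:
        return base64.b64encode(digest).decode("ascii")
    return digest.hex()  # lowercase hex is the assumed default output form


def is_password_valid(encoded, raw, salt, **kwargs):
    """Recompute the hash and compare it with the stored value in constant time."""
    expected = encode_password(raw, salt, **kwargs)
    return hmac.compare_digest(str(encoded).encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values taken from the Java snippet in the question.
    hashed = encode_password("a token", "a salt")
    print("merged input :", merge_password_and_salt("a token", "a salt"))
    print("hashed token :", hashed)
    print("valid        :", is_password_valid(hashed, "a token", "a salt"))
```

A C or C++ port only has to feed the same merged byte string to any SHA-256 routine (for example `CC_SHA256` from CommonCrypto) and hex-encode the 32-byte result in lowercase.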

0 Answers