
I'm trying to write a service to handle user password hashing and verification. I'm using Wildfly Elytron libraries and using the service in the context of a quarkus web service. The issue I am coming across is that when I try to verify the password, the verify method throws a java.security.InvalidKeyException, with a null message. I've been using the library's unit tests (javatips.net) to base my implementation on, and as far as I can tell I have things implemented correctly. As the exception literally has no message it's hard to know what is wrong, and googling doesn't yield much. Any ideas?

    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import java.security.spec.InvalidKeySpecException;

    import org.wildfly.security.password.PasswordFactory;
    import org.wildfly.security.password.WildFlyElytronPasswordProvider;
    import org.wildfly.security.password.interfaces.BCryptPassword;
    import org.wildfly.security.password.spec.EncryptablePasswordSpec;
    import org.wildfly.security.password.spec.IteratedSaltedPasswordAlgorithmSpec;
    import org.wildfly.security.password.util.ModularCrypt;

    // LOGGER, ITERATIONS, getSalt(), PasswordValidator and the custom exception types
    // (PasswordValidationException, WebServerException, CorruptedKeyException) belong to
    // the surrounding class and are not shown in the question. ALGORITHM is assumed to be
    // the bcrypt algorithm name, since the generated passwords are cast to BCryptPassword.
    private static final String ALGORITHM = BCryptPassword.ALGORITHM_BCRYPT;

    private final PasswordValidator passwordValidator;
    private final PasswordFactory passwordFactory;

    public PasswordService(
            PasswordValidator passwordValidator // my own password strength validator
    ) {
        this.passwordValidator = passwordValidator;
        WildFlyElytronPasswordProvider provider = WildFlyElytronPasswordProvider.getInstance();

        try {
            // one factory per algorithm; it is reused for hashing and verification
            this.passwordFactory = PasswordFactory.getInstance(ALGORITHM, provider);
        } catch (NoSuchAlgorithmException e) {
            LOGGER.error("Somehow got an exception when setting up password factory. Error: ", e);
            throw new RuntimeException(e);
        }
    }

    public String createPasswordHash(String password) throws PasswordValidationException {
        this.passwordValidator.validateAndSanitize(password);

        // bcrypt parameters: cost (ITERATIONS) plus a fresh random salt per password
        IteratedSaltedPasswordAlgorithmSpec iteratedAlgorithmSpec = new IteratedSaltedPasswordAlgorithmSpec(ITERATIONS, getSalt());
        EncryptablePasswordSpec encryptableSpec = new EncryptablePasswordSpec(password.toCharArray(), iteratedAlgorithmSpec);

        try {
            BCryptPassword original = (BCryptPassword) passwordFactory.generatePassword(encryptableSpec);
            // store the hash in Modular Crypt Format ("$2a$...")
            return ModularCrypt.encodeAsString(original);
        } catch (InvalidKeySpecException e) {
            LOGGER.error("Somehow got an invalid key spec. This should not happen. Error: ", e);
            throw new WebServerException(e);
        }
    }

    public boolean passwordMatchesHash(String encodedPass, String pass) throws CorruptedKeyException {
        BCryptPassword original = null;
        try {
            // parse the stored Modular Crypt Format string back into a Password object
            original = (BCryptPassword) ModularCrypt.decode(encodedPass);
        } catch (InvalidKeySpecException e) {
            LOGGER.error("Somehow got an invalid key spec. This should not happen. Error: ", e);
            throw new WebServerException(e);
        }
        try {
            return passwordFactory.verify(original, pass.toCharArray()); // throws the invalid key exception
        } catch (InvalidKeyException e) {
            LOGGER.error("Somehow got an invalid key. This probably shouldn't happen? Error: ", e);
            throw new WebServerException(e);
        }
    }
user207421
Snappawapa

1 Answer


Figured it out. The original link I posted for the unit tests was out of date, and thus was slightly wrong.

Actual (up to date) tests

I was missing a wrapper for the decoding of the encoded hash:

    original = (BCryptPassword) passwordFactory.translate(ModularCrypt.decode(encodedPass));

Snappawapa
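The full hash-and-verify round trip with the answer's `translate()` step in place, as an added example that is not the question's or the answer's code; it assumes a bcrypt cost of 10 and the class and method names are the example's own:

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

import org.wildfly.security.password.Password;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.WildFlyElytronPasswordProvider;
import org.wildfly.security.password.interfaces.BCryptPassword;
import org.wildfly.security.password.spec.EncryptablePasswordSpec;
import org.wildfly.security.password.spec.IteratedSaltedPasswordAlgorithmSpec;
import org.wildfly.security.password.util.ModularCrypt;

public class BcryptRoundTrip {
    // bcrypt cost factor (2^COST rounds); 10 is an assumed value, not from the question
    private static final int COST = 10;

    private static PasswordFactory factory() throws NoSuchAlgorithmException {
        return PasswordFactory.getInstance(BCryptPassword.ALGORITHM_BCRYPT,
                WildFlyElytronPasswordProvider.getInstance());
    }

    /** Hashes a clear-text password and returns the Modular Crypt Format string. */
    static String hash(char[] clear) throws Exception {
        byte[] salt = new byte[BCryptPassword.BCRYPT_SALT_SIZE]; // fresh 16-byte salt
        new SecureRandom().nextBytes(salt);
        EncryptablePasswordSpec spec = new EncryptablePasswordSpec(clear,
                new IteratedSaltedPasswordAlgorithmSpec(COST, salt));
        return ModularCrypt.encodeAsString(factory().generatePassword(spec));
    }

    /** Verifies a clear-text password against a stored Modular Crypt Format string. */
    static boolean verify(String stored, char[] clear) throws Exception {
        PasswordFactory pf = factory();
        // ModularCrypt.decode() returns a Password this factory does not own; verify()
        // rejects such an object with InvalidKeyException, so translate() it first.
        Password owned = pf.translate(ModularCrypt.decode(stored));
        return pf.verify(owned, clear);
    }

    public static void main(String[] args) throws Exception {
        String stored = hash("correct horse".toCharArray());
        System.out.println("right password: " + verify(stored, "correct horse".toCharArray()));
        System.out.println("wrong password: " + verify(stored, "wrong".toCharArray()));
        try {
            // what the question's passwordMatchesHash() did: verify() without translate()
            factory().verify(ModularCrypt.decode(stored), "correct horse".toCharArray());
        } catch (InvalidKeyException e) {
            System.out.println("without translate(): " + e);
        }
    }
}
```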