0

I need to port a passlib (pbkdf2-sha512 to be specific) digest to another system (Auth0) and need to convert it to PHC string format using a B64 encoded salt (regular base64 without padding characters).

Passlib encodes to a shortened base64 format using it's own 'adapted base64 encoding' method. I basically need to convert that to the B64 format to include in my import file for Auth0.

The pbkdf2-sha512 documentation explains the output format as:

$pbkdf2-digest$rounds$salt$checksum

My complete pbkdf2-sha512 hash of my password 'Password!' looks like this:

$pbkdf2-sha512$25000$8d7bW2stZaw1BoBQyhkjZA$Dszct0GGjjfikK3cJhx.4M.YdOoytY9T5qaib9y8C/gvC1rE4iCWT970bN/MJD81RVToY.855KWRsGoPudA0HA

A simple script to output the passlib hash:

from passlib.hash import pbkdf2_sha512
print(pbkdf2_sha512.hash("Password!"))

From the Passlib documentation, I assume the following:

Key size: 16k (128 bits) - this is the default (not specified anywhere in the output) 
Digest type: pbkdf2-sha512 
Rounds: 25000  
Salt: 8d7bW2stZaw1BoBQyhkjZA
Digest / Hash data: Dszct0GGjjfikK3cJhx.4M.YdOoytY9T5qaib9y8C/gvC1rE4iCWT970bN/MJD81RVToY.855KWRsGoPudA0HA

What I'm struggling to do is convert the salt and digest to the B64 format required by Auth0. Any help is appreciated!

R2Bleep2
  • 77
  • 1
  • 7

1 Answers1

1

OK, I think I've figured it out... My understanding is that passlib's format simply replaces + with . and strips the padding and white space, so for my needs (vanilla B64 without whitespace or padding), I merely need to replace . with + and I have the correct format.

In my testing I also noticed that key length is 512 bytes (64k) not 128/16 as I originally thought.

I confirmed it using this tool: https://8gwifi.org/pbkdf.jsp (Note that padding is added to the salt to make it 24 characters long)

For anyone wanting a bit of background on the Passlib base 64 flavor, see this post on Google groups.

R2Bleep2
  • 77
  • 1
  • 7