#99: first migration to bytes operation

Password4j · Feb 17, 2023 · 89708af · 89708af
1 parent c9bcc24
commit 89708af
Show file tree

Hide file tree

Showing 9 changed files with 273 additions and 12 deletions.
diff --git a/src/main/java/com/password4j/AbstractHashingFunction.java b/src/main/java/com/password4j/AbstractHashingFunction.java
@@ -77,6 +77,25 @@ public Hash hash(CharSequence plainTextPassword, String salt, CharSequence peppe
         return result;
     }
 
+    @Override
+    public Hash hash(byte[] plainTextPassword, byte[] salt, CharSequence pepper)
+    {
+        byte[] pepperAsBytes = Utils.fromCharSequenceToBytes(pepper);
+        byte[] peppered = Utils.append(pepperAsBytes, plainTextPassword);
+        Hash result;
+        if (salt == null)
+        {
+            result = hash(peppered);
+        }
+        else
+        {
+            result = hash(peppered, salt);
+        }
+
+        result.setPepper(pepper);
+        return result;
+    }
+
     /**
      * Just calls {@link #check(CharSequence, String)} without salt
      * parameter.
@@ -96,6 +115,25 @@ public boolean check(CharSequence plainTextPassword, String hashed, String salt)
         return check(plainTextPassword, hashed);
     }
 
+    /**
+     * Just calls {@link #check(CharSequence, String)} without salt
+     * parameter.
+     * <p>
+     * Do not override this if the algorithm doesn't need a manually
+     * provided salt.
+     *
+     * @param plainTextPassword the plaintext password as bytes array
+     * @param hashed            the hash as bytes array
+     * @param salt              the salt as bytes array used to produce the hash
+     * @return true if the hash is generated from the plaintext; false otherwise
+     * @since 1.7.0
+     */
+    @Override
+    public boolean check(byte[] plainTextPassword, byte[] hashed, byte[] salt)
+    {
+        return check(plainTextPassword, hashed);
+    }
+
     /**
      * Just calls {@link #check(CharSequence, String, String)}, with a prepended pepper.
      *
@@ -111,4 +149,20 @@ public boolean check(CharSequence plainTextPassword, String hashed, String salt,
         return check(Utils.append(pepper, plainTextPassword), hashed, salt);
     }
 
+    /**
+     * Just calls {@link #check(CharSequence, String, String)}, with a prepended pepper.
+     *
+     * @param plainTextPassword the plaintext password
+     * @param hashed            the hash
+     * @param salt              the salt used to produce the hash
+     * @return true if the hash is generated from the plaintext; false otherwise
+     * @since 1.7.0
+     */
+    @Override
+    public boolean check(byte[] plainTextPassword, byte[] hashed, byte[] salt, CharSequence pepper)
+    {
+        byte[] pepperAsBytes = Utils.fromCharSequenceToBytes(pepper);
+        return check(Utils.append(pepperAsBytes, plainTextPassword), hashed, salt);
+    }
+
 }
diff --git a/src/main/java/com/password4j/Argon2Function.java b/src/main/java/com/password4j/Argon2Function.java
@@ -172,12 +172,20 @@ public Hash hash(CharSequence plainTextPassword)
         return internalHash(Utils.fromCharSequenceToBytes(plainTextPassword), salt, null);
     }
 
+    @Override
+    public Hash hash(byte[] plainTextPassword)
+    {
+        byte[] salt = SaltGenerator.generate();
+        return internalHash(plainTextPassword, salt, null);
+    }
+
     @Override
     public Hash hash(CharSequence plainTextPassword, String salt)
     {
         return hash(plainTextPassword, salt, null);
     }
 
+    @Override
     public Hash hash(byte[] plainTextPassword, byte[] salt)
     {
         return hash(plainTextPassword, salt, null);
@@ -189,6 +197,7 @@ public Hash hash(CharSequence plainTextPassword, String salt, CharSequence peppe
         return internalHash(Utils.fromCharSequenceToBytes(plainTextPassword), Utils.fromCharSequenceToBytes(salt), pepper);
     }
 
+    @Override
     public Hash hash(byte[] plainTextPassword, byte[] salt, CharSequence pepper)
     {
         return internalHash(plainTextPassword, salt, pepper);
@@ -213,8 +222,13 @@ private Hash internalHash(byte[] plainTextPassword, byte[] salt, CharSequence pe
     @Override
     public boolean check(CharSequence plainTextPassword, String hashed)
     {
-        Object[] params = decodeHash(hashed);
-        return check(plainTextPassword, hashed, Utils.fromBytesToString((byte[]) params[5]), null);
+        return check(plainTextPassword, hashed, null, null);
+    }
+
+    @Override
+    public boolean check(byte[] plainTextPassword, byte[] hashed)
+    {
+        return check(plainTextPassword, hashed, null, null);
     }
 
     @Override
@@ -226,6 +240,7 @@ public boolean check(CharSequence plainTextPassword, String hashed, String salt,
         return check(plainTextPasswordAsBytes, hashedAsBytes, saltAsBytes, pepper);
     }
 
+    @Override
     public boolean check(byte[] plainTextPassword, byte[] hashed, byte[] salt, CharSequence pepper)
     {
         byte[] theSalt;

diff --git a/src/main/java/com/password4j/BcryptFunction.java b/src/main/java/com/password4j/BcryptFunction.java
@@ -248,6 +248,7 @@ public Hash hash(CharSequence plainTextPassword)
         return hash(plainTextPassword, salt);
     }
 
+    @Override
     public Hash hash(byte[] plainTextPasswordAsBytes)
     {
         String salt = generateSalt();
@@ -260,6 +261,7 @@ public Hash hash(CharSequence plainTextPassword, String salt)
         return internalHash(plainTextPassword, salt);
     }
 
+    @Override
     public Hash hash(byte[] plainTextPassword, byte[] salt)
     {
         return internalHash(plainTextPassword, Utils.fromBytesToString(salt));
@@ -271,6 +273,7 @@ public boolean check(CharSequence plainTextPassword, String hashed)
         return check(Utils.fromCharSequenceToBytes(plainTextPassword), Utils.fromCharSequenceToBytes(hashed));
     }
 
+    @Override
     public boolean check(byte[] plainTextPassword, byte[] hashed)
     {
         return internalCheck(plainTextPassword, hashed);

diff --git a/src/main/java/com/password4j/HashBuilder.java b/src/main/java/com/password4j/HashBuilder.java
@@ -25,9 +25,9 @@
  */
 public class HashBuilder
 {
-    private CharSequence plainTextPassword;
+    private byte[] plainTextPassword;
 
-    protected String salt;
+    protected byte[] salt;
 
     protected CharSequence pepper;
 
@@ -43,7 +43,16 @@ private HashBuilder()
      */
     protected HashBuilder(CharSequence plainTextPassword)
     {
-        this.plainTextPassword = plainTextPassword;
+        this.plainTextPassword = Utils.fromCharSequenceToBytes(plainTextPassword);
+    }
+
+    /**
+     * @param plainTextPasswordAsBytes the plain text password as bytes array
+     * @since 1.7.0
+     */
+    protected HashBuilder(byte[] plainTextPasswordAsBytes)
+    {
+        this.plainTextPassword = plainTextPasswordAsBytes;
     }
 
     /**
@@ -56,7 +65,21 @@ protected HashBuilder(CharSequence plainTextPassword)
      */
     public HashBuilder addSalt(String salt)
     {
-        this.salt = salt;
+        this.salt = Utils.fromCharSequenceToBytes(salt);
+        return this;
+    }
+
+    /**
+     * Add a cryptographic salt in the hashing process.
+     * The salt is applied differently depending on the chosen algorithm.
+     *
+     * @param saltAsBytes cryptographic salt as bytes array
+     * @return this builder
+     * @since 1.7.0
+     */
+    public HashBuilder addSalt(byte[] saltAsBytes)
+    {
+        this.salt = saltAsBytes;
         return this;
     }
 
@@ -72,7 +95,7 @@ public HashBuilder addSalt(String salt)
      */
     public HashBuilder addRandomSalt()
     {
-        this.salt = Utils.fromBytesToString(SaltGenerator.generate());
+        this.salt = SaltGenerator.generate();
         return this;
     }
 
@@ -94,7 +117,7 @@ public HashBuilder addRandomSalt(int length)
         }
         else
         {
-            this.salt = Utils.fromBytesToString(SaltGenerator.generate(length));
+            this.salt = SaltGenerator.generate(length);
         }
         return this;
     }

diff --git a/src/main/java/com/password4j/HashChecker.java b/src/main/java/com/password4j/HashChecker.java
@@ -25,13 +25,14 @@
  */
 public class HashChecker
 {
-    protected String hashed;
+    private byte[] plainTextPassword;
 
-    protected String salt;
+    protected byte[] hashed;
+
+    protected byte[] salt;
 
     private CharSequence pepper;
 
-    private CharSequence plainTextPassword;
 
     @SuppressWarnings("unused")
     private HashChecker()
@@ -45,6 +46,17 @@ private HashChecker()
      * @since 1.0.0
      */
     HashChecker(CharSequence plainTextPassword, String hashed)
+    {
+        this.hashed = Utils.fromCharSequenceToBytes(hashed);
+        this.plainTextPassword = Utils.fromCharSequenceToBytes(plainTextPassword);
+    }
+
+    /**
+     * @param plainTextPassword the plain text password as bytes array
+     * @param hashed            the hash to verify as bytes array
+     * @since 1.7.0
+     */
+    HashChecker(byte[] plainTextPassword, byte[] hashed)
     {
         this.hashed = hashed;
         this.plainTextPassword = plainTextPassword;
@@ -86,6 +98,20 @@ public HashChecker addPepper()
      * @since 1.0.0
      */
     public HashChecker addSalt(String salt)
+    {
+        this.salt = Utils.fromCharSequenceToBytes(salt);
+        return this;
+    }
+
+    /**
+     * Add a cryptographic salt in the verifying process.
+     * The salt is applied differently depending on the chosen algorithm.
+     *
+     * @param salt cryptographic salt as bytes array
+     * @return this builder
+     * @since 1.7.0
+     */
+    public HashChecker addSalt(byte[] salt)
     {
         this.salt = salt;
         return this;
@@ -225,9 +251,15 @@ public boolean withArgon2()
         return with(argon2);
     }
 
+    /**
+     * This method returns the String version of the hash bytes. This
+     * should be always a safe operation when using ISO-8859-1 encoding.
+     *
+     * @return String version of the hash
+     */
     protected String getHashed()
     {
-        return hashed;
+        return Utils.fromBytesToString(hashed);
     }
 
 }