Merge pull request #577 from randilt/implement-password-handling-bcrypt

Add BCrypt and Argon2 password handling to crypto module
ballerina-platform · Jan 20, 2025 · 6c48143 · 6c48143
2 parents d6f4922 + 7becdb6
commit 6c48143
Show file tree

Hide file tree

Showing 9 changed files with 993 additions and 2 deletions.
diff --git a/ballerina/Dependencies.toml b/ballerina/Dependencies.toml
@@ -5,7 +5,7 @@
 
 [ballerina]
 dependencies-toml-version = "2"
-distribution-version = "2201.11.0-20241121-075100-c4c87cbc"
+distribution-version = "2201.11.0-20241218-101200-109f6cc7"
 
 [[package]]
 org = "ballerina"

diff --git a/ballerina/hash.bal b/ballerina/hash.bal
@@ -104,3 +104,64 @@ public isolated function crc32b(byte[] input) returns string = @java:Method {
     name: "crc32b",
     'class: "io.ballerina.stdlib.crypto.nativeimpl.Hash"
 } external;
+
+# Returns a BCrypt hash of the given password with optional work factor.
+# ```ballerina
+# string password = "mySecurePassword123";
+# string|crypto:Error hash = crypto:hashBcrypt(password);
+# ```
+#
+# + password - Password string to be hashed
+# + workFactor - Optional work factor (cost parameter) between 4 and 31. Default is 12
+# + return - BCrypt hashed password string or Error if hashing fails
+public isolated function hashBcrypt(string password, int workFactor = 12) returns string|Error = @java:Method {
+    name: "hashPassword",
+    'class: "io.ballerina.stdlib.crypto.nativeimpl.Password"
+} external;
+
+# Verifies if a password matches a BCrypt hashed password.
+# ```ballerina
+# string password = "mySecurePassword123";
+# string hashedPassword = "$2a$12$LQV3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewYpwBAM7RHF.H9m";
+# boolean|crypto:Error matches = crypto:verifyBcrypt(password, hashedPassword);
+# ```
+#
+# + password - Password string to verify
+# + hashedPassword - BCrypt hashed password to verify against
+# + return - Boolean indicating if password matches or Error if verification fails
+public isolated function verifyBcrypt(string password, string hashedPassword) returns boolean|Error = @java:Method {
+    name: "verifyPassword",
+    'class: "io.ballerina.stdlib.crypto.nativeimpl.Password"
+} external;
+
+# Returns an Argon2id hash of the given password with optional parameters.
+# ```ballerina
+# string password = "mySecurePassword123";
+# string|crypto:Error hash = crypto:hashArgon2(password);
+# ```
+#
+# + password - Password string to be hashed
+# + iterations - Optional number of iterations. Default is 3
+# + memory - Optional memory usage in KB. Default is 65536 (64MB)
+# + parallelism - Optional degree of parallelism. Default is 4
+# + return - Argon2id hashed password string or Error if hashing fails
+public isolated function hashArgon2(string password, int iterations = 3, int memory = 65536, int parallelism = 4) returns string|Error = @java:Method {
+    name: "hashPasswordArgon2",
+    'class: "io.ballerina.stdlib.crypto.nativeimpl.PasswordArgon2"
+} external;
+
+# Verifies if a password matches an Argon2id hashed password.
+# ```ballerina
+# string password = "mySecurePassword123";
+# string hashedPassword = "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$hash";
+# boolean|crypto:Error matches = crypto:verifyArgon2(password, hashedPassword);
+# ```
+#
+# + password - Password string to verify
+# + hashedPassword - Argon2id hashed password to verify against
+# + return - Boolean indicating if password matches or Error if verification fails
+public isolated function verifyArgon2(string password, string hashedPassword) returns boolean|Error = @java:Method {
+    name: "verifyPasswordArgon2",
+    'class: "io.ballerina.stdlib.crypto.nativeimpl.PasswordArgon2"
+} external;
+