Security: support Modular Crypt Format or its successor PHC #5667
Comments
|
https://www.npmjs.com/package/@phc/bcrypt has examples of the PHC format for bcrypt. |
|
http://wildfly-security.github.io/wildfly-elytron/1.9.x/api-javadoc/org/wildfly/security/password/util/ModularCrypt.html has support for MCF, so it's just a matter of being able to use it. As for PHC, we probably need to add support for it in Elytron, WDYT @dmlloyd ? |
|
If PHC is, as they claim, a "well defined subset of the Modular Crypt Format" then it's just a question of adding support for whatever additional formats we are missing. The PHC document at https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md mentions a few password types which are not supported presently by Elytron, specifically the "argon" group of algorithms. |
|
OK. Though it turns out, looking at the sources of elytron-jdbc, that they appear to support MCF, given this code: if (saltColumn == -1 && iterationCountColumn == -1) {
// try modular crypt
final String s = getStringColumn(metaData, resultSet, hashColumn);
if (s != null) {
final char[] chars = s.toCharArray();
final String identified = ModularCrypt.identifyAlgorithm(chars);
if (identified != null) {
try {
Password modularCryptPassword = ModularCrypt.decode(chars);
if (log.isTraceEnabled()) {
log.tracef("Key Mapper: Password credential created using Modular Crypt algorithm [%s]", identified);
}
return new PasswordCredential(modularCryptPassword);
} catch (InvalidKeySpecException e) {
log.tracef(e, "Key Mapper: Unable to identify Modular Crypt algorithm [%s]", identified);
}
}
}
}And in the builder, It's entirely possible that at least for Could you test this please @wowselim and report back? If it works, then we might just have to update our config defaults and documentation. Thanks a lot. |
|
@FroMage you're right, it's supported indeed. Here's a project with a working test to demonstrate: |
|
Awesome! So the config required is: quarkus.security.jdbc.enabled=true
quarkus.security.jdbc.principal-query.sql=SELECT password, role FROM account WHERE email=?
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.enabled=true
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.password-index=1
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.salt-index=-1
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.iteration-count-index=-1I think we should document this, and also make WDYT @sberyozkin ? |
|
It's probably best to change their type to |
|
Sure. |
|
I've created two PRs updating the documentation as well as the quickstart project. See #39122 |
|
The docs are great, but we should also fix the default values of the salt/iteration config values to simplify. |
ATM our security extensions support several sorts of algorithms:
HEX( MD5( username ":" realm ":" password ) )We should support MCF and/or its successor PHC for both options, even if we don't support all the algo types.
The text was updated successfully, but these errors were encountered: