Hi everyone, argon2 and bcrypt are now implemented via the new default Shiro2 format. It is fully backwards compatible with the Shiro1 crypt format. Current PR: https://github.com/apache/shiro/pull/273
I would need a second look at the only failing test: DefaultPasswordService.testStringComparisonWhenNotUsingAParsableHashFormat I am not sure yet if it actually makes sense. Maybe we can just deprecate or even remove the non-KDF formats? Am Di., 5. Jan. 2021 um 15:09 Uhr schrieb Francois Papon < [email protected]>: > Hi Benjamin, > > I like the idea of a new Shiro2 CryptFormat with parameters. > > About the bcrypt or OpenBSD-Bcrypt-Base64, I think we can drop some old > crypt format, so I'm agree to ditch them. > > regards, > > François > [email protected] > > Le 04/01/2021 à 15:33, Benjamin Marwell a écrit : > > Hi everyone! > > > > There’s a new draft PR [1] for SHIRO-290 [2] which enables > > argon2, scrypt (tbd), bcrypt. > > > > I need a design decision here before I can continue. > > I would like to introduce a Shiro2 CryptFormat which can hold parameters > > other than just the iteration count, and also the version. E.g. argon2 > > output looks like this: > > > > > > > $argon2i$v=19$m=65536,t=2,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG > > (which is: format-id, version, parameters, hash, salt) > > > > scrypt: > > $7$C6..../....testsalt$8iWefERUpfDgs0B1s2CCn0flMHOLqzCNVMn0AwxoEM8 > > (which is: format-id logN r p salt key) > > > > bcrypt: > > $2y$10$7rOjsAf2U/AKKqpMpCIn6e$tuOXyQ86tp2Tn9xv6FyXl2T0QYc3.G. > > (which is: format-id, iterations, 22 chars Radix64 salt + rest radix64 > data) > > … where Radix64 = OpenBSD-BCrypt-Base64. > > > > The current PR uses the shiro1 crypt format, which will also split up > > bcrypt salt + hash using a '$', but will still retain the Radix64 > > implementation. > > > > Questions from the PR: > > 1.) Introduce a new Shiro2 Crypt Format to better support parameters? > > What would it look like? (PS: Please do not say \n-seperated JSON > aka > > JSON-lines) > > 2.) ditch bcrypt so we can also ditch the special OpenBSD-Bcrypt-Base64? > > 3.) API changes – are they okay the way they are? > > > > Rest see PR. > > > > Thanks! > > Ben > > > > > > [1]: https://github.com/apache/shiro/pull/273 > > [2]: https://issues.apache.org/jira/browse/SHIRO-290 > > >
