jBCrypt checkpw returns true even though the passwords differ

Time: 2017-12-14 22:03:12

Tags: jbcrypt

I'm pretty sure I must be doing something completely wrong, but why does this test fail on the last two assertions?

Two relatively similar but different strings (basically JWTs) check out against each other's hashes?

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import org.mindrot.jbcrypt.BCrypt;

@Test
public void testMoreHashing() {

    String longToken =  "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IkNZOXJ6VVloMDNQSzNrNkRKaWUwOWc9PSIsIm5iZiI6MTUxMzI4NzAzNCwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM0LCJpYXQiOjE1MTMyODcwMzQsImVtYWlsIjoiYUBiLmNvbSJ9.IYMKztYEIJxzYgHpUDhCHcG22h28OQAsMg7TEMBVYELSczeniwv8IKxgrSBub9Q0X14UT6LnQUu4yeeTofRYH2jRSwW42gfaW5uK8NJQVdluNdZwUsWHVG05gbaSM7ZeS4tH3-SVbUOO3uJ-N2sVcBF5AFLaIAu0GD9CzPU1CjYYc9JiAArztAS5j7pK-xGNTRCKvcoGLa9iG9nhvssTZkPH6kPOJj9RHFo30mgSnPIGSc6040h7n8X7LCUC4qfUe1sOknHomN_RKTQk4Q5FBL1snTyCTxcaErVwvjv__YK9FQ40pDfOboEsSk81CYW6SbqDIdVlyr09VrDzIwJpPA";
    String shortToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IlU3bFFoV09TUDBmMDdOZ1BWTkd3d0E9PSIsIm5iZiI6MTUxMzI4NzAzNSwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM1LCJpYXQiOjE1MTMyODcwMzUsImVtYWlsIjoiYUBiLmNvbSJ9.";

    // Each token verifies against its own hash, as expected.
    String longTokenHash = BCrypt.hashpw(longToken, BCrypt.gensalt(13));
    assertTrue(BCrypt.checkpw(longToken, longTokenHash));

    String shortTokenHash = BCrypt.hashpw(shortToken, BCrypt.gensalt(13));
    assertTrue(BCrypt.checkpw(shortToken, shortTokenHash));

    // The tokens and their hashes really are different strings.
    assertFalse(longToken.equalsIgnoreCase(shortToken));
    assertFalse(longTokenHash.equalsIgnoreCase(shortTokenHash));
    assertFalse(longToken.contains(shortToken));

    // These two assertions are the ones that fail: checkpw returns true
    // for the other token's hash.
    assertFalse(BCrypt.checkpw(longToken, shortTokenHash));
    assertFalse(BCrypt.checkpw(shortToken, longTokenHash));
}

The version of jBCrypt in use, copied from my pom.xml, is

<dependency>
    <groupId>de.svenkubiak</groupId>
    <artifactId>jBCrypt</artifactId>
    <version>0.4</version>
</dependency>

junit is version 4.12

Thanks for your help :)

1 answer:

Answer 0 (score: 2)

As @tadman pointed out, the Blowfish algorithm in use truncates the password to 72 characters, and the passwords used here only start to differ at position 79. See also https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length
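Added example (not part of the question or the answer, and not jBCrypt's code): a pure-Python model of the behaviour the answer describes. It takes the two tokens from the question, finds the first byte where they differ, and shows that bcrypt's 72-byte key limit makes them the same key. It also goes one step beyond the answer with the usual mitigation: check the input length before calling bcrypt, or pre-hash the secret with SHA-256 and base64 so that the whole input influences the result. The constant name, the function names and the pre-hash scheme are this example's own choices, not jBCrypt API; no bcrypt library is imported, so it runs offline.

```python
import base64
import hashlib

# bcrypt's Blowfish key schedule only consumes the first 72 bytes of the
# password; anything beyond that has no effect on the resulting hash.
BCRYPT_MAX_PASSWORD_BYTES = 72

# The two tokens from the question (JWT header.payload[.signature]).
LONG_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9."
    "eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IkNZOXJ6VVloMDNQSzNrNkRKaWUwOWc9PSIs"
    "Im5iZiI6MTUxMzI4NzAzNCwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM0LCJpYXQiOjE1"
    "MTMyODcwMzQsImVtYWlsIjoiYUBiLmNvbSJ9."
    "IYMKztYEIJxzYgHpUDhCHcG22h28OQAsMg7TEMBVYELSczeniwv8IKxgrSBub9Q0X14UT6LnQUu4"
    "yeeTofRYH2jRSwW42gfaW5uK8NJQVdluNdZwUsWHVG05gbaSM7ZeS4tH3-SVbUOO3uJ-N2sVcBF5"
    "AFLaIAu0GD9CzPU1CjYYc9JiAArztAS5j7pK-xGNTRCKvcoGLa9iG9nhvssTZkPH6kPOJj9RHFo3"
    "0mgSnPIGSc6040h7n8X7LCUC4qfUe1sOknHomN_RKTQk4Q5FBL1snTyCTxcaErVwvjv__YK9FQ40"
    "pDfOboEsSk81CYW6SbqDIdVlyr09VrDzIwJpPA"
)
SHORT_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9."
    "eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IlU3bFFoV09TUDBmMDdOZ1BWTkd3d0E9PSIs"
    "Im5iZiI6MTUxMzI4NzAzNSwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM1LCJpYXQiOjE1"
    "MTMyODcwMzUsImVtYWlsIjoiYUBiLmNvbSJ9."
)


def first_difference(a: str, b: str) -> int:
    """0-based index of the first UTF-8 byte where a and b differ, or -1 if equal."""
    ab, bb = a.encode("utf-8"), b.encode("utf-8")
    for i, (x, y) in enumerate(zip(ab, bb)):
        if x != y:
            return i
    return -1 if len(ab) == len(bb) else min(len(ab), len(bb))


def bcrypt_effective_key(password: str) -> bytes:
    """Model of bcrypt's input handling: UTF-8 encode, keep only the first 72 bytes."""
    return password.encode("utf-8")[:BCRYPT_MAX_PASSWORD_BYTES]


def bcrypt_would_match(candidate: str, original: str) -> bool:
    """Model of checkpw(candidate, hashpw(original, salt)): with the same salt the
    hash depends only on the truncated key, so equal truncated keys verify."""
    return bcrypt_effective_key(candidate) == bcrypt_effective_key(original)


def exceeds_bcrypt_limit(password: str) -> bool:
    """Defensive check: flag inputs that bcrypt would silently truncate."""
    return len(password.encode("utf-8")) > BCRYPT_MAX_PASSWORD_BYTES


def prehash_for_bcrypt(password: str) -> str:
    """Fold an arbitrarily long secret into 44 ASCII bytes before bcrypt (hypothetical
    scheme chosen here): SHA-256 digest, then base64 so every input byte influences
    the key and no NUL bytes appear (some bcrypt implementations stop at a NUL)."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    idx = first_difference(LONG_TOKEN, SHORT_TOKEN)
    print(f"tokens first differ at byte index {idx} (position {idx + 1})")
    print("bcrypt sees them as the same key:", bcrypt_would_match(LONG_TOKEN, SHORT_TOKEN))
    print("pre-hashed keys differ:",
          prehash_for_bcrypt(LONG_TOKEN) != prehash_for_bcrypt(SHORT_TOKEN))
```

Run as-is: the first difference lands at index 78 (position 79, as the answer says), well past the 72-byte cut-off, so the model reports a match; the pre-hashed forms are 44 bytes long and distinct, which is why pre-hashing (or rejecting over-long input up front) removes this class of false positive.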