
Replace Bouncy Castle's OpenBSDBCrypt used in password hashing and verification #4361

Closed
dancristiancecoi opened this issue May 23, 2024 · 2 comments
Assignees
Labels
triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. v2.15.0 Issues targeting release v2.15.0

Comments

@dancristiancecoi
Contributor

dancristiancecoi commented May 23, 2024

Is your feature request related to a problem?

Currently the password hashing and verification logic is built around Bouncy Castle's OpenBSDBCrypt. This will present a problem in FIPS-enabled environments, as BCrypt is not a FIPS-compliant algorithm and the BouncyCastle provider itself is not FIPS-enabled.

What solution would you like?

I propose we remove any references to OpenBSDBCrypt from the code & replace it with an implementation built around the Password4J library.

In my opinion these are the points in favor of Password4j:

  • Open Source with an Apache License
  • Actively maintained
  • Supports BCrypt, Argon2, SCrypt, PBKDF2
  • Straightforward API
  • Backwards compatible (it can verify hashes generated by the current BouncyCastle/OpenBSDBCrypt implementation)
  • Supports updating existing hashes (to a more secure configuration or to an entirely different algorithm).
  • Relatively popular

Do you have any additional context?

This will help towards the following issues:

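To make the "backwards compatible" and "supports updating of existing hashes" points concrete, here is an added migration example; it is not code from this issue or from the OpenSearch security plugin. It assumes both `org.bouncycastle:bcprov-jdk18on` and `com.password4j:password4j` are on the classpath, uses Bouncy Castle only to produce a hash the way the legacy code path would, and then verifies and upgrades that hash with Password4j alone. The class name and the helper method names are hypothetical; the Password4j and Bouncy Castle calls are their public APIs.

```java
import java.security.SecureRandom;

import org.bouncycastle.crypto.generators.OpenBSDBCrypt;

import com.password4j.Argon2Function;
import com.password4j.BcryptFunction;
import com.password4j.Hash;
import com.password4j.HashUpdate;
import com.password4j.Password;
import com.password4j.types.Argon2;
import com.password4j.types.Bcrypt;

/** Hypothetical migration helper: verify legacy OpenBSDBCrypt hashes with Password4j and re-hash. */
public class BcryptMigrationExample {

    /** What the legacy code path stores: a "$2y$12$..." string from Bouncy Castle. */
    static String legacyHash(char[] password) {
        byte[] salt = new byte[16];            // OpenBSDBCrypt requires exactly 16 salt bytes
        new SecureRandom().nextBytes(salt);
        return OpenBSDBCrypt.generate(password, salt, 12);   // default version prefix is "$2y$"
    }

    /** Step 1: verify a legacy hash with Password4j only (no Bouncy Castle call). */
    static boolean verifyLegacy(char[] password, String storedHash) {
        // Password4j parses the version and cost out of the stored string itself.
        return Password.check(new String(password), storedHash).withBcrypt();
    }

    /** Step 2: verify and, if the password is correct, re-hash at a higher bcrypt cost. */
    static HashUpdate verifyAndRaiseCost(char[] password, String storedHash) {
        BcryptFunction current = BcryptFunction.getInstanceFromHash(storedHash); // e.g. $2y$, cost 12
        BcryptFunction stronger = BcryptFunction.getInstance(Bcrypt.Y, 14);
        return Password.check(new String(password), storedHash)
                       .andUpdate()
                       .with(current, stronger);
    }

    /** Step 3: verify and migrate to a different algorithm entirely (Argon2id). */
    static HashUpdate verifyAndMigrateToArgon2(char[] password, String storedHash) {
        BcryptFunction current = BcryptFunction.getInstanceFromHash(storedHash);
        // memory (KiB), iterations, parallelism, output length (bytes), variant
        Argon2Function argon2id = Argon2Function.getInstance(65536, 3, 1, 32, Argon2.ID);
        return Password.check(new String(password), storedHash)
                       .andUpdate()
                       .addNewRandomSalt()
                       .with(current, argon2id);
    }

    public static void main(String[] args) {
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample input
        String stored = legacyHash(password);
        System.out.println("legacy hash: " + stored);

        System.out.println("verify legacy with Password4j: " + verifyLegacy(password, stored));
        System.out.println("wrong password rejected: "
                + !verifyLegacy("wrong".toCharArray(), stored));

        HashUpdate costUpgrade = verifyAndRaiseCost(password, stored);
        if (costUpgrade.isVerified()) {
            Hash upgraded = costUpgrade.getHash();             // persist upgraded.getResult()
            System.out.println("cost-14 bcrypt: " + upgraded.getResult());
            System.out.println("new hash verifies: "
                    + Password.check(new String(password), upgraded.getResult()).withBcrypt());
        }

        HashUpdate algoMigration = verifyAndMigrateToArgon2(password, stored);
        if (algoMigration.isVerified()) {
            String argon2Hash = algoMigration.getHash().getResult();
            System.out.println("argon2id: " + argon2Hash);
            System.out.println("argon2id verifies: "
                    + Password.check(new String(password), argon2Hash).withArgon2());
        }

        // The caller, not the library, decides when a rejected login means "do not update".
        HashUpdate rejected = verifyAndRaiseCost("wrong".toCharArray(), stored);
        System.out.println("rejected login yields no new hash: " + !rejected.isVerified());
    }
}
```

Two caveats a practitioner would want alongside this. First, the update step only runs when the user has just presented the correct plaintext, so migration is necessarily lazy: hashes of accounts that never log in stay at the old algorithm and cost until you force a reset. Second, swapping libraries does not change the FIPS picture for bcrypt itself; bcrypt is not a NIST-approved password hashing construction under any provider. If an approved algorithm is the actual requirement, the candidate is PBKDF2 with an approved HMAC (NIST SP 800-132), which Password4j also exposes, and the HMAC should come from a FIPS-validated JCA provider.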
@dancristiancecoi
Contributor Author

Please assign to me once triaged.

@github-actions github-actions bot added the untriaged Require the attention of the repository maintainers and may need to be prioritized label May 23, 2024
@stephen-crawford
Contributor

[Triage] Hi @dancristiancecoi thanks for filing this issue. Looks good. Assigning to you as requested.

@stephen-crawford stephen-crawford added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jun 3, 2024
@cwperks cwperks added the v2.15.0 Issues targeting release v2.15.0 label Jun 14, 2024