[wildfly-dev] On the WildFly Elytron PasswordFactory API

Anil Saldhana Anil.Saldhana at redhat.com
Wed Jun 11 11:33:41 EDT 2014


On 06/11/2014 09:30 AM, David M. Lloyd wrote:
> On 06/04/2014 11:07 AM, David M. Lloyd wrote:
> [...]
>> Example: Encrypting a new password
>> ----------------------------------
>>
>>      PasswordFactory pf = PasswordFactory.getInstance("sha1crypt");
>>      // API not yet established but will be similar to this possibly:
>>      ???? parameters = new
>> ???SHA1CryptPasswordParameterSpec("p4ssw0rd".toCharArray());
>>      Password encrypted = pf.generatePassword(parameters);
>>      assert encrypted instanceof SHA1CryptPassword;
> I have a concrete specification for this example now:
>
>       PasswordFactory pf = PasswordFactory.getInstance("sha-256-crypt");
>       // use a 64-byte random salt; most algorithms support flexible sizes
>       byte[] salt = new byte[64];
>       ThreadLocalRandom.current().nextBytes(salt); // ThreadLocalRandom exposes nextBytes, not getBytes
>       // iteration count is 4096, can generally be more (or less)
>       AlgorithmParameterSpec aps =
>               new HashedPasswordAlgorithmSpec(4096, salt);
>       char[] chars = "p4ssw0rd".toCharArray();
>       PasswordSpec spec = new EncryptablePasswordSpec(chars, aps);
>       Password pw = pf.generatePassword(spec);
>       assert pw.getAlgorithm().equals("sha-256-crypt");
>       assert pw instanceof UnixSHACryptPassword;
>       assert pf.verifyPassword(pw, chars);
>
- Best is to make the salt and iteration count configurable.
- Opportunities to inject a custom random generator.

The following may be important:
- RW the masked password to a file.

I will think further on the use cases we have seen over the years and 
report back.
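The "sha-256-crypt" algorithm in David's sketch is the Unix SHA-crypt scheme (the "$5$" format), and the two points Anil raises, a configurable salt and iteration count and an injectable random source, are exactly the knobs that scheme exposes. The block below is an added example, not Elytron code and not part of this thread: a self-contained Python implementation of SHA-256-crypt that follows Ulrich Drepper's SHA-crypt specification, takes the salt, rounds and RNG as parameters, and verifies a stored string with a constant-time comparison. All function names (`sha256_crypt`, `hash_password`, `verify_password`, `parse`, `new_salt`) are this example's own. Note that the Java sketch seeds its salt from `ThreadLocalRandom`, which is not a cryptographic generator; the example defaults to `secrets.token_bytes` and lets a caller swap it.

```python
"""SHA-256-crypt ("$5$") with configurable salt, rounds and an injectable RNG.
Added example, not Elytron code; construction per Drepper's SHA-crypt spec."""
import hashlib
import hmac
import secrets
from typing import Callable, Tuple

ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000                  # used when the string carries no rounds= field
MIN_ROUNDS, MAX_ROUNDS = 1000, 999_999_999
MAX_SALT_LEN = 16                      # the spec truncates longer salts

def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt-style base64: n characters, least-significant 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(ALPHABET[w & 0x3F])
        w >>= 6
    return "".join(out)

def _encode(d: bytes) -> str:
    """Byte permutation the spec applies to the final 32-byte digest."""
    triples = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
               (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    s = "".join(_b64_from_24bit(d[a], d[b], d[c], 4) for a, b, c in triples)
    return s + _b64_from_24bit(0, d[31], d[30], 3)

def _repeat_to(block: bytes, length: int) -> bytes:
    """Whole 32-byte copies of block, then a prefix for the remainder."""
    return block * (length // 32) + block[: length % 32]

def sha256_crypt(password: bytes, salt: bytes, rounds: int = DEFAULT_ROUNDS) -> str:
    """Core of the scheme; returns the full "$5$[rounds=N$]salt$hash" string."""
    salt = salt[:MAX_SALT_LEN]
    rounds = max(MIN_ROUNDS, min(MAX_ROUNDS, rounds))
    plen = len(password)
    b = hashlib.sha256(password + salt + password).digest()
    a = hashlib.sha256(password + salt)
    a.update(_repeat_to(b, plen))
    i = plen
    while i > 0:                       # bits of the password length, low to high
        a.update(b if i & 1 else password)
        i >>= 1
    da = a.digest()
    p = _repeat_to(hashlib.sha256(password * plen).digest(), plen)
    s = _repeat_to(hashlib.sha256(salt * (16 + da[0])).digest(), len(salt))
    c = da
    for r in range(rounds):            # the cost loop: rounds is the iteration count
        h = hashlib.sha256(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    prefix = "$5$" + (f"rounds={rounds}$" if rounds != DEFAULT_ROUNDS else "")
    return prefix + salt.decode("ascii") + "$" + _encode(c)

def new_salt(rng: Callable[[int], bytes] = secrets.token_bytes,
             length: int = MAX_SALT_LEN) -> bytes:
    """Salt from the crypt alphabet; the RNG is injectable, a CSPRNG by default."""
    return "".join(ALPHABET[x & 0x3F] for x in rng(length)).encode("ascii")

def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  rng: Callable[[int], bytes] = secrets.token_bytes) -> str:
    return sha256_crypt(password.encode("utf-8"), new_salt(rng), rounds)

def parse(stored: str) -> Tuple[int, bytes, str]:
    """Split a stored string into (rounds, salt, hash); rejects other $id$ formats."""
    fields = stored.split("$")
    if len(fields) < 4 or fields[0] != "" or fields[1] != "5":
        raise ValueError("not a sha256-crypt ($5$) string")
    rounds, rest = DEFAULT_ROUNDS, fields[2:]
    if rest[0].startswith("rounds="):
        rounds, rest = int(rest[0][len("rounds="):]), rest[1:]
    if len(rest) != 2:
        raise ValueError("malformed sha256-crypt string")
    return rounds, rest[0].encode("ascii"), rest[1]

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare the hash in constant time."""
    rounds, salt, digest = parse(stored)
    candidate = sha256_crypt(password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(parse(candidate)[2], digest)

if __name__ == "__main__":
    stored = hash_password("p4ssw0rd", rounds=4096)      # the count from the thread
    print(stored)
    print(verify_password("p4ssw0rd", stored), verify_password("p4ssw0rd!", stored))
```

The stored string carries its own salt and rounds, so verification never needs out-of-band parameters, which is why a `verifyPassword(pw, chars)` call as in the sketch can work from the `Password` object alone. The salt is capped at 16 characters by the format itself, which is worth keeping in mind against the 64-byte salt in the Java snippet.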

