Open
Description
Summary
During the matches operation, SCryptPasswordEncoder retains the instance keyLength rather than the target digest keyLength. It makes it very difficult to verify non-homogeneous digests with different key lengths.
Why is that? A security consideration?
Actual Behavior
The SCryptPasswordEncoder matches operation fails if the instance keyLength differs from the target digest key length.
Expected Behavior
The SCryptPasswordEncoder matches operation ought to use the target digest key length.
Configuration
The SCryptPasswordEncoder instance keyLength differs from the target digest key length.
Version
4.2.3.RELEASE
Sample
Simple example - prints true

```java
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

// (cpuCost, memoryCost, parallelization, keyLength, saltLength); same instance encodes and verifies
SCryptPasswordEncoder encoder = new SCryptPasswordEncoder(8192, 16, 1, 32, 32);
String raw = "password";
String digest = encoder.encode(raw);
System.out.println(encoder.matches(raw, digest));
```
Instance parameters differ from digest parameters, except key length - prints true

```java
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

// cost, memory and salt length differ; keyLength (32) is the same on both instances
SCryptPasswordEncoder encoder = new SCryptPasswordEncoder(8192, 16, 1, 32, 32);
SCryptPasswordEncoder tester = new SCryptPasswordEncoder(1024, 8, 1, 32, 24);
String raw = "password";
String digest = encoder.encode(raw);
System.out.println(tester.matches(raw, digest));
```
Only the key length differs - prints false

```java
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

// identical cost parameters; only keyLength differs (32 vs 24)
SCryptPasswordEncoder encoder = new SCryptPasswordEncoder(8192, 16, 1, 32, 32);
SCryptPasswordEncoder tester = new SCryptPasswordEncoder(8192, 16, 1, 24, 32);
String raw = "password";
String digest = encoder.encode(raw);
System.out.println(tester.matches(raw, digest));
```
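The following is an added illustration, not code from this issue or from Spring Security. It is a small Python model of an scrypt password encoder that stores the cost parameters and salt in the encoded hash but, like the reported behaviour, does not store the derived-key length. The `$params$salt$key` layout is an assumed simplification used only to make the point; `matches_instance_key_length` reproduces the reported behaviour (the verifier derives `self.key_length` bytes) and `matches_digest_key_length` shows the expected behaviour (the verifier derives as many bytes as the stored digest has), run over the three scenarios from the report:

```python
import base64
import hashlib
import hmac
import math
import os

# Constructed model for illustration; NOT Spring Security's SCryptPasswordEncoder.
# Constructor argument order mirrors the report:
# (cpu_cost, memory_cost, parallelization, key_length, salt_length).


class ModelScryptEncoder:
    def __init__(self, cpu_cost=8192, memory_cost=16, parallelization=1,
                 key_length=32, salt_length=32):
        if cpu_cost <= 1 or cpu_cost & (cpu_cost - 1):
            raise ValueError("cpu_cost must be a power of 2 greater than 1")
        self.cpu_cost = cpu_cost
        self.memory_cost = memory_cost
        self.parallelization = parallelization
        self.key_length = key_length
        self.salt_length = salt_length

    @staticmethod
    def _scrypt(raw, salt, n, r, p, dklen):
        # OpenSSL needs roughly 128*r*(n + p + 2) bytes; give it headroom.
        return hashlib.scrypt(raw.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                              dklen=dklen, maxmem=2 * 128 * r * (n + p + 2))

    def encode(self, raw):
        # Assumed layout: "$" + hex(packed costs) + "$" + b64(salt) + "$" + b64(key).
        # Note that the derived-key length itself is never written out.
        salt = os.urandom(self.salt_length)
        derived = self._scrypt(raw, salt, self.cpu_cost, self.memory_cost,
                               self.parallelization, self.key_length)
        params = ((int(math.log2(self.cpu_cost)) << 16)
                  | (self.memory_cost << 8) | self.parallelization)
        b64 = lambda b: base64.b64encode(b).decode("ascii")
        return "$%x$%s$%s" % (params, b64(salt), b64(derived))

    @staticmethod
    def _decode(encoded):
        parts = encoded.split("$")
        if len(parts) != 4 or parts[0] != "":
            raise ValueError("malformed encoded hash")
        params = int(parts[1], 16)
        n = 1 << ((params >> 16) & 0xFFFF)
        r = (params >> 8) & 0xFF
        p = params & 0xFF
        return n, r, p, base64.b64decode(parts[2]), base64.b64decode(parts[3])

    def matches_instance_key_length(self, raw, encoded):
        # Reported behaviour: the cost parameters come from the digest, but the
        # key length comes from this instance, so a length mismatch never verifies.
        n, r, p, salt, stored = self._decode(encoded)
        candidate = self._scrypt(raw, salt, n, r, p, self.key_length)
        return hmac.compare_digest(candidate, stored)

    def matches_digest_key_length(self, raw, encoded):
        # Expected behaviour: take the key length from the stored digest, so the
        # verifying instance's key_length setting is irrelevant.
        n, r, p, salt, stored = self._decode(encoded)
        candidate = self._scrypt(raw, salt, n, r, p, len(stored))
        return hmac.compare_digest(candidate, stored)


def demonstrate(raw="password"):
    # The three scenarios from the report, plus the digest-length variant and a
    # negative check that the relaxed verifier still rejects a wrong password.
    encoder = ModelScryptEncoder(8192, 16, 1, 32, 32)
    digest = encoder.encode(raw)
    other_costs = ModelScryptEncoder(1024, 8, 1, 32, 24)  # same key length
    other_key = ModelScryptEncoder(8192, 16, 1, 24, 32)   # key length differs
    return {
        "same_instance": encoder.matches_instance_key_length(raw, digest),
        "other_costs_same_key_length": other_costs.matches_instance_key_length(raw, digest),
        "other_key_length_instance": other_key.matches_instance_key_length(raw, digest),
        "other_key_length_from_digest": other_key.matches_digest_key_length(raw, digest),
        "wrong_password_from_digest": other_key.matches_digest_key_length("not-" + raw, digest),
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print("%-32s %s" % (name, result))
```

The two verifiers share everything except the single `dklen` argument. Taking the length from the stored digest is what lets one instance verify hashes produced with different key lengths; the trade-off is that the stored digest, not the instance configuration, then decides how much work the verifier does, which is the same situation the cost parameters are already in.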