Add PBKDF2 Hashing support#596
Conversation
randilt
requested review from
DimuthuMadushan,
MohamedSabthar,
ThisaruGuruge and
shafreenAnfar
as code owners
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #596 +/- ##
============================================
- Coverage 83.47% 82.22% -1.26%
- Complexity 226 239 +13
============================================
Files 30 29 -1
Lines 1283 1367 +84
Branches 180 190 +10
============================================
+ Hits 1071 1124 +53
- Misses 169 197 +28
- Partials 43 46 +3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Co-authored-by: DimuthuMadushan <35717653+DimuthuMadushan@users.noreply.github.com>
| * @return formatted PBKDF2 salt string | ||
| */ | ||
| public static String formatPBKDF2Salt(String algorithm, long iterations, String saltBase64) { | ||
| return String.format(Locale.ROOT, "$pbkdf2-%s$i=%d$%s", |
There was a problem hiding this comment.
Shall we make $pbkdf2-%s$i=%d$%s a constant?
| public static Object verifyPasswordPBKDF2(BString password, BString hashedPassword) { | ||
| try { | ||
| String hash = hashedPassword.getValue(); | ||
| Pattern pattern = Pattern.compile("\\$pbkdf2-(\\w+)\\$i=(\\d+)\\$([A-Za-z0-9+/=]+)\\$([A-Za-z0-9+/=]+)"); |
|
@MohamedSabthar, can you review this please? |
| * @param algorithm the HMAC algorithm to validate | ||
| * @return null if valid, error if invalid | ||
| */ | ||
| public static Object validatePBKDF2Algorithm(String algorithm) { |
There was a problem hiding this comment.
| public static Object validatePBKDF2Algorithm(String algorithm) { | |
| public static Object validatePbkdf2Algorithm(String algorithm) { |
Rename validatePBKDF2Algorithm to validatePbkdf2Algorithm to align with camel case conventions, making it more readable and consistent with standard Java naming practices we follow.
Let's update other places.
native/src/main/java/io/ballerina/stdlib/crypto/nativeimpl/Password.java
Show resolved
Hide resolved
| /** | ||
| * Default number of iterations for PBKDF2. | ||
| */ | ||
| public static final int DEFAULT_PBKDF2_ITERATIONS = 10000; |
There was a problem hiding this comment.
Is there a reason to maintain constants for default values here? Ideally, these values are already defined as defaultable parameters in the Ballerina code. Instead of maintaining them separately in both Java and Ballerina, we should consider reading and using the values directly from Ballerina to avoid duplication.
There was a problem hiding this comment.
Yes, but I think keeping the default values on the Java side would also be good. in the future, if these functions are used internally within the library for testing or any other purposes, they would still work with those default values. Additionally, if for some reason the values don’t get passed from the Ballerina side, the default values would act as a safety net. Let me know if you think it's better to remove them @MohamedSabthar
There was a problem hiding this comment.
Thanks for the clarification @randilt! I understand your point, but I still think it's better to avoid duplicating default values in both places. Having a single source of truth helps reduce the risk of inconsistencies and makes maintenance easier in the long run. If there's ever a case where defaults are needed in Java (e.g., for internal tests), we can consider injecting or reading them from the Ballerina side rather than hardcoding. So I'd still prefer removing them from Java for now.
native/src/main/java/io/ballerina/stdlib/crypto/nativeimpl/Password.java
Outdated
Show resolved
Hide resolved
…rpolation for improved readability
…rypt, Argon2, and PBKDF2
|
The suggested changes have been made, could you please check @daneshk @MohamedSabthar |
docs/spec/spec.md
Outdated
| Implements the PBKDF2 (Password-Based Key Derivation Function 2) algorithm for password hashing. | ||
|
|
||
| ```ballerina | ||
| public isolated function hashPbkdf2(string password, int iterations = 10000, |
There was a problem hiding this comment.
Let's update the spec and proposal with the enum change
Co-authored-by: MohamedSabthar <sabtharugc0@gmail.com>
Added few comments |
|
Did the necessary changes please check @MohamedSabthar |
docs/spec/spec.md
Outdated
| * 2.5. [SHA512](#25-sha512) | ||
| * 2.6. [CRC32B](#26-crc32b) | ||
| * 2.7. [KECCAK256](#27-keccak256) | ||
| - 2.1. [MD5](#21-md5) |
There was a problem hiding this comment.
@randilt shall we update the code with previous formatting?
replace them with '*' instead of '-'.
We follow this same convention across all library modules.
Hi @randilt, the PR looks good overall 🙌. I’ve added a minor comment. Once those are fixed, we can go ahead and merge the PR. |
…tils and Password classes
|
|
@MohamedSabthar I applied the changes you suggested, please check and let me know if anything else needs to be changed or added. |
MohamedSabthar
merged commit 6346d39
into
ballerina-platform:master
4 participants
Purpose
Resolves: #43926
This PR introduces two new APIs to the Ballerina
cryptomodule for password hashing and verification using PBKDF2.Newly Added APIs
crypto:hashPbkdf2()- Generates a PBKDF2 hash of a given password with optional parameters for iterations and hash algorithm.crypto:verifyPbkdf2()- Verifies whether a given password matches a PBKDF2 hashed password.Examples
1. Hashing a Password using PBKDF2
Parameters:
password- The password string to be hashed.iterations(optional) - The number of iterations (default:10,000).algorithm(optional) - HMAC algorithm (SHA1,SHA256,SHA512, default:SHA256).2. Verifying a PBKDF2 Hashed Password
Parameters:
password- The password string to verify.hashedPassword- The PBKDF2 hashed password to compare against.Checklist