Module org.glassfish.soteria

Package org.glassfish.soteria.identitystores.hash

Class PasswordHashCompare

java.lang.Object

org.glassfish.soteria.identitystores.hash.PasswordHashCompare

public class PasswordHashCompare
extends Object

Constructor Summary

Constructors

Constructor	Description
PasswordHashCompare()

Method Summary

Modifier and Type	Method	Description
static boolean	compareBytes(byte[] array1, byte[] array2)	Compare two password hashes for equality.
static boolean	compareChars(char[] array1, char[] array2)	Compare two passwords, represented as character arrays.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

PasswordHashCompare

public PasswordHashCompare()

Method Detail

compareBytes

public static boolean compareBytes(byte[] array1,
                                   byte[] array2)

Compare two password hashes for equality. Do not fail fast; continue comparing bytes even if a difference has been found, to reduce the possibility that timing attacks can be used to guess passwords.

The two hashes can be different lengths if the hash algorithm or parameters used to generate them weren't the same.

Use the length of the first parameter (hash of the password being verified) to determine how many bytes are compared, so that the comparison time doesn't reflect the length of the second parameter (hash of the caller's actual password).

Use XOR instead of == to compare characters, to avoid branching. Branches can introduce timing differences depending on the branch taken and the CPU's branch prediction state.

Parameters:

array1 - Hash of the password to verify.

array2 - Hash of the caller's actual password, for comparison.

Returns:

True if the password hashes match, false otherwise.

compareChars

public static boolean compareChars(char[] array1,
                                   char[] array2)

Compare two passwords, represented as character arrays.

Note that passwords should never be stored as plaintext, but this method may be useful for, e.g., verifying a password stored in encrypted form in a database, and decrypted for comparison.

Behavior and theory operation are the same as for compareBytes, except that the parameters are character arrays.

Parameters:

array1 - The password to verify.

array2 - The caller's actual password, for comparison.

Returns:

True if the passwords match, false otherwise.