
I need to validate a password in a Symfony 3.3 / FriendsOfSymfony UserBundle 1.3 application from an AWS Lambda function.

The relevant password hashing code in Symfony is here https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php#L52

However, the code doesn't produce the same hashes even at the first line.

In Symfony with password=test, salt=asLZCFQJ5flTtOWdphjKtpngthjK6h2FtMRSIZZ2bus

    $salted = $this->mergePasswordAndSalt($raw, $salt);
    $digest = hash($this->algorithm, $salted, true);

    //base64_encode($digest) == '2QhirHmPwt0O5MrtTdfWsWKCCeOQO/y02Di04/aUIJxWhdNDQSGCaUuL1ONLUasdsD88CBSIzGwsePqGTCcQmA=='

    // "stretch" hash
    for ($i = 1; $i < $this->iterations; ++$i) {
        $digest = hash($this->algorithm, $digest.$salted, true);
    }

With the same details in nodejs I get:

    var crypto = require('crypto');
    var pass='test';
    var salt='asLZCFQJ5flTtOWdphjKtpngthjK6h2FtMRSIZZ2bus';

    var salted = pass + '{' + salt + '}';

    // hash object for the first round
    var sha512 = crypto.createHash('sha512');
    var digest = sha512.update(salted).digest('binary');

    //new Buffer(digest).toString('base64') == 'w5kIYsKsecKPw4LDnQ7DpMOKw61Nw5fDlsKxYsKCCcOjwpA7w7zCtMOYOMK0w6PDtsKUIMKcVsKFw5NDQSHCgmlLwovDlMOjS1HCqx3CsD88CBTCiMOMbCx4w7rChkwnEMKY'
    for (var i = 1; i < 5000; ++i) {
        digest = crypto.createHash('sha512').update(digest + salted).digest('binary');

        process.stdout.write(new Buffer(digest).toString('base64')+"\n");
    }

Or is this a character encoding problem? The first 3 characters of the binary hash look very similar in the debuggers.

Screenshot from PHPStorm

Screenshot from WebStorm

  • I think that you are getting a different result in nodejs because the implementations of the algorithms are different; this is a similar scenario. I don't think the problem is coming from character encoding. I think you need to find the right hashing module in nodejs that produces the same results as PHP's hash function. Commented Jan 4, 2018 at 7:58

2 Answers

Finally I figured it out, hope it can help someone in the future. The issue comes from the character concatenation.

./middleware/passwordEncode.js:

    const cryptoLib = require('crypto');

    // Port of Symfony's MessageDigestPasswordEncoder defaults: sha512, 5000 iterations, base64 output
    const encryptPassword = (password, salt) => {
        let salted = password + '{' + salt + '}';
        if (!salt) {
            salted = password;
        }
        let digest = cryptoLib.createHash('sha512').update(salted).digest('binary');
        for (let i = 1; i < 5000; i++) {
            // concatenate as bytes, not as strings: the 'binary' (latin1) digest must not be re-encoded as UTF-8
            digest = cryptoLib.createHash('sha512')
                .update(Buffer.concat([Buffer.from(digest, 'binary'), Buffer.from(salted, 'utf8')]))
                .digest('binary');
        }
        return Buffer.from(digest, 'binary').toString('base64');
    };
    module.exports.encryptPassword = encryptPassword;

./middleware/passwordDecode.js:

    const passwordEncode = require('../middleware/passwordEncode');

    const verifyPassword = (password, salt, encoded) => {
        return encoded === passwordEncode.encryptPassword(password, salt);
    };
    module.exports.verifyPassword = verifyPassword;


I have resolved this by switching the encryption method to bcrypt. This answer describes how to check the resulting password: https://stackoverflow.com/a/26643637/123594

4 Comments

  • Switching the password encoder is not a valid answer to your original question. I had the same issue, and the answer @Yuan H gave works! In my case I cannot change Symfony's password encoder from MessageDigestPasswordEncoder to BCryptPasswordEncoder as you suggest. The encoder config cannot be changed, so I need to adapt my Node.js so it can work with the current Symfony encoder.
  • You can see in which order these answers happened
  • You're right, my bad
  • No, good reminder for me to update the accepted answer
