public interface Pbkdf2PasswordHash extends PasswordHash
Pbkdf2PasswordHash
implementation.
To use Pbkdf2PasswordHash
with the built-in Database IdentityStore
,
configure this interface type as the hashAlgorithm
value
on the DatabaseIdentityStoreDefinition
annotation.
To configure parameters for Pbkdf2PasswordHash
, specify them as the
hashAlgorithmParameters
value on the DatabaseIdentityStoreDefinition
annotation.
The built-in implementation must support the following configurable parameters:
Pbkdf2PasswordHash.Algorithm // default "PBKDF2WithHmacSHA256" Pbkdf2PasswordHash.Iterations // default 2048, minimum 1024 Pbkdf2PasswordHash.SaltSizeBytes // default 32, minimum 16 Pbkdf2PasswordHash.KeySizeBytes // default 32, minimum 16
And the following PBKDF2 algorithms:
Algorithm names are the string literal names documented for the corresponding algorithms by the Java Cryptography Architecture Standard Algorithm Name Documentation.PBKDF2WithHmacSHA224 PBKDF2WithHmacSHA256 PBKDF2WithHmacSHA384 PBKDF2WithHmacSHA512
The encoded format produced by PasswordHash.generate(char[])
, and consumed by PasswordHash.verify(char[], String)
,
is as follows:
Where:<algorithm>:<iterations>:<base64(salt)>:<base64(hash)>
Because the algorithm and the parameters used to generate the hash are stored with the hash,
the built-in Pbkdf2PasswordHash
implementation can verify hashes generated using algorithm
and parameter values that differ from the currently configured values. This means the configuration
parameters can be changed without impacting the ability to verify existing password hashes.
(Password hashes generated using algorithms/parameters outside the range supported by
Pbkdf2PasswordHash
cannot be verified.)
generate, initialize, verify