
I need to validate a password in a Symfony 3.3 / FriendsOfSymfony UserBundle 1.3 application from an AWS Lambda function.

The relevant password hashing code in Symfony is here https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php#L52

However, the code doesn't produce the same hashes, even at the first line.

In Symfony with password=test, salt=asLZCFQJ5flTtOWdphjKtpngthjK6h2FtMRSIZZ2bus

    $salted = $this->mergePasswordAndSalt($raw, $salt);
    $digest = hash($this->algorithm, $salted, true);

    //base64_encode($digest) == '2QhirHmPwt0O5MrtTdfWsWKCCeOQO/y02Di04/aUIJxWhdNDQSGCaUuL1ONLUasdsD88CBSIzGwsePqGTCcQmA=='

    // "stretch" hash
    for ($i = 1; $i < $this->iterations; ++$i) {
        $digest = hash($this->algorithm, $digest.$salted, true);
    }

With the same details in nodejs I get:

    var crypto = require('crypto');
    var pass = 'test';
    var salt = 'asLZCFQJ5flTtOWdphjKtpngthjK6h2FtMRSIZZ2bus';

    var salted = pass + '{' + salt + '}';

    // digest('binary') returns a latin1 string, not a Buffer
    var digest = crypto.createHash('sha512').update(salted).digest('binary');

    //new Buffer(digest).toString('base64') == 'w5kIYsKsecKPw4LDnQ7DpMOKw61Nw5fDlsKxYsKCCcOjwpA7w7zCtMOYOMK0w6PDtsKUIMKcVsKFw5NDQSHCgmlLwovDlMOjS1HCqx3CsD88CBTCiMOMbCx4w7rChkwnEMKY'
    for (var i = 1; i < 5000; ++i) {
        // string concatenation of the binary digest and the salted password
        digest = crypto.createHash('sha512').update(digest + salted).digest('binary');

        process.stdout.write(new Buffer(digest).toString('base64') + "\n");
    }

Or is this a character encoding problem? The first 3 characters of the binary hash look very similar in the debuggers.

Screenshot from PHPStorm

Screenshot from WebStorm

jdog
    I think that you are getting different results in `nodejs` because the implementations of the algorithms are different; [**this**](https://stackoverflow.com/questions/45321362/node-js-js-implementations-of-phps-hex2bin-returns-wrong-results-how-to-get) is a similar scenario. I don't think the problem is coming from character encoding. I think you need to find the right **hashing** module in nodejs that produces the same results as PHP's hash function – codtex Jan 04 '18 at 07:58

2 Answers


Finally I figured it out, hope it can help someone in the future. The issue comes from character concatenation.

./middleware/passwordEncode.js:

    const cryptoLib = require('crypto');
    // sha512, 5000 iterations, base64 output: the MessageDigestPasswordEncoder defaults
    const encryptPassword = (password, salt) => {
        let salted = password + '{' + salt + '}';
        if (!salt) {
            salted = password;
        }
        let digest = cryptoLib.createHash('sha512').update(salted).digest('binary');
        for (let i = 1; i < 5000; i++) {
            // concatenate as Buffers so the binary digest is not re-encoded as UTF-8
            digest = cryptoLib.createHash('sha512').update(Buffer.concat([Buffer.from(digest, 'binary'), Buffer.from(salted, 'utf8')])).digest('binary');
        }
        return Buffer.from(digest, 'binary').toString('base64');
    };
    module.exports.encryptPassword = encryptPassword;

./middleware/passwordDecode.js:

    const passwordEncode = require('../middleware/passwordEncode');
    const verifyPassword = (password, salt, encoded) => {
        return encoded === passwordEncode.encryptPassword(password, salt);
    };
    module.exports.verifyPassword = verifyPassword;

Yuan H

I have resolved this by switching the encryption method to bcrypt. This answer describes how to check the resulting password: https://stackoverflow.com/a/26643637/123594

jdog
    Switching the password encoder is not a valid answer to your original question. I had the same issue, and the answer @Yuan H gave works! In my case I cannot change Symfony's password encoder from MessageDigestPasswordEncoder to BCryptPasswordEncoder as you suggest. The encoder config cannot be changed, so I need to adapt my Node.js so it can work with the current Symfony encoder. – Quiquetas Oct 06 '21 at 21:23
  • You can see in which order these answers happened – jdog Oct 06 '21 at 21:43
  • you're right, my bad – Quiquetas Oct 07 '21 at 18:19
  • no, good reminder for me to update accepted answer – jdog Oct 08 '21 at 01:59