Different results with Blowfish between java 6 and java 8

Question

public class Main {

public static void main(String[] args) {
    String result = blowfish("123123");
    System.out.println(result);
}

public static String blowfish(String source) {
    final String BLOWFISH_KEY = "22ddba9832444234";

    try {
        Cipher cipher = Cipher.getInstance("Blowfish/ECB/PKCS5Padding");

        cipher.init(
                Cipher.ENCRYPT_MODE,
                new SecretKeySpec(BLOWFISH_KEY.getBytes("UTF-8"), "Blowfish")
        );
        return new String(cipher.doFinal(source.getBytes("UTF-8")));

    } catch (Exception e) {
        e.printStackTrace(System.out);
        return null;
     }
   }
}

If I run this code with java 6 oracle and then run with java 8 openJdk gives me different outputs, Why?

then they are equal @kelalaka, why? if compare with string then they are not — Andrews Silva, Jun 04 '20 at 22:39
`return new String(cipher.doFinal(source.getBytes("UTF-8")));` this is almost always a bug, and it is in this case. String is not meant to be a holder for arbitrary byte sequences. The data is corrupted in the process. It may be that the default charset changed between your java 6 and java 8, and that's another lesson: never use the default charset. — President James K. Polk, Jun 05 '20 at 00:22
@PresidentJamesK.Polk is from legacy system, and in the cloud VM is giving different results. — Andrews Silva, Jun 05 '20 at 00:43

Andrews Silva · Accepted Answer · 2020-06-05T15:26:34.903

3

I found the problem, thanks everybody for the help, was the UTF-8, in java 6 and 7 the implementation is different from java 8, and java 6 IBM, what helped me was implement UTF_8.class from openjdk 8 on jdk 6. For more help look here Java 8 change in UTF-8 decoding.

https://gist.github.com/AndrewsK30/30ad3e63203f2ebcbbab66619ec7c064

Just use new String(arrayByte,new CustomCharset())

edited Jun 05 '20 at 15:26

answered Jun 05 '20 at 01:43

Andrews Silva

51
1
8

Could you write your code into your solution? Actually, we prefer base64 encoding/decoding. – kelalaka Jun 05 '20 at 09:32
1

@kelalaka Base64 or byte to hex is the way to go, but in a legacy system they used byte to UTF-8 and then HEX and saved to the database the password, the problem with this is I have to use UTF-8 because the password are encrypted this way. So in jdk 6 and jdk6 IBM they implement UTF-8 in different way for invalid char. So I copied the implementation of OpenJdk 8 and now is working. – Andrews Silva Jun 05 '20 at 15:23
This will also not work, in the sense that you will be unable to decrypt what you have encrypted. You must be using this as some kind of home-grown password hash. That CustomCharset class is too much code to read but this scheme can greatly weaken an already weak password authentication scheme. Anybody else reading this should **NOT** use this method. – President James K. Polk Jun 06 '20 at 21:33
@PresidentJamesK.Polk yes, but in my case is very old legacy system and will die in some months, this is more a monkey patch. – Andrews Silva Jun 07 '20 at 21:03

Different results with Blowfish between java 6 and java 8

1 Answers1