Package jakarta.security.enterprise.identitystore

Interface Pbkdf2PasswordHash

All Superinterfaces:
PasswordHash
public interface Pbkdf2PasswordHash extends PasswordHash
This interface represents the built-in Pbkdf2PasswordHash implementation.

To use Pbkdf2PasswordHash with the built-in Database IdentityStore, configure this interface type as the hashAlgorithm value on the DatabaseIdentityStoreDefinition annotation.

To configure parameters for Pbkdf2PasswordHash, specify them as the hashAlgorithmParameters value on the DatabaseIdentityStoreDefinition annotation.

The built-in implementation must support the following configurable parameters: 

Pbkdf2PasswordHash.Algorithm      // default "PBKDF2WithHmacSHA256"
Pbkdf2PasswordHash.Iterations     // default 2048, minimum 1024
Pbkdf2PasswordHash.SaltSizeBytes  // default 32, minimum 16
Pbkdf2PasswordHash.KeySizeBytes   // default 32, minimum 16

And the following PBKDF2 algorithms: 

PBKDF2WithHmacSHA224
PBKDF2WithHmacSHA256
PBKDF2WithHmacSHA384
PBKDF2WithHmacSHA512
Algorithm names are the string literal names documented for the corresponding algorithms by the Java Cryptography Architecture Standard Algorithm Name Documentation.

The encoded format produced by PasswordHash.generate(char[]), and consumed by PasswordHash.verify(char[], String), is as follows: 

<algorithm>:<iterations>:<base64(salt)>:<base64(hash)>
Where:
  • algorithm -- the algorithm used to generate the hash
  • iterations -- the number of iterations used to generate the hash
  • base64(salt) -- the salt used to generate the hash, base64-encoded
  • base64(hash) -- the hash value, base64-encoded

Because the algorithm and the parameters used to generate the hash are stored with the hash, the built-in Pbkdf2PasswordHash implementation can verify hashes generated using algorithm and parameter values that differ from the currently configured values. This means the configuration parameters can be changed without impacting the ability to verify existing password hashes.

(Password hashes generated using algorithms/parameters outside the range supported by Pbkdf2PasswordHash cannot be verified.)

See Also: