<?php
class SafeBcryptWrapperPoC
{
private $staticKey;
private $cost = 12;
public function __construct(
#[\SensitiveParameter]
string $staticKey,
int $cost = 12
) {
$this->staticKey = $staticKey;
$this->cost = $cost;
}
/**
* Generate password hashes here
*/
public function hash(
#[\SensitiveParameter]
string $password
): string {
return \password_hash(
$this->prehash($password),
PASSWORD_BCRYPT,
['cost' => $this->cost]
);
}
/**
* Verify password here
*/
public function verify(
#[\SensitiveParameter]
string $password,
#[\SensitiveParameter]
string $hash
): bool {
return \password_verify(
$this->prehash($password),
$hash
);
}
/**
* Pre-hashing with HMAC-SHA-512 here
*
* Note that this demo doesn't use libsodium, due to 3v4l limitations
*/
private function prehash(
#[\SensitiveParameter]
string $password
): string {
return \base64_encode(
\hash_hmac('sha512', $password, $this->staticKey, true)
);
}
}
$staticKey = random_bytes(32);
$hasher = new SafeBcryptWrapperPoC($staticKey);
$example1 = str_repeat('A', 72);
$example2 = $example1 . 'B';
$hash1 = password_hash($example1, PASSWORD_BCRYPT);
$hash2 = $hasher->hash($example1);
var_dump(password_verify($example2, $hash1));
var_dump($hasher->verify($example2, $hash2));
- Output for 8.2.0 - 8.2.26, 8.3.0 - 8.3.14, 8.4.1
- bool(true)
bool(false)
preferences:
49.79 ms | 406 KiB | 5 Q