<?php

/**
 * Proof of concept: bcrypt fed with a keyed pre-hash instead of the raw password.
 *
 * bcrypt only consumes the first 72 bytes of its input, so two long passwords
 * sharing a 72-byte prefix verify against the same plain bcrypt hash. Here the
 * password is first reduced to a fixed-length HMAC-SHA-512 digest, so every
 * byte of the password influences what bcrypt sees.
 *
 * Each attribute sits on its own line: PHP versions older than 8.0 read a
 * line starting with `#[` as a comment, so the class still parses there.
 */
class SafeBcryptWrapperPoC
{
    /** @var string Secret HMAC key applied to every password before bcrypt. */
    private $staticKey;

    /** @var int bcrypt cost factor passed to password_hash(). */
    private $cost = 12;

    /**
     * @param string $staticKey Secret key for the HMAC pre-hash; verification
     *                          only succeeds with the key used at hash time.
     * @param int    $cost      bcrypt cost factor (defaults to 12).
     */
    public function __construct(
        #[\SensitiveParameter]
        string $staticKey,
        int $cost = 12
    ) {
        $this->cost = $cost;
        $this->staticKey = $staticKey;
    }

    /**
     * Produce a bcrypt hash of the pre-hashed password.
     *
     * @param string $password Plaintext password of any length.
     * @return string Hash string as returned by password_hash().
     */
    public function hash(
        #[\SensitiveParameter]
        string $password
    ): string {
        $options = ['cost' => $this->cost];
        $encoded = $this->prehash($password);

        return \password_hash($encoded, PASSWORD_BCRYPT, $options);
    }

    /**
     * Check a candidate password against a hash created by hash().
     *
     * The candidate goes through the same pre-hash, so a hash made with a
     * different key, or by plain password_hash(), will not verify here.
     *
     * @param string $password Candidate plaintext password.
     * @param string $hash     Stored hash to compare against.
     * @return bool True when the candidate matches.
     */
    public function verify(
        #[\SensitiveParameter]
        string $password,
        #[\SensitiveParameter]
        string $hash
    ): bool {
        $encoded = $this->prehash($password);

        return \password_verify($encoded, $hash);
    }

    /**
     * Pre-hash the password with HMAC-SHA-512 and base64-encode the result.
     *
     * The raw 64-byte MAC may contain NUL bytes, which bcrypt implementations
     * treat as the end of the input; base64 removes them. The encoded value is
     * 88 characters long, of which bcrypt reads the first 72 (54 bytes of MAC).
     *
     * This demo does not use libsodium because of 3v4l limitations.
     *
     * @param string $password Plaintext password.
     * @return string Base64 text of the keyed digest.
     */
    private function prehash(
        #[\SensitiveParameter]
        string $password
    ): string {
        $rawMac = \hash_hmac('sha512', $password, $this->staticKey, true);

        return \base64_encode($rawMac);
    }
}

// Demo only: the key is regenerated on every run. A real deployment has to
// persist the key, because hashes cannot be verified without it.
$demoKey = random_bytes(32);
$wrapper = new SafeBcryptWrapperPoC($demoKey);

// Two passwords that are identical for the first 72 bytes and differ at byte 73.
$seventyTwo = str_repeat('A', 72);
$seventyThree = $seventyTwo . 'B';

$plainHash = password_hash($seventyTwo, PASSWORD_BCRYPT);
$wrappedHash = $wrapper->hash($seventyTwo);

// Plain bcrypt never sees byte 73, so the longer password is accepted: bool(true).
var_dump(password_verify($seventyThree, $plainHash));

// The wrapper hashes the whole password first, so it is rejected: bool(false).
var_dump($wrapper->verify($seventyThree, $wrappedHash));
