Hash password in PHP and verify with Java (PASSWORD_BCRYPT & jBcrypt)

Question

I have a question regarding the hashing of password. I am using this on the webpage:

$pw = password_hash($_POST[password], PASSWORD_BCRYPT);

After that I store this result in the database. With my Java Web Service I want to verify the password. For that I am using this method:

   if (BCrypt.checkpw(password, dbPwd)){
       return Response.ok("ok").build();
   }

dbPwd is the one I stored and password is the password in plain text from the first method. Unfortunately I am receiving this error code:

javax.servlet.ServletException: java.lang.IllegalArgumentException: Invalid salt revision

Update

I found in the internet, that there is a "bug" the Java method is using the 2y and the jBcrypt is using 2a. I tried it with 2a and it works, but how can I fix this/ make it work?

Answer 1

After a lot of digging I found a newer implementation of the jBcrypt library: https://github.com/patrickfav/bcrypt

I use Scala but the concepts are essentially the same and to verify a $2y$ hash I've created a small utility function:

import at.favre.lib._

  /**
    * Verifies an encrypted password against the expected value
    *
    * @link https://github.com/patrickfav/bcrypt
    * @param hash The hashed password (encypted with BCrypt version $2Y$)
    * @param password The unencrypted password string
    */
  private def verifyBcryptHash(hash: String, password: String): Boolean = {
    if (hash == null || hash.trim.isEmpty)
      false
    else
      BCrypt
        .verifyer()
        .verifyStrict(
          password.toCharArray(),
          hash.toCharArray(),
          BCrypt.Version.VERSION_2Y
        )
        .verified
  }