Polish Pbkdf2PasswordEncoder

Issue gh-3930

crypto/src/main/java/org/springframework/security/crypto/password/Pbkdf2PasswordEncoder.java

@@ -89,7 +89,7 @@ public class Pbkdf2PasswordEncoder implements PasswordEncoder {
 	@Override
 	public String encode(CharSequence rawPassword) {
 		byte[] salt = this.saltGenerator.generateKey();
-		byte[] encoded = encodeAndConcatenate(rawPassword, salt);
+		byte[] encoded = encode(rawPassword, salt);
 		return String.valueOf(Hex.encode(encoded));
 	}
 
@@ -97,11 +97,7 @@ public class Pbkdf2PasswordEncoder implements PasswordEncoder {
 	public boolean matches(CharSequence rawPassword, String encodedPassword) {
 		byte[] digested = Hex.decode(encodedPassword);
 		byte[] salt = subArray(digested, 0, this.saltGenerator.getKeyLength());
-		return matches(digested, encodeAndConcatenate(rawPassword, salt));
-	}
-
-	private byte[] encodeAndConcatenate(CharSequence rawPassword, byte[] salt) {
-		return encode(rawPassword, salt);
+		return matches(digested, encode(rawPassword, salt));
 	}
 
 	/**
@@ -130,4 +126,4 @@ public class Pbkdf2PasswordEncoder implements PasswordEncoder {
 			throw new IllegalStateException("Could not create hash", e);
 		}
 	}
-}
+}

crypto/src/test/java/org/springframework/security/crypto/password/Pbkdf2PasswordEncoderTests.java

@@ -15,8 +15,13 @@
  */
 package org.springframework.security.crypto.password;
 
+import java.util.Arrays;
+
 import org.junit.Test;
 
+import org.springframework.security.crypto.codec.Hex;
+import org.springframework.security.crypto.keygen.KeyGenerators;
+
 import static org.assertj.core.api.Assertions.assertThat;
 
 public class Pbkdf2PasswordEncoderTests {
@@ -50,6 +55,26 @@ public class Pbkdf2PasswordEncoderTests {
 		assertThat(encodeFirst).isNotEqualTo(encodeSecond);
 	}
 
+	@Test
+	public void passivity() {
+		String encodedPassword = "ab1146a8458d4ce4e65789e5a3f60e423373cfa10b01abd23739e5ae2fdc37f8e9ede4ae6da65264";
+		String rawPassword = "password";
+		assertThat(this.encoder.matches(rawPassword, encodedPassword)).isTrue();
+	}
+
+	@Test
+	public void migrate() {
+		final int saltLength = KeyGenerators.secureRandom().getKeyLength();
+		String encodedPassword = "ab1146a8458d4ce4e65789e5a3f60e423373cfa10b01abd23739e5ae2fdc37f8e9ede4ae6da65264";
+		String originalEncodedPassword = "ab1146a8458d4ce4ab1146a8458d4ce4e65789e5a3f60e423373cfa10b01abd23739e5ae2fdc37f8e9ede4ae6da65264";
+		byte[] originalBytes = Hex.decode(originalEncodedPassword);
+		byte[] fixedBytes = Arrays.copyOfRange(originalBytes, saltLength,
+				originalBytes.length);
+		String fixedHex = String.valueOf(Hex.encode(fixedBytes));
+
+		assertThat(fixedHex).isEqualTo(encodedPassword);
+	}
+
 	/**
 	 * Used to find the iteration count that takes .5 seconds.
 	 */