Skip to content

chore(innkeeper): upgrade bcrypt to 5.x and add 72-byte compat #1852

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
esune merged 2 commits into from
Feb 25, 2026
Merged

chore(innkeeper): upgrade bcrypt to 5.x and add 72-byte compat #1852

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
083025e
chore(innkeeper): upgrade bcrypt to 5.x and add 72-byte compat; pin m…
PatStLouis Feb 25, 2026
ca1fe1e
address pr comments
PatStLouis Feb 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,7 @@ plugins/poetry.lock
.idea
**/.idea
.python-version

# pytest-cov
.coverage
**/.coverage
114 changes: 76 additions & 38 deletions plugins/traction_innkeeper/poetry.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

7 changes: 4 additions & 3 deletions plugins/traction_innkeeper/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,13 @@ packages = [{include = "traction_innkeeper"}]
python = "^3.13"
acapy-agent = { version = "1.5.0rc0" }
python-dateutil = "^2.9.0"
bcrypt = "^4.2.1"
bcrypt = "^5.0.0"
mergedeep = "^1.3.4"
typing-extensions = "4.15.0"
anoncreds = "^0.2.3"
multitenant-provider = {git = "https://github.com/openwallet-foundation/acapy-plugins", rev = "1.4.0", subdirectory = "multitenant_provider"}
connections = {git = "https://github.com/openwallet-foundation/acapy-plugins", rev = "1.4.0", subdirectory = "connections"}
# main: multitenant_provider and connections use bcrypt ^5.0.0
multitenant-provider = {git = "https://github.com/openwallet-foundation/acapy-plugins", rev = "main", subdirectory = "multitenant_provider"}
connections = {git = "https://github.com/openwallet-foundation/acapy-plugins", rev = "main", subdirectory = "connections"}
Comment thread
esune marked this conversation as resolved.

[tool.poetry.group.dev.dependencies]
ruff = "^0.14.5"
Expand Down
20 changes: 20 additions & 0 deletions plugins/traction_innkeeper/traction_innkeeper/v1_0/innkeeper/bcrypt_compat.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
"""Bcrypt 5.x compatibility: limit password to 72 bytes to avoid ValueError."""

import logging

# Bcrypt 5.0+ raises ValueError for passwords longer than 72 bytes
BCRYPT_MAX_PASSWORD_BYTES = 72

LOGGER = logging.getLogger(__name__)


def limit_for_bcrypt(password_bytes: bytes) -> bytes:
"""Truncate password to 72 bytes for bcrypt 5.x compatibility."""
if len(password_bytes) > BCRYPT_MAX_PASSWORD_BYTES:
LOGGER.warning(
"Password or key input exceeded 72 bytes (bcrypt limit); truncated to 72 bytes for hashing. "
"Original length: %d bytes.",
len(password_bytes),
)
return password_bytes[:BCRYPT_MAX_PASSWORD_BYTES]
return password_bytes
Comment thread
PatStLouis marked this conversation as resolved.
16 changes: 10 additions & 6 deletions plugins/traction_innkeeper/traction_innkeeper/v1_0/innkeeper/tenant_manager.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
import logging
from typing import List, Optional

from .bcrypt_compat import limit_for_bcrypt

from acapy_agent.core.error import BaseError
from acapy_agent.core.profile import Profile
from acapy_agent.messaging.models.base import BaseModelError
Expand Down Expand Up @@ -240,19 +242,20 @@ def check_reservation_password(
return None

# make a hash from passed in value with saved salt...
pwd_bytes = limit_for_bcrypt(reservation_pwd.encode("utf-8"))
reservation_token = bcrypt.hashpw(
reservation_pwd.encode("utf-8"),
pwd_bytes,
reservation.reservation_token_salt.encode("utf-8"),
)
# check the passed in value/hash against the calculated hash.
checkpw = bcrypt.checkpw(reservation_pwd.encode("utf-8"), reservation_token)
checkpw = bcrypt.checkpw(pwd_bytes, reservation_token)
self._logger.debug(
f"bcrypt.checkpw(reservation_pwd.encode('utf-8'), reservation_token) = {checkpw}"
)

# check the passed in value against the saved hash
checkpw2 = bcrypt.checkpw(
reservation_pwd.encode("utf-8"),
pwd_bytes,
reservation.reservation_token_hash.encode("utf-8"),
)
self._logger.debug(
Expand Down Expand Up @@ -315,19 +318,20 @@ def check_api_key(self, api_key: str, apiRecord: TenantAuthenticationApiRecord):
return None

# make a hash from passed in value with saved salt...
key_bytes = limit_for_bcrypt(api_key.encode("utf-8"))
key_token = bcrypt.hashpw(
api_key.encode("utf-8"),
key_bytes,
apiRecord.api_key_token_salt.encode("utf-8"),
)
# check the passed in value/hash against the calculated hash.
checkpw = bcrypt.checkpw(api_key.encode("utf-8"), key_token)
checkpw = bcrypt.checkpw(key_bytes, key_token)
self._logger.debug(
f"bcrypt.checkpw(api_key.encode('utf-8'), key_token) = {checkpw}"
)

# check the passed in value against the saved hash
checkpw2 = bcrypt.checkpw(
api_key.encode("utf-8"),
key_bytes,
apiRecord.api_key_token_hash.encode("utf-8"),
)
self._logger.debug(
Expand Down
Loading
Loading