Status: Open
Labels: in: crypto (an issue in spring-security-crypto), type: enhancement (a general enhancement)
Description
Summary
During the matches operation, SCryptPasswordEncoder retains the instance keyLength rather than the target digest keyLength. It makes it very difficult to verify non-homogeneous digests with different key lengths.
Why is that? A security consideration?
Actual Behavior
The SCryptPasswordEncoder matches operation fails if the instance keyLength differs from the target digest's key length.
Expected Behavior
The SCryptPasswordEncoder matches operation ought to use the target digest's key length.
Configuration
The SCryptPasswordEncoder instance keyLength differs from the target digest's key length.
Version
4.2.3.RELEASE
Sample

import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

Simple example prints true

// constructor arguments: (cpuCost, memoryCost, parallelization, keyLength, saltLength)
SCryptPasswordEncoder encoder = new SCryptPasswordEncoder(8192, 16, 1, 32, 32);
String raw = "password";
String digest = encoder.encode(raw);
// the same instance both encodes and verifies
System.out.println(encoder.matches(raw, digest));

Instance parameters differ from digest parameters, except key length - prints true

SCryptPasswordEncoder encoder = new SCryptPasswordEncoder(8192, 16, 1, 32, 32);
// different cpuCost, memoryCost and saltLength; keyLength (32) is the same as the encoder's
SCryptPasswordEncoder tester = new SCryptPasswordEncoder(1024, 8, 1, 32, 24);
String raw = "password";
String digest = encoder.encode(raw);
// cpuCost, memoryCost and parallelization are read back from the digest, so this verifies
System.out.println(tester.matches(raw, digest));

Only the key length differs - prints false

SCryptPasswordEncoder encoder = new SCryptPasswordEncoder(8192, 16, 1, 32, 32);
// identical cpuCost, memoryCost, parallelization and saltLength; only keyLength differs (24 vs 32)
SCryptPasswordEncoder tester = new SCryptPasswordEncoder(8192, 16, 1, 24, 32);
String raw = "password";
String digest = encoder.encode(raw);
// the tester derives a 24-byte key and compares it against the stored 32-byte key
System.out.println(tester.matches(raw, digest));
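A work-around for the behaviour reported above, added here as an example and not code from the Spring Security project or from the issue reporter. It assumes the stored digest uses the "$params$salt$derived" layout the samples in this issue show, so the decoded length of the last segment is the keyLength the digest was created with; the class and method names (KeyLengthAwareScryptVerifier, keyLengthOf, matches) and the default cost parameters are this example's own choices.

```java
import java.util.Base64;
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

// Added example, not part of Spring Security or of this issue.
// Assumption: digests look like "$params$salt$derived" with Base64 segments,
// as the samples in this issue do.
public class KeyLengthAwareScryptVerifier {

    // matches() re-reads cpuCost, memoryCost and parallelization from the digest,
    // so these only need to pass the constructor's validation.
    private static final int DEFAULT_CPU_COST = 16384;
    private static final int DEFAULT_MEMORY_COST = 8;
    private static final int DEFAULT_PARALLELIZATION = 1;
    private static final int DEFAULT_SALT_LENGTH = 64;

    /** Recover the derived-key length (in bytes) from an existing digest. */
    static int keyLengthOf(String digest) {
        String[] parts = digest.split("\\$");
        if (parts.length != 4 || !parts[0].isEmpty()) {
            throw new IllegalArgumentException("digest does not look like an SCrypt digest");
        }
        // java.util.Base64's basic decoder accepts both padded and unpadded input
        return Base64.getDecoder().decode(parts[3]).length;
    }

    /** Verify rawPassword against a digest whose keyLength may differ per record. */
    static boolean matches(CharSequence rawPassword, String digest) {
        int keyLength = keyLengthOf(digest);
        // build a throw-away encoder whose keyLength matches this particular digest
        SCryptPasswordEncoder verifier = new SCryptPasswordEncoder(
                DEFAULT_CPU_COST, DEFAULT_MEMORY_COST, DEFAULT_PARALLELIZATION,
                keyLength, DEFAULT_SALT_LENGTH);
        return verifier.matches(rawPassword, digest);
    }

    public static void main(String[] args) {
        // Two digests of the same password with different key lengths (constructed for the demo).
        String raw = "password";
        String digest32 = new SCryptPasswordEncoder(8192, 16, 1, 32, 32).encode(raw);
        String digest24 = new SCryptPasswordEncoder(8192, 16, 1, 24, 32).encode(raw);

        // A single fixed encoder can only verify digests that share its keyLength.
        SCryptPasswordEncoder fixed = new SCryptPasswordEncoder(8192, 16, 1, 32, 32);
        System.out.println("fixed encoder vs 32-byte digest: " + fixed.matches(raw, digest32));
        System.out.println("fixed encoder vs 24-byte digest: " + fixed.matches(raw, digest24));

        // Reading the key length from each digest lets one code path verify both.
        System.out.println("key-length-aware vs 32-byte digest: " + matches(raw, digest32));
        System.out.println("key-length-aware vs 24-byte digest: " + matches(raw, digest24));
        System.out.println("key-length-aware, wrong password:  " + matches("wrong", digest24));
    }
}
```

The first two prints reproduce the behaviour the samples in this issue describe; the remaining three show the digest's own key length being used for verification, which is what the expected-behaviour section asks for. Constructing an encoder per digest costs nothing in scrypt terms (the expensive work is the derivation, not the object), but if a deployment can standardise on one keyLength when re-hashing on login, that remains the simpler option.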