Why do these PHP and Java password generators produce different output? [duplicate]

Question

I' m writting a password generator for a script in PHP and I want it to be compatible with a class I wrote in Java, so that they can share resources.

PHP code:

public function PasswordGen($password, $rounds) { 
    for($i = 0; $i < $rounds; $i++) { 
        $password = substr(base64_encode(md5($password)), 0, 16); 
        echo $i . " " . $password . PHP_EOL; // debugging //
    }
    return $password;
}

Java code:

public static String PasswordGen(String password, int rounds) {
    try { 
        for(int i = 0; i < rounds; i++) { 
            byte[] md5 = MessageDigest.getInstance("MD5").digest(password.getBytes("UTF-8"));
            String md5h = (new BigInteger(1, md5)).toString(16);
            password = Base64.getEncoder().encodeToString(md5h.getBytes()).substring(0, 16);
            System.out.println(Integer.toString(i) + " " + password); // debugging //
        }
    } catch(Exception ex) {
        ex.printStackTrace();
        return null;
    }
    return password;
}

PHP debug output:

0 MWExZGM5MWM5MDcz  
1 NDVkZmMxNWVjNWZi  
2 ODY5YzVkODBhNTRh  
3 ZGE2OTNiOWMxOWM1  
4 OTcxMTY3MzgxMmRk  
5 NWNjNDI2N2IzMDlj  
6 NGVkYzY0YjVkMWUy  
7 MjdhMGU4NjhhNmU3  
8 OWY5OGE3ZGZiODZl  
9 Y2I1ZjBkNjRmMjkx  
10 YTk5NDA1MGI1OWY1  
11 YzRmYWE5ZTk0ZDdl  
12 NDBiZWZkNmQ5Yjhj  
13 MzQyNzcwNGRjMTYw  
14 N2U4ZmUxOGMyNWYx  
15 MjBjOTZhNGE4ZDQ1  
16 MjdmMzkwMzI0NDdj  
17 YjM4NDI0YWU0YzUw  
18 NDRiNjA1MWUwOGZi  
19 MGI1YmIyMDViMGYz  

Java debug output:

0 MWExZGM5MWM5MDcz  
1 NDVkZmMxNWVjNWZi  
2 ODY5YzVkODBhNTRh  
3 ZGE2OTNiOWMxOWM1  
4 OTcxMTY3MzgxMmRk  
5 NWNjNDI2N2IzMDlj  
6 NGVkYzY0YjVkMWUy  
7 MjdhMGU4NjhhNmU3  
8 OWY5OGE3ZGZiODZl  
9 Y2I1ZjBkNjRmMjkx  
10 YTk5NDA1MGI1OWY1  
11 YzRmYWE5ZTk0ZDdl  
12 NDBiZWZkNmQ5Yjhj  
13 MzQyNzcwNGRjMTYw  
14 N2U4ZmUxOGMyNWYx  
15 MjBjOTZhNGE4ZDQ1  
16 MjdmMzkwMzI0NDdj  
17 YjM4NDI0YWU0YzUw  
18 NDRiNjA1MWUwOGZi  
19 YjViYjIwNWIwZjMy  

It works as expected until the 19th loop. Why does it produce different output after that?

Answer 1

In Java, converting a BigDecimal to a hexadecimal String with the toString(int base) method doesn't output leading zeros.

You can discover this by printing the output of the intermediate step (converting the md5 hashcode to an hexadecimal string) - in Java that gives b5bb205b0f32a7bf2a80fc870cbd2b7 while in PHP it gives 0b5bb205b0f32a7bf2a80fc870cbd2b7. It's only a difference of one leading zero, but after applying the base64 encoding, they look very different.

An easier way to get leading zeros is to use the String.format method.

Replace this line:

String md5h = ( new BigInteger(1, md5) ).toString(16);

with this line:

String md5h = String.format("%032x", new BigInteger(1, md5));

and you'll get the same output as with your php code.