Describe the bug
A null pointer exception is thrown from BouncyCastle when trying to use the Argon2Encoder class in the crypto package. This is tested on Java 8 version 1.8.0_201 in IntelliJ IDEA Community 2021.1.
Stack trace:
java.lang.NullPointerException
    at org.bouncycastle.util.Arrays.clone(Unknown Source)
    at org.bouncycastle.crypto.params.Argon2Parameters.<init>(Unknown Source)
    at org.bouncycastle.crypto.params.Argon2Parameters.<init>(Unknown Source)
    at org.bouncycastle.crypto.params.Argon2Parameters$Builder.build(Unknown Source)
    at org.springframework.security.crypto.argon2.Argon2PasswordEncoder.encode(Argon2PasswordEncoder.java:94)
To Reproduce
// Main code
import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;

Argon2PasswordEncoder argon2PasswordEncoder = new Argon2PasswordEncoder();
String encoded = argon2PasswordEncoder.encode("Hello");
<!-- in pom.xml for Maven -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-crypto</artifactId>
<version>5.4.6</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>1.68</version>
</dependency>
Expected behavior
The returned String should be an encoded Argon2 hash.
Sample
(Can create if really necessary?)
Comment From: ross-holloway94
It looks to me that the error comes from the Argon2Parameters class in the Bouncy Castle library.
Lines 145 and 146:
this.secret = Arrays.clone(secret);
this.additional = Arrays.clone(additional);
Argon2PasswordEncoder does not build these arguments, so they are null when they reach this point. However, I could not find good documentation for Bouncy Castle so I'm not certain of their purpose.
Comment From: ross-holloway94
Apologies, this was a Maven dependency resolution problem.
Comment From: btounkara
Hi @lilbigmouth, I'm encountering the same problem. Can you tell me how you managed to solve it, please?
Comment From: ross-holloway94
Hi @btounkara,
If I remember this correctly, it was either the incorrect Bouncy Castle dependency, or there was a dependency conflict in Maven (transitive dependency). I think it was the latter.
Comment From: btounkara
Thank you for your quick answer, I'll check that.
Comment From: btounkara
It was indeed a transitive dependency, thank you.
I had to exclude some dependencies with bouncycastle jdk14 (cf this link)
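A way to confirm the transitive-dependency conflict described in this thread, as an added example that is not code from the thread, Spring Security or Bouncy Castle: it reports which classpath entries supply the two Bouncy Castle classes named in the stack trace and which copy the JVM actually loads. The class name `BouncyCastleClasspathCheck` is hypothetical, and the check assumes it is run with the same classpath as the failing application.

```java
import java.net.URL;
import java.security.CodeSource;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical diagnostic class, not part of Spring Security or Bouncy Castle.
public class BouncyCastleClasspathCheck {

    // The two Bouncy Castle classes named in the stack trace above.
    private static final String[] CLASSES = {
        "org.bouncycastle.util.Arrays",
        "org.bouncycastle.crypto.params.Argon2Parameters"
    };

    public static void main(String[] args) throws Exception {
        ClassLoader cl = BouncyCastleClasspathCheck.class.getClassLoader();
        Set<String> winners = new LinkedHashSet<>();
        boolean duplicates = false;
        int loaded = 0;

        for (String name : CLASSES) {
            // Every classpath entry that ships a copy of this class.
            List<URL> copies = Collections.list(cl.getResources(name.replace('.', '/') + ".class"));
            System.out.println(name + ": " + copies.size() + " copy/copies on the classpath");
            for (URL url : copies) {
                System.out.println("    " + url);
            }
            duplicates |= copies.size() > 1;

            // The copy the JVM actually resolves at run time.
            try {
                CodeSource src = Class.forName(name, false, cl).getProtectionDomain().getCodeSource();
                String origin = (src == null) ? "<unknown>" : String.valueOf(src.getLocation());
                System.out.println("    loaded from: " + origin);
                winners.add(origin);
                loaded++;
            } catch (ClassNotFoundException | LinkageError e) {
                System.out.println("    not loadable: " + e);
            }
        }

        // Healthy state: both classes load, each exists once, and both come from the same jar.
        if (duplicates || loaded != CLASSES.length || winners.size() != 1) {
            System.out.println("PROBLEM: the classes are missing or supplied by more than one jar");
            System.exit(1);
        }
        System.out.println("OK: both classes come from a single jar");
    }
}
```

To see which dependency pulls in the extra jar, `mvn dependency:tree -Dincludes=org.bouncycastle` lists every Bouncy Castle artifact together with the path that introduces it.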