Posted to commits@myfaces.apache.org by ta...@apache.org on 2021/01/25 09:41:58 UTC

[myfaces] branch 2.3-next updated: MYFACES-4376 Update Cryptographic algorithm in StateUtils to a stronger version

This is an automated email from the ASF dual-hosted git repository.

tandraschko pushed a commit to branch 2.3-next
in repository https://gitbox.apache.org/repos/asf/myfaces.git


The following commit(s) were added to refs/heads/2.3-next by this push:
     new 0d5ea54  MYFACES-4376 Update Cryptographic algorithm in StateUtils to a stronger version
     new ff3ba78  Merge pull request #160 from bohmber/2.3-next-MYFACES-4376
0d5ea54 is described below

commit 0d5ea54b4530de4c7478d2c9cb792e6883ccd99a
Author: Bernd Bohmann <bo...@apache.org>
AuthorDate: Tue Jan 19 12:51:35 2021 +0100

    MYFACES-4376
    Update Cryptographic algorithm in StateUtils to a stronger version
    
    (cherry picked from commit 65a0043c5a89b4375496aa295407d8956512e711)
---
 .../myfaces/application/viewstate/StateUtils.java  | 23 ++++++++++++----------
 .../viewstate/CachedStateUtilsDefaultTest.java     |  2 +-
 .../viewstate/StateUtilsDefaultTest.java           |  2 +-
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/impl/src/main/java/org/apache/myfaces/application/viewstate/StateUtils.java b/impl/src/main/java/org/apache/myfaces/application/viewstate/StateUtils.java
index b92df73..707e83b 100644
--- a/impl/src/main/java/org/apache/myfaces/application/viewstate/StateUtils.java
+++ b/impl/src/main/java/org/apache/myfaces/application/viewstate/StateUtils.java
@@ -53,10 +53,10 @@ import org.apache.myfaces.spi.SerialFactory;
  * <li>ISO-8859-1 is the character set used.</li>
  * <li>GZIP is used for all compression/decompression.</li>
  * <li>Base64 is used for all encoding and decoding.</li>
- * <li>DES is the default encryption algorithm</li>
+ * <li>AES is the default encryption algorithm</li>
  * <li>ECB is the default mode</li>
  * <li>PKCS5Padding is the default padding</li>
- * <li>HmacSHA1 is the default MAC algorithm</li>
+ * <li>HmacSHA256 is the default MAC algorithm</li>
  * <li>The default algorithm can be overridden using the
  * <i>org.apache.myfaces.ALGORITHM</i> parameter</li>
  * <li>The default mode and padding can be overridden using the
@@ -68,7 +68,7 @@ import org.apache.myfaces.spi.SerialFactory;
  * <i>org.apache.myfaces.MAC_ALGORITHM</i> parameter</li>
  * </ul>
  *
- * <p>The secret is interpretted as base 64 encoded.  In other
+ * <p>The secret is interpreted as base 64 encoded.  In other
  * words, if your secret is "76543210", you would put "NzY1NDMyMTA=" in
  * the deployment descriptor.  This is needed so that key values are not
  * limited to just values composed of printable characters.</p>
@@ -79,7 +79,10 @@ import org.apache.myfaces.spi.SerialFactory;
  * <p>If you are using the AES algorithm and getting a SecurityException
  * complaining about keysize, you most likely need to get the unlimited
  * strength jurisdiction policy files from a place like
- * http://java.sun.com/j2se/1.4.2/download.html .</p>
+ * http://java.sun.com/j2se/1.4.2/download.html .</br>
+ * Since https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8170157
+ * unlimited cryptographic policy is enabled by default.</p>
+ *
  *
  * See org.apache.myfaces.webapp.StartupServletContextListener
  */
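Review bot: `</br>` on the added download-link line is not a valid HTML tag (`br` has no closing form), so doclint will flag this Javadoc; replace it with ` * http://java.sun.com/j2se/1.4.2/download.html .<br>`. The two consecutive ` *` blank comment lines that follow the new sentence can be collapsed to one. It would also help readers to name the JDK release in which JDK-8170157 shipped, so they know from which version the policy-file advice no longer applies.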
@@ -89,7 +92,7 @@ public final class StateUtils
 
     public static final String ZIP_CHARSET = "ISO-8859-1";
 
-    public static final String DEFAULT_ALGORITHM = "DES";
+    public static final String DEFAULT_ALGORITHM = "AES";
     public static final String DEFAULT_ALGORITHM_PARAMS = "ECB/PKCS5Padding";
 
     public static final String INIT_PREFIX = "org.apache.myfaces.";
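Review bot: `DEFAULT_ALGORITHM_PARAMS` on the line after the change stays `"ECB/PKCS5Padding"`, so the new default is AES in ECB mode; ECB maps identical plaintext blocks to identical ciphertext blocks and leaks the structure of the serialized view state even though the HMAC protects its integrity, and the `ECB is the default mode` item in the earlier Javadoc hunk documents this as intended. Since this commit already changes the default cipher, consider moving the default params to a chained or authenticated mode, e.g. `public static final String DEFAULT_ALGORITHM_PARAMS = "CBC/PKCS5Padding";`, noting that this needs IV handling in the encrypt/decrypt paths, which are outside this diff. Separately, DES took an 8-byte key while AES requires 16, 24 or 32 bytes, so a deployment that sets `INIT_SECRET` without setting `INIT_ALGORITHM` will presumably fail key construction after this upgrade; that migration impact deserves a sentence in the class Javadoc or the release notes.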
@@ -114,7 +117,7 @@ public final class StateUtils
      * Indicate the encryption algorithm used for encrypt the view state.
      */
     @JSFWebConfigParam(name="org.apache.myfaces.ALGORITHM",since="1.1",
-            defaultValue="DES",group="state",tags="performance")
+            defaultValue="AES",group="state",tags="performance")
     public static final String INIT_ALGORITHM = INIT_PREFIX + "ALGORITHM";
 
     /**
@@ -152,13 +155,13 @@ public final class StateUtils
             expectedValues="true,false",group="state",tags="performance")
     public static final String COMPRESS_STATE_IN_CLIENT = INIT_PREFIX + "COMPRESS_STATE_IN_CLIENT";
 
-    public static final String DEFAULT_MAC_ALGORITHM = "HmacSHA1";
+    public static final String DEFAULT_MAC_ALGORITHM = "HmacSHA256";
 
     /**
      * Indicate the algorithm used to calculate the Message Authentication Code that is
      * added to the view state.
      */
-    @JSFWebConfigParam(name="org.apache.myfaces.MAC_ALGORITHM",defaultValue="HmacSHA1",
+    @JSFWebConfigParam(name="org.apache.myfaces.MAC_ALGORITHM",defaultValue="HmacSHA256",
             group="state",tags="performance")
     public static final String INIT_MAC_ALGORITHM = "org.apache.myfaces.MAC_ALGORITHM";
     
@@ -673,8 +676,8 @@ public final class StateUtils
             }
             catch (NoSuchAlgorithmException e)
             {
-                // Generate random password length 8, 
-                int length = 8;
+                // Generate random password length 16,
+                int length = 16;
                 bytes = new byte[length];
                 new Random().nextBytes(bytes);
                 
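Review bot: The fallback still fills the 16 bytes from `new Random()` on the line after the change, which is presumably `java.util.Random`; its 48-bit seed makes the output predictable, so widening the buffer does not make the fallback key any stronger. Use a CSPRNG instead: `new SecureRandom().nextBytes(bytes);` (adding `import java.security.SecureRandom;` if the file does not already import it). The hard-coded `16` also pins the fallback to an AES-128 key; deriving the length from the configured algorithm would keep it valid when `org.apache.myfaces.ALGORITHM` is overridden. The enclosing method starts before this hunk.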
diff --git a/impl/src/test/java/org/apache/myfaces/application/viewstate/CachedStateUtilsDefaultTest.java b/impl/src/test/java/org/apache/myfaces/application/viewstate/CachedStateUtilsDefaultTest.java
index c1f02c6..d6eab0a 100644
--- a/impl/src/test/java/org/apache/myfaces/application/viewstate/CachedStateUtilsDefaultTest.java
+++ b/impl/src/test/java/org/apache/myfaces/application/viewstate/CachedStateUtilsDefaultTest.java
@@ -29,7 +29,7 @@ public class CachedStateUtilsDefaultTest extends AbstractStateUtilsTest
     {
         super.setUp();
 
-        servletContext.addInitParameter(StateUtils.INIT_SECRET, BASE64_KEY_SIZE_8);
+        servletContext.addInitParameter(StateUtils.INIT_SECRET, BASE64_KEY_SIZE_16);
         servletContext.addInitParameter(StateUtils.INIT_ALGORITHM, StateUtils.DEFAULT_ALGORITHM);
         servletContext.addInitParameter(StateUtils.INIT_ALGORITHM_PARAM, StateUtils.DEFAULT_ALGORITHM_PARAMS);
         servletContext.addInitParameter(StateUtils.INIT_MAC_SECRET, BASE64_KEY_SIZE_8);
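Review bot: `INIT_MAC_SECRET` on the last context line is still set from `BASE64_KEY_SIZE_8` while this commit moves the default MAC to HmacSHA256; HMAC accepts any key length, so the test still passes, but an 8-byte key gives far less than the strength the algorithm name implies, and the fixture no longer reflects a recommended configuration. Consider bumping it to the largest available fixture, e.g. `servletContext.addInitParameter(StateUtils.INIT_MAC_SECRET, BASE64_KEY_SIZE_16);`, or adding a 32-byte constant matching the HmacSHA256 output size. The enclosing setUp() starts before this hunk; the StateUtilsDefaultTest hunk below changes only INIT_SECRET and does not show its MAC-secret line.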
diff --git a/impl/src/test/java/org/apache/myfaces/application/viewstate/StateUtilsDefaultTest.java b/impl/src/test/java/org/apache/myfaces/application/viewstate/StateUtilsDefaultTest.java
index 07f4be5..dc3615b 100644
--- a/impl/src/test/java/org/apache/myfaces/application/viewstate/StateUtilsDefaultTest.java
+++ b/impl/src/test/java/org/apache/myfaces/application/viewstate/StateUtilsDefaultTest.java
@@ -28,7 +28,7 @@ public class StateUtilsDefaultTest extends AbstractStateUtilsTest
     {
         super.setUp();
 
-        servletContext.addInitParameter(StateUtils.INIT_SECRET, BASE64_KEY_SIZE_8);
+        servletContext.addInitParameter(StateUtils.INIT_SECRET, BASE64_KEY_SIZE_16);
         servletContext.addInitParameter(StateUtils.INIT_ALGORITHM, StateUtils.DEFAULT_ALGORITHM);
         servletContext.addInitParameter(StateUtils.INIT_ALGORITHM_PARAM, StateUtils.DEFAULT_ALGORITHM_PARAMS);
         servletContext.addInitParameter(StateUtils.INIT_SECRET_KEY_CACHE, "false");