Posted to commits@myfaces.apache.org by bo...@apache.org on 2021/01/24 16:12:23 UTC

[myfaces] branch 3.0.x updated: MYFACES-4376 Update Cryptographic algorithm in StateUtils to a stronger version

This is an automated email from the ASF dual-hosted git repository.

bommel pushed a commit to branch 3.0.x
in repository https://gitbox.apache.org/repos/asf/myfaces.git


The following commit(s) were added to refs/heads/3.0.x by this push:
     new cf0d481  MYFACES-4376 Update Cryptographic algorithm in StateUtils to a stronger version
     new 3ae7acd  Merge pull request #159 from bohmber/3.0.x-MYFACES-4376
cf0d481 is described below

commit cf0d48132bb7a9e990282987ce69495eb733a8e6
Author: Bernd Bohmann <bo...@apache.org>
AuthorDate: Tue Jan 19 12:51:35 2021 +0100

    MYFACES-4376
    Update Cryptographic algorithm in StateUtils to a stronger version
    
    (cherry picked from commit 65a0043c5a89b4375496aa295407d8956512e711)
---
 .../org/apache/myfaces/shared/util/StateUtils.java | 23 ++++++++++++----------
 .../shared/util/CachedStateUtilsDefaultTest.java   |  2 +-
 .../myfaces/shared/util/StateUtilsDefaultTest.java |  2 +-
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/shared/src/main/java/org/apache/myfaces/shared/util/StateUtils.java b/shared/src/main/java/org/apache/myfaces/shared/util/StateUtils.java
index 326dec4..c5c878e 100644
--- a/shared/src/main/java/org/apache/myfaces/shared/util/StateUtils.java
+++ b/shared/src/main/java/org/apache/myfaces/shared/util/StateUtils.java
@@ -57,10 +57,10 @@ import org.apache.myfaces.shared.util.serial.SerialFactory;
  * <li>ISO-8859-1 is the character set used.</li>
  * <li>GZIP is used for all compression/decompression.</li>
  * <li>Base64 is used for all encoding and decoding.</li>
- * <li>DES is the default encryption algorithm</li>
+ * <li>AES is the default encryption algorithm</li>
  * <li>ECB is the default mode</li>
  * <li>PKCS5Padding is the default padding</li>
- * <li>HmacSHA1 is the default MAC algorithm</li>
+ * <li>HmacSHA256 is the default MAC algorithm</li>
  * <li>The default algorithm can be overridden using the
  * <i>org.apache.myfaces.ALGORITHM</i> parameter</li>
  * <li>The default mode and padding can be overridden using the
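Review bot: The default cipher moves to AES, but `ECB is the default mode` on the next context line (and `DEFAULT_ALGORITHM_PARAMS = "ECB/PKCS5Padding"` in the hunk at line 98 of the new file) stays, so the shipped default is still a deterministic mode: equal plaintext blocks produce equal ciphertext blocks, and an observer can spot repeated content across serialized view states even though the MAC protects integrity. If the encrypt/decrypt path already carries an IV, `CBC/PKCS5Padding` or an AEAD mode such as GCM would be the safer default to ship together with the algorithm change; if it does not, the Javadoc should at least say that the mode can be changed through the `INIT_ALGORITHM_PARAM` init parameter. I cannot see the Cipher initialisation code from this hunk, so whether an IV is handled today is inferred, not verified. The Javadoc comment continues outside the hunk.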
@@ -72,7 +72,7 @@ import org.apache.myfaces.shared.util.serial.SerialFactory;
  * <i>org.apache.myfaces.MAC_ALGORITHM</i> parameter</li>
  * </ul>
  *
- * <p>The secret is interpretted as base 64 encoded.  In other
+ * <p>The secret is interpreted as base 64 encoded.  In other
  * words, if your secret is "76543210", you would put "NzY1NDMyMTA=" in
  * the deployment descriptor.  This is needed so that key values are not
  * limited to just values composed of printable characters.</p>
@@ -83,7 +83,10 @@ import org.apache.myfaces.shared.util.serial.SerialFactory;
  * <p>If you are using the AES algorithm and getting a SecurityException
  * complaining about keysize, you most likely need to get the unlimited
  * strength jurisdiction policy files from a place like
- * http://java.sun.com/j2se/1.4.2/download.html .</p>
+ * http://java.sun.com/j2se/1.4.2/download.html .</br>
+ * Since https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8170157
+ * unlimited cryptographic policy is enabled by default.</p>
+ *
  *
  * See org.apache.myfaces.webapp.StartupServletContextListener
  */
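Review bot: `</br>` on the added line is not a valid HTML tag; `br` is a void element, so javadoc's doclint reports a malformed/unknown tag here and the class documentation build may fail with `-Xdoclint` enabled. Use `<br>` instead, i.e. `* http://java.sun.com/j2se/1.4.2/download.html .<br>`. The commit also leaves two consecutive empty ` *` lines before `See org.apache.myfaces.webapp.StartupServletContextListener`; one of them can go.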
@@ -95,7 +98,7 @@ public final class StateUtils
 
     public static final String ZIP_CHARSET = "ISO-8859-1";
 
-    public static final String DEFAULT_ALGORITHM = "DES";
+    public static final String DEFAULT_ALGORITHM = "AES";
     public static final String DEFAULT_ALGORITHM_PARAMS = "ECB/PKCS5Padding";
 
     public static final String INIT_PREFIX = "org.apache.myfaces.";
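Review bot: Switching `DEFAULT_ALGORITHM` to AES also changes the key length the default configuration accepts: DES took an 8-byte secret, AES needs 16, 24 or 32 bytes, so a deployment that keeps its existing 8-byte `INIT_SECRET` value and relies on the default algorithm will presumably fail when the key is built rather than keep working (the test changes in this commit, `BASE64_KEY_SIZE_8` → `BASE64_KEY_SIZE_16`, are the same adjustment). The class Javadoc already has a paragraph about keysize problems; it should state this migration step explicitly, e.g. `* <p>With AES as the default algorithm the secret must decode to 16, 24 or 32 bytes; deployments that keep an 8-byte DES secret must either replace it or set org.apache.myfaces.ALGORITHM=DES.</p>`. I cannot see the key-construction code from this hunk, so the exact failure is inferred.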
@@ -120,7 +123,7 @@ public final class StateUtils
      * Indicate the encryption algorithm used for encrypt the view state.
      */
     @JSFWebConfigParam(name="org.apache.myfaces.ALGORITHM",since="1.1",
-            defaultValue="DES",group="state",tags="performance")
+            defaultValue="AES",group="state",tags="performance")
     public static final String INIT_ALGORITHM = INIT_PREFIX + "ALGORITHM";
 
     /**
@@ -158,13 +161,13 @@ public final class StateUtils
             expectedValues="true,false",group="state",tags="performance")
     public static final String COMPRESS_STATE_IN_CLIENT = INIT_PREFIX + "COMPRESS_STATE_IN_CLIENT";
 
-    public static final String DEFAULT_MAC_ALGORITHM = "HmacSHA1";
+    public static final String DEFAULT_MAC_ALGORITHM = "HmacSHA256";
 
     /**
      * Indicate the algorithm used to calculate the Message Authentication Code that is
      * added to the view state.
      */
-    @JSFWebConfigParam(name="org.apache.myfaces.MAC_ALGORITHM",defaultValue="HmacSHA1",
+    @JSFWebConfigParam(name="org.apache.myfaces.MAC_ALGORITHM",defaultValue="HmacSHA256",
             group="state",tags="performance")
     public static final String INIT_MAC_ALGORITHM = "org.apache.myfaces.MAC_ALGORITHM";
     
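Review bot: The MAC default moves to HmacSHA256, but nothing in the hunk tells deployers what the MAC secret should look like now; HMAC initialises with a key of any length, so a short secret keeps working silently, yet the key's entropy rather than the hash bounds the MAC's strength. The Javadoc on `INIT_MAC_ALGORITHM` (or on `INIT_MAC_SECRET`, which is outside this hunk) should recommend a secret of at least 32 bytes for HmacSHA256, e.g. `* For HmacSHA256 the MAC secret should decode to at least 32 bytes.`. The tests in this commit still pass `BASE64_KEY_SIZE_8` as `INIT_MAC_SECRET`, which is fine for a unit test but should not be copied as a deployment example.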
@@ -893,8 +896,8 @@ public final class StateUtils
             }
             catch (NoSuchAlgorithmException e)
             {
-                // Generate random password length 8, 
-                int length = 8;
+                // Generate random password length 16,
+                int length = 16;
                 bytes = new byte[length];
                 new Random().nextBytes(bytes);
                 
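Review bot: Raising the fallback length to 16 does not make the generated key stronger, because the bytes still come from `new Random().nextBytes(bytes)` on the line below; `java.util.Random` is a non-cryptographic generator whose output is predictable from a small observed prefix, so this fallback secret should come from `SecureRandom`. The no-arg `SecureRandom` constructor does not throw `NoSuchAlgorithmException`, so `new SecureRandom().nextBytes(bytes);` is usable inside this catch block (the import block is outside the hunk, so `java.security.SecureRandom` may need adding). The comment should also name what is generated, e.g. `// Generate a random 16-byte fallback key (AES-128); not a password`. The enclosing method starts and ends outside the hunk.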
diff --git a/shared/src/test/java/org/apache/myfaces/shared/util/CachedStateUtilsDefaultTest.java b/shared/src/test/java/org/apache/myfaces/shared/util/CachedStateUtilsDefaultTest.java
index 7312051..f27e2ef 100644
--- a/shared/src/test/java/org/apache/myfaces/shared/util/CachedStateUtilsDefaultTest.java
+++ b/shared/src/test/java/org/apache/myfaces/shared/util/CachedStateUtilsDefaultTest.java
@@ -39,7 +39,7 @@ public class CachedStateUtilsDefaultTest extends AbstractStateUtilsTest
     {
         super.setUp();
 
-        servletContext.addInitParameter(StateUtils.INIT_SECRET, BASE64_KEY_SIZE_8);
+        servletContext.addInitParameter(StateUtils.INIT_SECRET, BASE64_KEY_SIZE_16);
         servletContext.addInitParameter(StateUtils.INIT_ALGORITHM, StateUtils.DEFAULT_ALGORITHM);
         servletContext.addInitParameter(StateUtils.INIT_ALGORITHM_PARAM, StateUtils.DEFAULT_ALGORITHM_PARAMS);
         servletContext.addInitParameter(StateUtils.INIT_MAC_SECRET, BASE64_KEY_SIZE_8);
diff --git a/shared/src/test/java/org/apache/myfaces/shared/util/StateUtilsDefaultTest.java b/shared/src/test/java/org/apache/myfaces/shared/util/StateUtilsDefaultTest.java
index 19d0e48..0f8cc1a 100644
--- a/shared/src/test/java/org/apache/myfaces/shared/util/StateUtilsDefaultTest.java
+++ b/shared/src/test/java/org/apache/myfaces/shared/util/StateUtilsDefaultTest.java
@@ -38,7 +38,7 @@ public class StateUtilsDefaultTest extends AbstractStateUtilsTest
     {
         super.setUp();
 
-        servletContext.addInitParameter(StateUtils.INIT_SECRET, BASE64_KEY_SIZE_8);
+        servletContext.addInitParameter(StateUtils.INIT_SECRET, BASE64_KEY_SIZE_16);
         servletContext.addInitParameter(StateUtils.INIT_ALGORITHM, StateUtils.DEFAULT_ALGORITHM);
         servletContext.addInitParameter(StateUtils.INIT_ALGORITHM_PARAM, StateUtils.DEFAULT_ALGORITHM_PARAMS);
         servletContext.addInitParameter(StateUtils.INIT_SECRET_KEY_CACHE, "false");