You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@commons.apache.org by gg...@apache.org on 2017/11/09 00:57:19 UTC
svn commit: r1814680 - in
/commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest:
Md5Crypt.java Sha2Crypt.java
Author: ggregory
Date: Thu Nov 9 00:57:19 2017
New Revision: 1814680
URL: http://svn.apache.org/viewvc?rev=1814680&view=rev
Log:
Update Javadocs to mention generating salts with ThreadLocalRandom internally and suggest using SecureRandom.
Modified:
commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Md5Crypt.java
commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Sha2Crypt.java
Modified: commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Md5Crypt.java
URL: http://svn.apache.org/viewvc/commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Md5Crypt.java?rev=1814680&r1=1814679&r2=1814680&view=diff
==============================================================================
--- commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Md5Crypt.java (original)
+++ commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Md5Crypt.java Thu Nov 9 00:57:19 2017
@@ -17,7 +17,9 @@
package org.apache.commons.codec.digest;
import java.security.MessageDigest;
+import java.security.SecureRandom;
import java.util.Arrays;
+import java.util.concurrent.ThreadLocalRandom;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -60,13 +62,16 @@ public class Md5Crypt {
private static final int ROUNDS = 1000;
/**
- * See {@link #apr1Crypt(String, String)} for details.
- *
- * @param keyBytes
- * plaintext string to hash.
+ * See {@link #apr1Crypt(byte[], String)} for details.
+ * <p>
+ * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
+ * {@link SecureRandom} to generate your own salts and calling {@link #apr1Crypt(byte[], String)}.
+ * </p>
+ *
+ * @param keyBytes plaintext string to hash.
* @return the hash value
- * @throws RuntimeException
- * when a {@link java.security.NoSuchAlgorithmException} is caught. *
+ * @throws RuntimeException when a {@link java.security.NoSuchAlgorithmException} is caught. *
+ * @see #apr1Crypt(byte[], String)
*/
public static String apr1Crypt(final byte[] keyBytes) {
return apr1Crypt(keyBytes, APR1_PREFIX + B64.getRandomSalt(8));
@@ -74,10 +79,17 @@ public class Md5Crypt {
/**
* See {@link #apr1Crypt(String, String)} for details.
+ * <p>
+ * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
+ * {@link SecureRandom} to generate your own salts.
+ * </p>
*
* @param keyBytes
* plaintext string to hash.
- * @param salt An APR1 salt.
+ * @param salt
+ * An APR1 salt. The salt may be null, in which case a salt is generated for you using
+ * {@link ThreadLocalRandom}; for more secure salts consider using {@link SecureRandom} to generate your
+ * own salts.
* @return the hash value
* @throws IllegalArgumentException
* if the salt does not match the allowed pattern
@@ -94,12 +106,17 @@ public class Md5Crypt {
/**
* See {@link #apr1Crypt(String, String)} for details.
+ * <p>
+ * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
+ * {@link SecureRandom} to generate your own salts and calling {@link #apr1Crypt(byte[], String)}.
+ * </p>
*
* @param keyBytes
* plaintext string to hash.
* @return the hash value
* @throws RuntimeException
* when a {@link java.security.NoSuchAlgorithmException} is caught.
+ * @see #apr1Crypt(byte[], String)
*/
public static String apr1Crypt(final String keyBytes) {
return apr1Crypt(keyBytes.getBytes(Charsets.UTF_8));
@@ -114,8 +131,9 @@ public class Md5Crypt {
* @param keyBytes
* plaintext string to hash.
* @param salt
- * salt string including the prefix and optionally garbage at the end. Will be generated randomly if
- * null.
+ * salt string including the prefix and optionally garbage at the end. The salt may be null, in which
+ * case a salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
+ * {@link SecureRandom} to generate your own salts.
* @return the hash value
* @throws IllegalArgumentException
* if the salt does not match the allowed pattern
@@ -129,13 +147,18 @@ public class Md5Crypt {
/**
* Generates a libc6 crypt() compatible "$1$" hash value.
* <p>
- * See {@link Crypt#crypt(String, String)} for details.
- *
+ * See {@link #md5Crypt(byte[], String)} for details.
+ *</p>
+ * <p>
+ * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
+ * {@link SecureRandom} to generate your own salts and calling {@link #md5Crypt(byte[], String)}.
+ * </p>
* @param keyBytes
* plaintext string to hash.
* @return the hash value
* @throws RuntimeException
* when a {@link java.security.NoSuchAlgorithmException} is caught.
+ * @see #md5Crypt(byte[], String)
*/
public static String md5Crypt(final byte[] keyBytes) {
return md5Crypt(keyBytes, MD5_PREFIX + B64.getRandomSalt(8));
@@ -145,12 +168,14 @@ public class Md5Crypt {
* Generates a libc crypt() compatible "$1$" MD5 based hash value.
* <p>
* See {@link Crypt#crypt(String, String)} for details.
- *
+ * </p>
+ *
* @param keyBytes
* plaintext string to hash.
* @param salt
- * salt string including the prefix and optionally garbage at the end. Will be generated randomly if
- * null.
+ * salt string including the prefix and optionally garbage at the end. The salt may be null, in which
+ * case a salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
+ * {@link SecureRandom} to generate your own salts.
* @return the hash value
* @throws IllegalArgumentException
* if the salt does not match the allowed pattern
@@ -165,11 +190,16 @@ public class Md5Crypt {
* Generates a libc6 crypt() "$1$" or Apache htpasswd "$apr1$" hash value.
* <p>
* See {@link Crypt#crypt(String, String)} or {@link #apr1Crypt(String, String)} for details.
- *
+ * </p>
+ *
* @param keyBytes
* plaintext string to hash.
- * @param salt May be null.
- * @param prefix salt prefix
+ * @param salt
+ * real salt value without prefix or "rounds=". The salt may be null, in which case a salt is generated for
+ * you using {@link ThreadLocalRandom}; for more secure salts consider using {@link SecureRandom} to
+ * generate your own salts.
+ * @param prefix
+ * salt prefix
* @return the hash value
* @throws IllegalArgumentException
* if the salt does not match the allowed pattern
Modified: commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Sha2Crypt.java
URL: http://svn.apache.org/viewvc/commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Sha2Crypt.java?rev=1814680&r1=1814679&r2=1814680&view=diff
==============================================================================
--- commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Sha2Crypt.java (original)
+++ commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Sha2Crypt.java Thu Nov 9 00:57:19 2017
@@ -18,7 +18,9 @@ package org.apache.commons.codec.digest;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
import java.util.Arrays;
+import java.util.concurrent.ThreadLocalRandom;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -72,7 +74,12 @@ public class Sha2Crypt {
* Generates a libc crypt() compatible "$5$" hash value with random salt.
* <p>
* See {@link Crypt#crypt(String, String)} for details.
- *
+ * </p>
+ * <p>
+ * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
+ * {@link SecureRandom} to generate your own salts and calling {@link #sha256Crypt(byte[], String)}.
+ * </p>
+ *
* @param keyBytes
* plaintext to hash
* @return complete hash value
@@ -87,11 +94,13 @@ public class Sha2Crypt {
* Generates a libc6 crypt() compatible "$5$" hash value.
* <p>
* See {@link Crypt#crypt(String, String)} for details.
- *
+ * </p>
* @param keyBytes
* plaintext to hash
* @param salt
- * real salt value without prefix or "rounds="
+ * real salt value without prefix or "rounds=". The salt may be null, in which case a salt is generated for
+ * you using {@link ThreadLocalRandom}; for more secure salts consider using {@link SecureRandom} to
+ * generate your own salts.
* @return complete hash value including salt
* @throws IllegalArgumentException
* if the salt does not match the allowed pattern
@@ -116,7 +125,7 @@ public class Sha2Crypt {
* @param keyBytes
* plaintext to hash
* @param salt
- * real salt value without prefix or "rounds="
+ * real salt value without prefix or "rounds="; may not be null
* @param saltPrefix
* either $5$ or $6$
* @param blocksize
@@ -510,6 +519,11 @@ public class Sha2Crypt {
* Generates a libc crypt() compatible "$6$" hash value with random salt.
* <p>
* See {@link Crypt#crypt(String, String)} for details.
+ * </p>
+ * <p>
+ * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
+ * {@link SecureRandom} to generate your own salts and calling {@link #sha512Crypt(byte[], String)}.
+ * </p>
*
* @param keyBytes
* plaintext to hash
@@ -525,11 +539,13 @@ public class Sha2Crypt {
* Generates a libc6 crypt() compatible "$6$" hash value.
* <p>
* See {@link Crypt#crypt(String, String)} for details.
- *
+ * </p>
* @param keyBytes
* plaintext to hash
* @param salt
- * real salt value without prefix or "rounds="
+ * real salt value without prefix or "rounds=". The salt may be null, in which case a salt is generated for
+ * you using {@link ThreadLocalRandom}; for more secure salts consider using {@link SecureRandom} to
+ * generate your own salts.
* @return complete hash value including salt
* @throws IllegalArgumentException
* if the salt does not match the allowed pattern