Posted to commits@commons.apache.org by gg...@apache.org on 2017/11/09 01:00:27 UTC

svn commit: r1814682 - /commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Crypt.java

Author: ggregory
Date: Thu Nov  9 01:00:27 2017
New Revision: 1814682

URL: http://svn.apache.org/viewvc?rev=1814682&view=rev
Log:
Update Javadocs to mention generating salts with ThreadLocalRandom internally and suggest using SecureRandom.

Modified:
    commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Crypt.java

Modified: commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Crypt.java
URL: http://svn.apache.org/viewvc/commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Crypt.java?rev=1814682&r1=1814681&r2=1814682&view=diff
==============================================================================
--- commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Crypt.java (original)
+++ commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Crypt.java Thu Nov  9 01:00:27 2017
@@ -16,6 +16,9 @@
  */
 package org.apache.commons.codec.digest;
 
+import java.security.SecureRandom;
+import java.util.concurrent.ThreadLocalRandom;
+
 import org.apache.commons.codec.Charsets;
 
 /**
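Review bot: The two imports added in this hunk, SecureRandom and ThreadLocalRandom, are referenced only from Javadoc {@link} tags in the hunks below, so IDE "organize imports" passes and linters that do not scan Javadoc will report or silently delete them as unused, and the links then break. Qualifying the links keeps the documentation self-contained: `{@link java.security.SecureRandom}` and `{@link java.util.concurrent.ThreadLocalRandom}`, with the two import lines dropped. The same substitution applies to every link added in the four Javadoc hunks that follow.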
@@ -35,7 +38,12 @@ public class Crypt {
      * <p>
      * A random salt and the default algorithm (currently SHA-512) are used. See {@link #crypt(String, String)} for
      * details.
-     *
+     * </p>
+     * <p>
+     * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
+     * {@link SecureRandom} to generate your own salts and calling {@link #crypt(byte[], String)}.
+     * </p>
+     * 
      * @param keyBytes
      *            plaintext password
      * @return hash value
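Review bot: The new paragraph says a salt "is generated for you using ThreadLocalRandom" and that callers should "consider" SecureRandom, but never states why, so a reader cannot judge whether the default is acceptable for their use. Name the property that is missing: ThreadLocalRandom is not a cryptographically secure generator, so the salt it produces is not unpredictable. Something like `* The salt is generated with {@link ThreadLocalRandom}, which is not cryptographically secure; callers who need an` / `* unpredictable salt should generate one with {@link SecureRandom} and pass it to {@link #crypt(byte[], String)}.` says this in the same space. The same wording is added for crypt(String) in the hunk at @@ -80,7 +90,12 @@, and the added `* ` line closing both paragraphs carries trailing whitespace.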
@@ -55,7 +63,9 @@ public class Crypt {
      * @param keyBytes
      *            plaintext password
      * @param salt
-     *            salt value
+     *            real salt value without prefix or "rounds=". The salt may be null, in which case a salt is generated for
+     *            you using {@link ThreadLocalRandom}; for more secure salts consider using {@link SecureRandom} to
+     *            generate your own salts.
      * @return hash value
      * @throws IllegalArgumentException
      *             if the salt does not match the allowed pattern
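Review bot: The new @param text describes the salt as a "real salt value without prefix or "rounds="", which does not look right for this overload: the paragraph above still defers to {@link #crypt(String, String)} for the salt format, and presumably, as that method's documentation describes elsewhere in this file, the `$1$`/`$5$`/`$6$` prefix (and `rounds=` for the SHA-2 variants) is exactly what a caller passes in the salt to select the algorithm. The "without prefix" phrasing reads as copied from the algorithm-specific helpers, where the prefix has already been stripped before the salt reaches them. Suggested wording: `*            salt value in the format accepted by {@link #crypt(String, String)}; may be null, in which case a` / `*            salt is generated with {@link ThreadLocalRandom}, which is not cryptographically secure. Prefer a` / `*            {@link SecureRandom}-generated salt when unpredictability matters.` The same text is added to the crypt(String, String) hunk at @@ -140,7 +155,9 @@. The body of crypt(byte[], String) lies outside the hunk.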
@@ -80,7 +90,12 @@ public class Crypt {
      * Calculates the digest using the strongest crypt(3) algorithm.
      * <p>
      * A random salt and the default algorithm (currently SHA-512) are used.
-     *
+     * </p>
+     * <p>
+     * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
+     * {@link SecureRandom} to generate your own salts and calling {@link #crypt(String, String)}.
+     * </p>
+     * 
      * @see #crypt(String, String)
      * @param key
      *            plaintext password
@@ -140,7 +155,9 @@ public class Crypt {
      * @param key
      *            plaintext password as entered by the used
      * @param salt
-     *            salt value
+     *            real salt value without prefix or "rounds=". The salt may be null, in which case a salt is generated for
+     *            you using {@link ThreadLocalRandom}; for more secure salts consider using {@link SecureRandom} to
+     *            generate your own salts.
      * @return hash value, i.e. encrypted password including the salt string
      * @throws IllegalArgumentException
      *             if the salt does not match the allowed pattern
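Review bot: The context line two above the new @param salt text still reads "plaintext password as entered by the used"; since this Javadoc block is being rewritten anyway, correct it to `*            plaintext password as entered by the user`. The @param salt wording here shares the "without prefix" problem raised on the crypt(byte[], String) hunk above. The body of crypt(String, String) lies outside the hunk.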