Posted to commits@commons.apache.org by gg...@apache.org on 2017/11/09 01:00:27 UTC
svn commit: r1814682 -
/commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Crypt.java
Author: ggregory
Date: Thu Nov 9 01:00:27 2017
New Revision: 1814682
URL: http://svn.apache.org/viewvc?rev=1814682&view=rev
Log:
Update Javadocs to mention generating salts with ThreadLocalRandom internally and suggest using SecureRandom.
Modified:
commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Crypt.java
Modified: commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Crypt.java
URL: http://svn.apache.org/viewvc/commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Crypt.java?rev=1814682&r1=1814681&r2=1814682&view=diff
==============================================================================
--- commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Crypt.java (original)
+++ commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Crypt.java Thu Nov 9 01:00:27 2017
@@ -16,6 +16,9 @@
*/
package org.apache.commons.codec.digest;
+import java.security.SecureRandom;
+import java.util.concurrent.ThreadLocalRandom;
+
import org.apache.commons.codec.Charsets;
/**
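Review bot: The two imports added here are, as far as the diff shows, referenced only from {@link} tags in Javadoc, so a build that fails on unused imports, or an IDE "organize imports" pass that does not scan Javadoc, may strip them and turn the links into broken references. Fully-qualified links, `{@link java.security.SecureRandom}` and `{@link java.util.concurrent.ThreadLocalRandom}`, keep the documentation self-contained without depending on import hygiene. If salt generation is later moved to SecureRandom in this class, the import becomes a real code dependency and this point goes away.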
@@ -35,7 +38,12 @@ public class Crypt {
* <p>
* A random salt and the default algorithm (currently SHA-512) are used. See {@link #crypt(String, String)} for
* details.
- *
+ * </p>
+ * <p>
+ * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
+ * {@link SecureRandom} to generate your own salts and calling {@link #crypt(byte[], String)}.
+ * </p>
+ *
* @param keyBytes
* plaintext password
* @return hash value
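Review bot: The new paragraph documents that default salts come from ThreadLocalRandom rather than changing the generator, so callers of the no-salt overloads still receive salts from a non-cryptographic PRNG unless they read this note; the generator is outside the hunk, but if it is under this class's control the stronger fix is to draw salt bytes from SecureRandom and keep this paragraph as guidance on supplying a salt yourself. The phrase "more secure salts" also leaves the property unstated: a salt need not be secret, but it must be unpredictable and unique per hash, which is what a general-purpose PRNG is not designed to guarantee. Suggested wording: `A salt is generated for you using {@link ThreadLocalRandom}, which is not a cryptographic random source; for unpredictable, unique salts generate them with {@link SecureRandom} and call {@link #crypt(byte[], String)}.` The same paragraph is added to the crypt(String) overload in the @@ -80,7 +90,12 @@ hunk and would take the same wording. The enclosing method bodies lie outside the hunks.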
@@ -55,7 +63,9 @@ public class Crypt {
* @param keyBytes
* plaintext password
* @param salt
- * salt value
+ * real salt value without prefix or "rounds=". The salt may be null, in which case a salt is generated for
+ * you using {@link ThreadLocalRandom}; for more secure salts consider using {@link SecureRandom} to
+ * generate your own salts.
* @return hash value
* @throws IllegalArgumentException
* if the salt does not match the allowed pattern
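Review bot: The new @param text calls the argument a "real salt value without prefix or "rounds="", yet the @throws clause two lines below says the salt must match an allowed pattern, and a crypt(3)-style entry point that picks "the strongest algorithm" normally selects the algorithm from exactly that prefix (`$6$`, `$5$`, `$1$`); if this method dispatches on the prefix, the "without prefix" wording belongs to the per-algorithm helpers and is misleading here. Verify against the method body, which is outside the hunk, and if prefixed salts are accepted reword to something like `salt value, optionally carrying the algorithm prefix (and, for SHA-2, a rounds= specifier); may be null, in which case a salt is generated for you using {@link ThreadLocalRandom} — prefer {@link SecureRandom} for your own salts.` The same text is added to the crypt(String, String) overload in the @@ -140,7 +155,9 @@ hunk, where the context line "as entered by the used" also wants "user".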
@@ -80,7 +90,12 @@ public class Crypt {
* Calculates the digest using the strongest crypt(3) algorithm.
* <p>
* A random salt and the default algorithm (currently SHA-512) are used.
- *
+ * </p>
+ * <p>
+ * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
+ * {@link SecureRandom} to generate your own salts and calling {@link #crypt(String, String)}.
+ * </p>
+ *
* @see #crypt(String, String)
* @param key
* plaintext password
@@ -140,7 +155,9 @@ public class Crypt {
* @param key
* plaintext password as entered by the used
* @param salt
- * salt value
+ * real salt value without prefix or "rounds=". The salt may be null, in which case a salt is generated for
+ * you using {@link ThreadLocalRandom}; for more secure salts consider using {@link SecureRandom} to
+ * generate your own salts.
* @return hash value, i.e. encrypted password including the salt string
* @throws IllegalArgumentException
* if the salt does not match the allowed pattern