commons-commits mailing list archives

From ggreg...@apache.org
Subject svn commit: r1814679 - /commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/UnixCrypt.java
Date Thu, 09 Nov 2017 00:55:40 GMT
Author: ggregory
Date: Thu Nov  9 00:55:40 2017
New Revision: 1814679

URL: http://svn.apache.org/viewvc?rev=1814679&view=rev
Log:
Use ThreadLocalRandom instead of Random and update Javadocs for all public APIs in UnixCrypt.

Modified:
    commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/UnixCrypt.java

Modified: commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/UnixCrypt.java
URL: http://svn.apache.org/viewvc/commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/UnixCrypt.java?rev=1814679&r1=1814678&r2=1814679&view=diff
==============================================================================
--- commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/UnixCrypt.java
(original)
+++ commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/UnixCrypt.java
Thu Nov  9 00:55:40 2017
@@ -16,7 +16,8 @@
  */
 package org.apache.commons.codec.digest;
 
-import java.util.Random;
+import java.security.SecureRandom;
+import java.util.concurrent.ThreadLocalRandom;
 
 import org.apache.commons.codec.Charsets;
 
@@ -172,7 +173,9 @@ public class UnixCrypt {
     /**
      * Generates a crypt(3) compatible hash using the DES algorithm.
      * <p>
-     * As no salt is given, a random one will be used.
+     * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts
consider using
+     * {@link SecureRandom} to generate your own salts and calling {@link #crypt(byte[],
String)}.
+     * </p>
      *
      * @param original
      *            plaintext password
@@ -186,18 +189,21 @@ public class UnixCrypt {
      * Generates a crypt(3) compatible hash using the DES algorithm.
      * <p>
      * Using unspecified characters as salt results incompatible hash values.
-     *
+     * </p>
+     * 
      * @param original
      *            plaintext password
      * @param salt
-     *            a two character string drawn from [a-zA-Z0-9./] or null for a random one
+     *            a two character string drawn from [a-zA-Z0-9./]. The salt may be null,
in which case a salt is
+     *            generated for you using {@link ThreadLocalRandom}; for more secure salts
consider using
+     *            {@link SecureRandom} to generate your own salts.
      * @return a 13 character string starting with the salt string
      * @throws IllegalArgumentException
      *             if the salt does not match the allowed pattern
      */
     public static String crypt(final byte[] original, String salt) {
         if (salt == null) {
-            final Random randomGenerator = new Random();
+            final ThreadLocalRandom randomGenerator = ThreadLocalRandom.current();
             final int numSaltChars = SALT_CHARS.length;
             salt = "" + SALT_CHARS[randomGenerator.nextInt(numSaltChars)] +
                     SALT_CHARS[randomGenerator.nextInt(numSaltChars)];
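Review bot: The null-salt branch of `crypt(byte[], String)` still draws the default salt from a non-cryptographic generator: `ThreadLocalRandom.current()` avoids allocating a `new Random()` per call, but its output is no harder to predict than `Random`'s, and the Javadoc added in this same commit already steers callers to `SecureRandom` for stronger salts. The commit imports `java.security.SecureRandom` but, in the visible hunks, uses it only in `{@link}` tags, so the default could be made safe with `final SecureRandom randomGenerator = new SecureRandom();` while leaving the two `nextInt(numSaltChars)` calls unchanged. If that is adopted, the Javadoc added in the hunks at -172, -186, -253 and -269 should say the salt comes from `SecureRandom` rather than `ThreadLocalRandom`. The method body continues outside the hunk, so how the generated salt is validated afterwards cannot be checked from here.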
@@ -253,7 +259,9 @@ public class UnixCrypt {
     /**
      * Generates a crypt(3) compatible hash using the DES algorithm.
      * <p>
-     * As no salt is given, a random one is used.
+     * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts
consider using
+     * {@link SecureRandom} to generate your own salts and calling {@link #crypt(String,
String)}.
+     * </p>
      *
      * @param original
      *            plaintext password
@@ -269,7 +277,9 @@ public class UnixCrypt {
      * @param original
      *            plaintext password
      * @param salt
-     *            a two character string drawn from [a-zA-Z0-9./] or null for a random one
+     *            a two character string drawn from [a-zA-Z0-9./]. The salt may be null,
in which case a salt is
+     *            generated for you using {@link ThreadLocalRandom}; for more secure salts
consider using
+     *            {@link SecureRandom} to generate your own salts.
      * @return a 13 character string starting with the salt string
      * @throws IllegalArgumentException
      *             if the salt does not match the allowed pattern


