commons-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ggreg...@apache.org
Subject svn commit: r1814680 - in /commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest: Md5Crypt.java Sha2Crypt.java
Date Thu, 09 Nov 2017 00:57:19 GMT
Author: ggregory
Date: Thu Nov  9 00:57:19 2017
New Revision: 1814680

URL: http://svn.apache.org/viewvc?rev=1814680&view=rev
Log:
Update Javadocs to mention generating salts with ThreadLocalRandom internally and suggest
using SecureRandom.

Modified:
    commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Md5Crypt.java
    commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Sha2Crypt.java

Modified: commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Md5Crypt.java
URL: http://svn.apache.org/viewvc/commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Md5Crypt.java?rev=1814680&r1=1814679&r2=1814680&view=diff
==============================================================================
--- commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Md5Crypt.java
(original)
+++ commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Md5Crypt.java
Thu Nov  9 00:57:19 2017
@@ -17,7 +17,9 @@
 package org.apache.commons.codec.digest;
 
 import java.security.MessageDigest;
+import java.security.SecureRandom;
 import java.util.Arrays;
+import java.util.concurrent.ThreadLocalRandom;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -60,13 +62,16 @@ public class Md5Crypt {
     private static final int ROUNDS = 1000;
 
     /**
-     * See {@link #apr1Crypt(String, String)} for details.
-     *
-     * @param keyBytes
-     *            plaintext string to hash.
+     * See {@link #apr1Crypt(byte[], String)} for details.
+     * <p>
+     * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts
consider using
+     * {@link SecureRandom} to generate your own salts and calling {@link #apr1Crypt(byte[],
String)}.
+     * </p>
+     * 
+     * @param keyBytes plaintext string to hash.
      * @return the hash value
-     * @throws RuntimeException
-     *             when a {@link java.security.NoSuchAlgorithmException} is caught. *
+     * @throws RuntimeException when a {@link java.security.NoSuchAlgorithmException} is
caught. *
+     * @see #apr1Crypt(byte[], String)
      */
     public static String apr1Crypt(final byte[] keyBytes) {
         return apr1Crypt(keyBytes, APR1_PREFIX + B64.getRandomSalt(8));
@@ -74,10 +79,17 @@ public class Md5Crypt {
 
     /**
      * See {@link #apr1Crypt(String, String)} for details.
+     * <p>
+     * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts
consider using
+     * {@link SecureRandom} to generate your own salts.
+     * </p>
      *
      * @param keyBytes
      *            plaintext string to hash.
-     * @param salt An APR1 salt.
+     * @param salt
+     *            An APR1 salt. The salt may be null, in which case a salt is generated for
you using
+     *            {@link ThreadLocalRandom}; for more secure salts consider using {@link
SecureRandom} to generate your
+     *            own salts.
      * @return the hash value
      * @throws IllegalArgumentException
      *             if the salt does not match the allowed pattern
@@ -94,12 +106,17 @@ public class Md5Crypt {
 
     /**
      * See {@link #apr1Crypt(String, String)} for details.
+     * <p>
+     * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts
consider using
+     * {@link SecureRandom} to generate your own salts and calling {@link #apr1Crypt(byte[],
String)}.
+     * </p>
      *
      * @param keyBytes
      *            plaintext string to hash.
      * @return the hash value
      * @throws RuntimeException
      *             when a {@link java.security.NoSuchAlgorithmException} is caught.
+     * @see #apr1Crypt(byte[], String)
      */
     public static String apr1Crypt(final String keyBytes) {
         return apr1Crypt(keyBytes.getBytes(Charsets.UTF_8));
@@ -114,8 +131,9 @@ public class Md5Crypt {
      * @param keyBytes
      *            plaintext string to hash.
      * @param salt
-     *            salt string including the prefix and optionally garbage at the end. Will
be generated randomly if
-     *            null.
+     *            salt string including the prefix and optionally garbage at the end. The
salt may be null, in which
+     *            case a salt is generated for you using {@link ThreadLocalRandom}; for more
secure salts consider using
+     *            {@link SecureRandom} to generate your own salts.
      * @return the hash value
      * @throws IllegalArgumentException
      *             if the salt does not match the allowed pattern
@@ -129,13 +147,18 @@ public class Md5Crypt {
     /**
      * Generates a libc6 crypt() compatible "$1$" hash value.
      * <p>
-     * See {@link Crypt#crypt(String, String)} for details.
-     *
+     * See {@link #md5Crypt(byte[], String)} for details.
+     *</p>
+     * <p>
+     * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts
consider using
+     * {@link SecureRandom} to generate your own salts and calling {@link #md5Crypt(byte[],
String)}.
+     * </p>
      * @param keyBytes
      *            plaintext string to hash.
      * @return the hash value
      * @throws RuntimeException
      *             when a {@link java.security.NoSuchAlgorithmException} is caught.
+     * @see #md5Crypt(byte[], String)
      */
     public static String md5Crypt(final byte[] keyBytes) {
         return md5Crypt(keyBytes, MD5_PREFIX + B64.getRandomSalt(8));
@@ -145,12 +168,14 @@ public class Md5Crypt {
      * Generates a libc crypt() compatible "$1$" MD5 based hash value.
      * <p>
      * See {@link Crypt#crypt(String, String)} for details.
-     *
+     * </p>
+     * 
      * @param keyBytes
      *            plaintext string to hash.
      * @param salt
-     *            salt string including the prefix and optionally garbage at the end. Will
be generated randomly if
-     *            null.
+     *            salt string including the prefix and optionally garbage at the end. The
salt may be null, in which
+     *            case a salt is generated for you using {@link ThreadLocalRandom}; for more
secure salts consider using
+     *            {@link SecureRandom} to generate your own salts.
      * @return the hash value
      * @throws IllegalArgumentException
      *             if the salt does not match the allowed pattern
@@ -165,11 +190,16 @@ public class Md5Crypt {
      * Generates a libc6 crypt() "$1$" or Apache htpasswd "$apr1$" hash value.
      * <p>
      * See {@link Crypt#crypt(String, String)} or {@link #apr1Crypt(String, String)} for
details.
-     *
+     * </p>
+     * 
      * @param keyBytes
      *            plaintext string to hash.
-     * @param salt May be null.
-     * @param prefix salt prefix
+     * @param salt
+     *            real salt value without prefix or "rounds=". The salt may be null, in which
case a salt is generated for
+     *            you using {@link ThreadLocalRandom}; for more secure salts consider using
{@link SecureRandom} to
+     *            generate your own salts.
+     * @param prefix
+     *            salt prefix
      * @return the hash value
      * @throws IllegalArgumentException
      *             if the salt does not match the allowed pattern

Modified: commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Sha2Crypt.java
URL: http://svn.apache.org/viewvc/commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Sha2Crypt.java?rev=1814680&r1=1814679&r2=1814680&view=diff
==============================================================================
--- commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Sha2Crypt.java
(original)
+++ commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/digest/Sha2Crypt.java
Thu Nov  9 00:57:19 2017
@@ -18,7 +18,9 @@ package org.apache.commons.codec.digest;
 
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Arrays;
+import java.util.concurrent.ThreadLocalRandom;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -72,7 +74,12 @@ public class Sha2Crypt {
      * Generates a libc crypt() compatible "$5$" hash value with random salt.
      * <p>
      * See {@link Crypt#crypt(String, String)} for details.
-     *
+     * </p>
+     * <p>
+     * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts
consider using
+     * {@link SecureRandom} to generate your own salts and calling {@link #sha256Crypt(byte[],
String)}.
+     * </p>
+     * 
      * @param keyBytes
      *            plaintext to hash
      * @return complete hash value
@@ -87,11 +94,13 @@ public class Sha2Crypt {
      * Generates a libc6 crypt() compatible "$5$" hash value.
      * <p>
      * See {@link Crypt#crypt(String, String)} for details.
-     *
+     * </p>
      * @param keyBytes
      *            plaintext to hash
      * @param salt
-     *            real salt value without prefix or "rounds="
+     *            real salt value without prefix or "rounds=". The salt may be null, in which
case a salt is generated for
+     *            you using {@link ThreadLocalRandom}; for more secure salts consider using
{@link SecureRandom} to
+     *            generate your own salts.
      * @return complete hash value including salt
      * @throws IllegalArgumentException
      *             if the salt does not match the allowed pattern
@@ -116,7 +125,7 @@ public class Sha2Crypt {
      * @param keyBytes
      *            plaintext to hash
      * @param salt
-     *            real salt value without prefix or "rounds="
+     *            real salt value without prefix or "rounds="; may not be null
      * @param saltPrefix
      *            either $5$ or $6$
      * @param blocksize
@@ -510,6 +519,11 @@ public class Sha2Crypt {
      * Generates a libc crypt() compatible "$6$" hash value with random salt.
      * <p>
      * See {@link Crypt#crypt(String, String)} for details.
+     * </p>
+     * <p>
+     * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts
consider using
+     * {@link SecureRandom} to generate your own salts and calling {@link #sha512Crypt(byte[],
String)}.
+     * </p>
      *
      * @param keyBytes
      *            plaintext to hash
@@ -525,11 +539,13 @@ public class Sha2Crypt {
      * Generates a libc6 crypt() compatible "$6$" hash value.
      * <p>
      * See {@link Crypt#crypt(String, String)} for details.
-     *
+     * </p>
      * @param keyBytes
      *            plaintext to hash
      * @param salt
-     *            real salt value without prefix or "rounds="
+     *            real salt value without prefix or "rounds=". The salt may be null, in which
case a salt is generated for
+     *            you using {@link ThreadLocalRandom}; for more secure salts consider using
{@link SecureRandom} to
+     *            generate your own salts.
      * @return complete hash value including salt
      * @throws IllegalArgumentException
      *             if the salt does not match the allowed pattern



Mime
View raw message