Return-Path: X-Original-To: apmail-commons-dev-archive@www.apache.org Delivered-To: apmail-commons-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 137FC17355 for ; Wed, 18 Mar 2015 16:09:55 +0000 (UTC) Received: (qmail 78793 invoked by uid 500); 18 Mar 2015 16:09:45 -0000 Delivered-To: apmail-commons-dev-archive@commons.apache.org Received: (qmail 78657 invoked by uid 500); 18 Mar 2015 16:09:45 -0000 Mailing-List: contact dev-help@commons.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Commons Developers List" Delivered-To: mailing list dev@commons.apache.org Received: (qmail 78644 invoked by uid 99); 18 Mar 2015 16:09:45 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 18 Mar 2015 16:09:45 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of garydgregory@gmail.com designates 209.85.212.182 as permitted sender) Received: from [209.85.212.182] (HELO mail-wi0-f182.google.com) (209.85.212.182) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 18 Mar 2015 16:09:20 +0000 Received: by wibdy8 with SMTP id dy8so94373407wib.0 for ; Wed, 18 Mar 2015 09:07:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=HY1YC98SgLWV3oedNJpE4HkqZqNLiCrNghxS+p0dKyI=; b=H3PwwIh2IM4j57XP9SaAQbOrUO2BsYhtWRUkN9GE3qAIRy27HWevhvoXL0yV28+GGH CokU9ARhQfVGFzmvAimHNVnMzWz9zN34rmk9YevMqjk3KBRcYvJg4hHfoizhxoxOwVRU pFZXcv/e6Lffnx40ihWhRDejYKcNnHPS1NyS7LAGbKUX4sAVYIMezvETuO4H+pF9IqH4 J8jPRCFYedX9IPdySSafh7H2zGS7/U8Tsq9KqzeOz9/y02xmpITnDJqPnviXZDrvzZI+ S/v2XTprPqienDEVfCyi4vfk4mxX++fYfB6ZQVkzoximDnMjThiE08RS0+vSTzaW9y9L xxpA== MIME-Version: 1.0 X-Received: by 10.180.206.13 with SMTP id lk13mr8044994wic.35.1426694868696; Wed, 18 Mar 2015 09:07:48 -0700 (PDT) Received: by 10.27.83.198 with HTTP; Wed, 18 Mar 2015 09:07:48 -0700 (PDT) In-Reply-To: References: Date: Wed, 18 Mar 2015 09:07:48 -0700 Message-ID: Subject: Re: [PROPOSAL] Create new sandbox component "Commons Crypto" From: Gary Gregory To: Commons Developers List Content-Type: multipart/alternative; boundary=001a11c37f9cda0821051192487b X-Virus-Checked: Checked by ClamAV on apache.org --001a11c37f9cda0821051192487b Content-Type: text/plain; charset=UTF-8 +1, nice thought. Gary On Wed, Mar 18, 2015 at 5:57 AM, Duncan Jones wrote: > Hi everyone, > > I would like to begin work on a new sandbox component, Commons Crypto, > that makes it easier for developers to use crypto from the standard > Java libraries. The component would have two goals: 1) To make it > harder for users to make typical crypto errors, 2) To make it easier > to perform common crypto tasks. Some select examples are below: > > Typical errors to avoid: > - Weak conversion of passwords to keys. > - Specifying algorithms that rely on system defaults. > - Bad conversions of ciphertext to strings. > - Encryption/decryption of strings without charsets. > > Common tasks that could be easier: > - Specifying typical algorithms without figuring out > "AES/CBC/PKCS5Padding". > - Working with X.509 certificates > - Generating keys (particularly using password derivation). > > The scope of this library would be limited to the most commonly used > algorithms, key sizes, etc. The goal is to satisfy 80-90% of potential > use cases with a really well documented, compact library. Given that > crypto is confusing to many, documentation will be exceptionally > verbose. > > Two existing open-source libraries might spring to mind when > considering this proposal: BouncyCastle [1] is a well-known crypto > library with a Java implementation. However, this has different goals, > namely to implement actual crypto algorithms. Commons Crypto, by > contrast, is focussed on working with existing JDK implementations. > JASYPT [2] is another library aimed at simplifying use of encryption, > yet in my mind it goes too far, focussing only on password-based > encryption, with limited control over how that's carried out. > > If no-one objects, I'll begin work on this component, asking the Infra > team to create a new Git repository. Before committing any code, I'll > follow the instructions at [3] to ensure this project is compliant > with US Export Control Laws. > > Comments, thoughts and objections very welcome. > > Kind regards, > > Duncan > > > [1] https://www.bouncycastle.org/java.html > [2] http://www.jasypt.org/ > [3] http://www.apache.org/dev/crypto.html > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org > For additional commands, e-mail: dev-help@commons.apache.org > > -- E-Mail: garydgregory@gmail.com | ggregory@apache.org Java Persistence with Hibernate, Second Edition JUnit in Action, Second Edition Spring Batch in Action Blog: http://garygregory.wordpress.com Home: http://garygregory.com/ Tweet! http://twitter.com/GaryGregory --001a11c37f9cda0821051192487b--