commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Felix Kaser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CODEC-182) Allow real salts in Sha2Crypt
Date Wed, 26 Feb 2014 06:17:20 GMT

    [ https://issues.apache.org/jira/browse/CODEC-182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13912563#comment-13912563
] 

Felix Kaser commented on CODEC-182:
-----------------------------------

I understand your inclination. It is definitely the easier choice. But I don't like the inconsistencies
it introduces.

The javadoc for Crypt.crypt() actually explains it really well.

What about sanity checks? Should it be possible to enter a salt that starts with $5$ for SHA512?
I think one of the best ways would be to avoid using the Sha2 class at all but go through
Crypt.crypt() which selects the implementation based on the salt prefix.

> Allow real salts in Sha2Crypt
> -----------------------------
>
>                 Key: CODEC-182
>                 URL: https://issues.apache.org/jira/browse/CODEC-182
>             Project: Commons Codec
>          Issue Type: Bug
>    Affects Versions: 1.9
>            Reporter: Felix Kaser
>            Priority: Minor
>
> The javadoc for all the methods in Sha2Crypt clearly states to pass a "real salt" in
as parameter, without prefix and without "rounds=...". But the crypt method first of all checks
if the salt matches a regex pattern, which requires it to contain at least a leading $5$ or
$6$, possibly a rounds=... and then the real salt.
> Imho either the javadoc should be adapted to tell developers which salt to pass in, or
the crypt method should match the salt after adding the prefix itself.
> I am new to the apache commons community, so please correct me if I'm totally wrong here.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message