RFR: 8281561: Disable http DIGEST mechanism with MD5 by default
Michael McMahon
michaelm at openjdk.java.net
Mon Mar 7 12:00:59 UTC 2022
On Fri, 4 Mar 2022 16:26:52 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Hi,
>>
>> Could I get the following change reviewed please, which is to disable the MD5 message digest algorithm by default in the HTTP Digest authentication mechanism? The algorithm can be opted into by setting a new system property "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also updates the Digest authentication implementation to use some of the more secure features defined in RFC7616, such as username hashing and additional digest algorithms like SHA256 and SHA512-256.
>>
>> - Michael
>
> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java line 658:
>
>> 656: // truncate256 means only use the last 256 bits of the digest (32 bytes)
>> 657: private String encode(String src, char[] passwd, MessageDigest md, boolean truncate256) {
>> 658: md.update(src.getBytes(ISO_8859_1.INSTANCE));
>
> Maybe we can support the "charset" parameter as well. The only allowed value is "UTF-8".
I'll look into supporting that.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
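The RFC 7616 behaviour this thread touches on (a SHA-256 response in place of MD5 with MD5 only on explicit opt-in, username hashing, and the charset parameter raised in the review) worked through as an added example in Python. This is not the JDK code under review: the `re_enabled` set is this example's stand-in for the opt-in the PR describes, the `Challenge` dataclass and all function names are this example's own, and the sample realm, nonce and credentials are constructed values.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Assumption for this example: MD5 is refused unless the caller opts in. The
# `re_enabled` set passed to the functions below stands in for an opt-in such
# as the property described in the PR; it is not the JDK API.
DISABLED_BY_DEFAULT: FrozenSet[str] = frozenset({"MD5"})
# sha512_256 availability in hashlib depends on the OpenSSL build.
HASHLIB_NAMES = {"MD5": "md5", "SHA-256": "sha256", "SHA-512-256": "sha512_256"}


class AlgorithmDisabledError(Exception):
    """Raised when the challenge names a digest that policy has disabled."""


@dataclass(frozen=True)
class Challenge:
    """The WWW-Authenticate: Digest parameters this example consumes."""
    realm: str
    nonce: str
    algorithm: str = "SHA-256"      # e.g. "SHA-256", "SHA-256-sess", "MD5"
    qop: str = "auth"               # "auth" or "auth-int"
    userhash: bool = False          # RFC 7616 section 3.4.4
    charset: Optional[str] = None   # RFC 7616 section 3.3: only "UTF-8" is allowed
    opaque: Optional[str] = None


def _hasher(algorithm: str, re_enabled: FrozenSet[str]):
    """Return a hex-digest function for `algorithm`, enforcing the MD5 policy."""
    base = algorithm[:-5] if algorithm.endswith("-sess") else algorithm
    if base in DISABLED_BY_DEFAULT and base not in re_enabled:
        raise AlgorithmDisabledError(f"{base} is disabled by default; opt in explicitly")
    if base not in HASHLIB_NAMES:
        raise ValueError(f"unsupported Digest algorithm {algorithm!r}")
    name = HASHLIB_NAMES[base]
    return lambda data: hashlib.new(name, data).hexdigest()


def _credential_encoding(challenge: Challenge) -> str:
    # Without charset=UTF-8 in the challenge, username and password are hashed
    # as ISO-8859-1 bytes (the RFC 2617 behaviour, and what the quoted JDK line does).
    return "utf-8" if (challenge.charset or "").upper() == "UTF-8" else "iso-8859-1"


def _encode_credential(text: str, encoding: str) -> bytes:
    try:
        return text.encode(encoding)
    except UnicodeEncodeError as exc:
        raise ValueError(f"{text!r} is not representable in {encoding}; "
                         "the server must offer charset=UTF-8") from exc


def hash_username(username: str, challenge: Challenge,
                  re_enabled: FrozenSet[str] = frozenset()) -> str:
    """RFC 7616 userhash: H(unq(username) ":" unq(realm))."""
    h = _hasher(challenge.algorithm, re_enabled)
    enc = _credential_encoding(challenge)
    return h(_encode_credential(username, enc) + b":" + _encode_credential(challenge.realm, enc))


def digest_response(method: str, uri: str, username: str, password: str,
                    challenge: Challenge, cnonce: str, nc: int = 1, body: bytes = b"",
                    re_enabled: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Compute the Authorization parameters for one request (RFC 7616 section 3.4)."""
    h = _hasher(challenge.algorithm, re_enabled)
    enc = _credential_encoding(challenge)
    # A1 always uses the real username, even with userhash=true; only the
    # username field of the Authorization header carries the hash.
    a1 = b":".join(_encode_credential(s, enc) for s in (username, challenge.realm, password))
    ha1 = h(a1)
    if challenge.algorithm.endswith("-sess"):
        ha1 = h(f"{ha1}:{challenge.nonce}:{cnonce}".encode("latin-1"))
    a2 = f"{method}:{uri}" if challenge.qop != "auth-int" else f"{method}:{uri}:{h(body)}"
    ha2 = h(a2.encode("latin-1"))
    nc_hex = f"{nc:08x}"
    response = h(f"{ha1}:{challenge.nonce}:{nc_hex}:{cnonce}:{challenge.qop}:{ha2}".encode("latin-1"))
    params = {
        "username": hash_username(username, challenge, re_enabled) if challenge.userhash else username,
        "realm": challenge.realm, "uri": uri, "algorithm": challenge.algorithm,
        "nonce": challenge.nonce, "nc": nc_hex, "cnonce": cnonce, "qop": challenge.qop,
        "response": response,
    }
    if challenge.userhash:
        params["userhash"] = "true"
    if challenge.opaque:
        params["opaque"] = challenge.opaque
    return params


def authorization_header(params: Dict[str, str]) -> str:
    """Serialise to an Authorization header value; nc, qop, algorithm and userhash are tokens."""
    unquoted = {"nc", "qop", "algorithm", "userhash"}
    return "Digest " + ", ".join(f"{k}={v}" if k in unquoted else f'{k}="{v}"'
                                 for k, v in params.items())


if __name__ == "__main__":
    # Constructed sample challenge; the realm and user follow the RFC 7616 example naming.
    chal = Challenge(realm="http-auth@example.org", nonce="n0nce", userhash=True, charset="UTF-8")
    print(authorization_header(digest_response("GET", "/dir/index.html", "Mufasa",
                                               "Circle of Life", chal, cnonce="cn0nce")))
```

Two points worth noticing when running it: a password such as "Straße" yields a different response depending on whether the challenge carried charset=UTF-8, because the ISO-8859-1 and UTF-8 byte strings of that password differ, so client and server must agree on the charset before hashing; and a password containing a character outside Latin-1 cannot be used at all unless the server offers charset=UTF-8, which is why the example raises rather than silently substituting.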
More information about the net-dev mailing list