RFR: 8281561: Disable http DIGEST mechanism with MD5 by default
Weijun Wang
weijun at openjdk.java.net
Mon Mar 7 14:26:08 UTC 2022
On Mon, 7 Mar 2022 11:01:16 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
>> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java line 670:
>>
>>> 668: if (truncate256) {
>>> 669: assert digest.length >= 32;
>>> 670: start = digest.length - 32;
>>
>> Does this mean the left half is truncated? My understanding is that the right half should be.
>
> Okay, I'll double-check that. I haven't found any server implementations of this feature to test with yet,
The 2nd test of https://datatracker.ietf.org/doc/html/rfc7616#section-3.9 is on this algorithm, but it requires UTF-8 charset support and a way to provide a predefined cnonce. If it's not worth modifying our implementation to create a regression test, I think at least we can temporarily hack our own JDK and try it on that. And I think it's most likely true that this algorithm uses a different initialization vector, as Bernd pointed out.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
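The point raised above (different initialization vector, and which half of the digest survives) can be checked without a server: SHA-512/256 as defined in FIPS 180-4 runs the SHA-512 compression function from its own initial hash value, itself generated by hashing the ASCII string "SHA-512/256" with the SHA-512 IV XORed with a5a5..a5, and keeps the leftmost 256 bits of the final state. Neither `digest[:32]` nor `digest[-32:]` of a plain SHA-512 equals it. The following is an added example, not JDK code and not from this PR; it is written in Python rather than Java so the arithmetic can be checked offline against `hashlib.sha512`, with every constant derived the way the standard specifies instead of typed in. The Digest credentials, nonce and predefined cnonce in `CHALLENGE` are constructed for the example and are not the RFC 7616 section 3.9 values; the non-ASCII username is there only to exercise the UTF-8 encoding that `charset=UTF-8` implies.

```python
# Added example, not JDK code: SHA-512/256 is SHA-512's compression function with
# its own IV and the LEFTMOST 256 bits kept (FIPS 180-4); it is not SHA-512 cut in
# half. Constants are derived as the standard specifies, and the SHA-512 core is
# checked against hashlib, so no OpenSSL 'sha512_256' support is required.
import hashlib
import math
import struct

MASK64 = (1 << 64) - 1


def _primes(n):
    """First n primes (trial division; n is at most 80 here)."""
    out, cand = [], 2
    while len(out) < n:
        if all(cand % p for p in out if p * p <= cand):
            out.append(cand)
        cand += 1
    return out


def _icbrt(n):
    """floor(cbrt(n)) for a positive integer: Newton iteration started from above."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# K[t] = first 64 fractional bits of cbrt(t-th prime); SHA-512 IV likewise from sqrt.
_P = _primes(80)
K = [_icbrt(p << 192) & MASK64 for p in _P]
SHA512_IV = [math.isqrt(p << 128) & MASK64 for p in _P[:8]]


def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def sha512_core(iv, msg):
    """SHA-512 padding + compression from state iv; returns the full 64-byte final state."""
    h = list(iv)
    bitlen = len(msg) * 8
    msg = msg + b"\x80" + b"\x00" * ((-len(msg) - 17) % 128) + bitlen.to_bytes(16, "big")
    for off in range(0, len(msg), 128):
        w = list(struct.unpack(">16Q", msg[off:off + 128]))
        for t in range(16, 80):
            s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
            s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
        a, b, c, d, e, f, g, hh = h
        for t in range(80):
            t1 = (hh + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41))
                  + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK64
            t2 = ((_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39))
                  + ((a & b) ^ (a & c) ^ (b & c))) & MASK64
            a, b, c, d, e, f, g, hh = (t1 + t2) & MASK64, a, b, c, (d + t1) & MASK64, e, f, g
        h = [(x + y) & MASK64 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(x.to_bytes(8, "big") for x in h)


def sha512_256_iv():
    """FIPS 180-4 5.3.6: SHA-512 of the ASCII string "SHA-512/256" from the IV XORed with a5..a5."""
    seed = [x ^ 0xA5A5A5A5A5A5A5A5 for x in SHA512_IV]
    return list(struct.unpack(">8Q", sha512_core(seed, b"SHA-512/256")))


SHA512_256_IV = sha512_256_iv()


def sha512_256(msg):
    """SHA-512/256: own IV, then the LEFTMOST 32 bytes of the final state."""
    return sha512_core(SHA512_256_IV, msg)[:32]


def sha512_half(msg, keep_right):
    """Naive truncation of plain SHA-512; keep_right=True mirrors start = digest.length - 32."""
    d = hashlib.sha512(msg).digest()
    return d[-32:] if keep_right else d[:32]


def matches_hashlib_sha512(msg):
    """Self-check: this SHA-512 core with the standard IV must agree with hashlib.sha512."""
    return sha512_core(SHA512_IV, msg) == hashlib.sha512(msg).digest()


def digest_response(H, username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 7616 response with qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2)), strings UTF-8 encoded."""
    hx = lambda s: H(s.encode("utf-8")).hex()
    ha1 = hx(f"{username}:{realm}:{password}")
    ha2 = hx(f"{method}:{uri}")
    return hx(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Constructed values for this example (not RFC 7616 3.9); the cnonce is fixed so runs repeat.
CHALLENGE = dict(username="Zo\u00eb Doe", realm="example.test", password="Secret, or not?",
                 method="GET", uri="/doe.json", nonce="fixed-nonce-0001", nc="00000001",
                 cnonce="fixed-cnonce-0001")


def responses():
    """The same exchange under SHA-512/256 and both naive truncations; all three differ."""
    return {"SHA-512/256": digest_response(sha512_256, **CHALLENGE),
            "sha512[:32]": digest_response(lambda m: sha512_half(m, False), **CHALLENGE),
            "sha512[-32:]": digest_response(lambda m: sha512_half(m, True), **CHALLENGE)}


if __name__ == "__main__":
    for name, r in responses().items():
        print(f"{name:13} {r}")
```

Running it prints three different `response` values for one and the same challenge, so a client that truncates SHA-512 (from either end) will never authenticate against a server that implements `algorithm=SHA-512-256` correctly. On the JDK side, `MessageDigest.getInstance("SHA-512/256")` has been available since JDK 9, which avoids truncating a "SHA-512" digest at all.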