RFR: 8281561: Disable http DIGEST mechanism with MD5 by default [v3]
Weijun Wang
weijun at openjdk.java.net
Fri Mar 11 18:14:48 UTC 2022
On Fri, 11 Mar 2022 17:37:44 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
>> Hi,
>>
>> Could I get the following change reviewed please, which is to disable the MD5 message digest algorithm by default in the HTTP Digest authentication mechanism? The algorithm can be opted into by setting a new system property "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also updates the Digest authentication implementation to use some of the more secure features defined in RFC7616, such as username hashing and additional digest algorithms like SHA256 and SHA512-256.
>>
>> - Michael
>
> Michael McMahon has updated the pull request incrementally with one additional commit since the last revision:
>
> update after second review round
Please remove `src/java.base/share/classes/java/util/.Random.java.swp`.
src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java line 430:
> 428: algorithm = "MD5"; // The default, accoriding to rfc2069
> 429: }
> 430: var oid = KnownOIDs.findMatch(algorithm.toUpperCase(Locale.ROOT));
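Review bot: the MD5 fallback on line 428, taken when a challenge omits the `algorithm` parameter, needs to pass through the same `http.auth.digest.reEnabledAlgs` check as an explicit `algorithm=MD5`; otherwise a server that simply leaves the parameter out gets MD5 without the opt-in the change is meant to require. Also, "accoriding" in that comment should read "according".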
No need to call `toUpperCase`. `findMatch` already called that. On the other hand, we don't support the name `SHA-512-256`, and if you translate it to stdName here there is no need to do it again in `computeUserhash`.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
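As an added illustration of the behaviour discussed in this thread (this is not code from the PR or from the JDK), the following Python model computes an RFC 7616 Digest response behind an algorithm allow-list: MD5 is refused unless it appears in an opt-in list parsed the way the `http.auth.digest.reEnabledAlgs` property is described, the RFC 2069 default of MD5 for challenges without `algorithm` goes through that same check, and `userhash=true` replaces the cleartext username. The allow-list contents, the `-sess` handling and the header assembly are assumptions made for the example; the MD5 test vector is the one from RFC 2617 section 3.5, and the SHA-256 challenge values are constructed.

```python
# Added example, not the JDK's or the PR's code: RFC 7616 Digest response
# computation behind an algorithm allow-list (MD5 off unless re-enabled).
import hashlib
from typing import FrozenSet, Optional, Tuple

# Assumed default policy: accepted without any opt-in.
DEFAULT_ENABLED: FrozenSet[str] = frozenset({"SHA-256", "SHA-512-256"})

# RFC 7616 wire token -> hashlib constructor name. "SHA-512-256" is the wire
# token; the JCA standard name is "SHA-512/256", the translation the review
# comment above refers to.
_HASHLIB_NAME = {"MD5": "md5", "SHA-256": "sha256", "SHA-512-256": "sha512_256"}


def parse_re_enabled(prop_value: Optional[str]) -> FrozenSet[str]:
    """Parse a comma-separated opt-in list (assumed format of the property)."""
    if not prop_value:
        return frozenset()
    return frozenset(t.strip().upper() for t in prop_value.split(",") if t.strip())


def select_algorithm(challenge_alg: Optional[str],
                     re_enabled: FrozenSet[str] = frozenset()) -> Tuple[str, bool]:
    """Normalise the challenge token and apply the allow-list.

    Returns (base token, is_sess). A missing parameter defaults to MD5
    (RFC 2069) and is subject to the same policy check as algorithm=MD5.
    """
    token = (challenge_alg or "MD5").strip().upper()
    session = token.endswith("-SESS")
    base = token[:-5] if session else token
    if base not in _HASHLIB_NAME:
        raise ValueError(f"unsupported digest algorithm: {token}")
    if base not in DEFAULT_ENABLED and base not in re_enabled:
        raise ValueError(f"digest algorithm {base} is disabled by default")
    return base, session


def is_allowed(challenge_alg: Optional[str],
               re_enabled: FrozenSet[str] = frozenset()) -> bool:
    """Boolean view of select_algorithm for callers that only need yes/no."""
    try:
        select_algorithm(challenge_alg, re_enabled)
        return True
    except ValueError:
        return False


def _h(alg: str, data: str) -> str:
    return hashlib.new(_HASHLIB_NAME[alg], data.encode("utf-8")).hexdigest()


def userhash(alg: str, username: str, realm: str) -> str:
    """RFC 7616 section 3.4.4: H(username ":" realm), sent when userhash=true."""
    return _h(alg, f"{username}:{realm}")


def digest_response(alg: str, session: bool, username: str, realm: str,
                    password: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response= value for qop=auth (RFC 7616 section 3.4.1)."""
    a1 = _h(alg, f"{username}:{realm}:{password}")
    if session:  # "-sess": A1 additionally binds nonce and cnonce
        a1 = _h(alg, f"{a1}:{nonce}:{cnonce}")
    a2 = _h(alg, f"{method}:{uri}")
    return _h(alg, f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}")


def authorization_header(alg: str, session: bool, username: str, realm: str,
                         password: str, method: str, uri: str, nonce: str,
                         nc: str, cnonce: str, use_userhash: bool) -> str:
    """Assemble the Authorization header; with userhash the cleartext
    username is replaced by H(username:realm)."""
    token = alg + ("-sess" if session else "")
    user = userhash(alg, username, realm) if use_userhash else username
    response = digest_response(alg, session, username, realm, password,
                               method, uri, nonce, nc, cnonce)
    fields = [f'username="{user}"', f'realm="{realm}"', f'uri="{uri}"',
              f"algorithm={token}", f'nonce="{nonce}"', f"nc={nc}",
              f'cnonce="{cnonce}"', "qop=auth", f'response="{response}"']
    if use_userhash:
        fields.append("userhash=true")
    return "Digest " + ", ".join(fields)


if __name__ == "__main__":
    # Challenge without algorithm: MD5 default, rejected under default policy.
    print("MD5 default allowed without opt-in:", is_allowed(None))
    # Same challenge once MD5 is re-enabled (RFC 2617 section 3.5 vector).
    alg, sess = select_algorithm(None, parse_re_enabled("MD5"))
    print(authorization_header(alg, sess, "Mufasa", "testrealm@host.com",
                               "Circle Of Life", "GET", "/dir/index.html",
                               "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                               "00000001", "0a4f113b", False))
    # SHA-256 with userhash, constructed challenge values.
    alg, sess = select_algorithm("SHA-256")
    print(authorization_header(alg, sess, "Mufasa", "http-auth@example.org",
                               "Circle of Life", "GET", "/dir/index.html",
                               "constructed-nonce", "00000001",
                               "constructed-cnonce", True))
```

Running the module prints `False` for the un-opted-in MD5 default, the RFC 2617 header (whose `response` is `6629fae49393a05397450978507c4ef1`) once MD5 is listed, and a SHA-256 header carrying a 64-hex-character `username` plus `userhash=true`.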