[
https://issues.apache.org/jira/browse/CODEC-182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13912563#comment-13912563
]
Felix Kaser commented on CODEC-182:
-----------------------------------
I understand your inclination. It is definitely the easier choice. But I don't
like the inconsistencies it introduces.
The javadoc for Crypt.crypt() actually explains it really well.
What about sanity checks? Should it be possible to enter a salt that starts
with $5$ for SHA512? I think one of the best ways would be to avoid using the
Sha2 class at all but go through Crypt.crypt() which selects the implementation
based on the salt prefix.
> Allow real salts in Sha2Crypt
> -----------------------------
>
> Key: CODEC-182
> URL: https://issues.apache.org/jira/browse/CODEC-182
> Project: Commons Codec
> Issue Type: Bug
> Affects Versions: 1.9
> Reporter: Felix Kaser
> Priority: Minor
>
> The javadoc for all the methods in Sha2Crypt clearly states to pass a "real
> salt" in as parameter, without prefix and without "rounds=...". But the crypt
> method first of all checks if the salt matches a regex pattern, which
> requires it to contain at least a leading $5$ or $6$, possibly a rounds=...
> and then the real salt.
> Imho either the javadoc should be adapted to tell developers which salt to
> pass in, or the crypt method should match the salt after adding the prefix
> itself.
> I am new to the apache commons community, so please correct me if I'm totally
> wrong here.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)