On Fri, 4 Mar 2022 16:26:52 GMT, Weijun Wang <[email protected]> wrote:
>> Hi,
>>
>> Could I get the following change reviewed please, which is to disable the
>> MD5 message digest algorithm by default in the HTTP Digest authentication
>> mechanism? The algorithm can be opted into by setting a new system property
>> "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also
>> updates the Digest authentication implementation to use some of the more
>> secure features defined in RFC7616, such as username hashing and additional
>> digest algorithms like SHA256 and SHA512-256.
>>
>> - Michael
>
> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java
> line 658:
>
>> 656: // truncate256 means only use the last 256 bits of the digest (32
>> bytes)
>> 657: private String encode(String src, char[] passwd, MessageDigest md,
>> boolean truncate256) {
>> 658: md.update(src.getBytes(ISO_8859_1.INSTANCE));
>
> Maybe we can support the "charset" parameter as well. The only allowed value
> is "UTF-8".
I'll look into supporting that.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
