Hi Thilo,

On 02/25/2017 06:31 PM, Thilo-Alexander Ginkel wrote:
> 1. There is an existing BCrypt implementation for Java, jBCrypt [1, 2]
> licensed under the ISC license, which is compatible with the Apache
> License 2.0 according to [3]. Do you consider it acceptable to
> introduce a new dependency to support a new encryption algorithm?
> AFAICS the dependency would need to be added to
> org.apache.directory.api:api-ldap-model.

In general that sounds ok. The library is minimal, contains only the one
BCrypt class, no further dependencies. (Side note: the same class is
meanwhile used, in modified form, in Spring Security [5].) The only question
is whether additional paperwork is required [4].

On the other hand, ApacheDS (but not the API) already uses the Bouncycastle
dependency, which also contains a BCrypt implementation.

3rd option: commons-codec has support for other Unix crypt variants, but
BCrypt is missing. Maybe it makes sense to add BCrypt there?

> 2. Would you prefer an implementation as crypt variant (sub-prefix
> $2a$) or a separate algorithm?

Using {crypt}$2a$... would be my preferred choice. We already support
the MD5-based {crypt} variant and also the $5$ and $6$ variants.

Kind Regards,
Stefan

[4] https://www.apache.org/dev/crypto.html
[5] https://github.com/spring-projects/spring-security/blob/master/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
[6] https://issues.apache.org/jira/browse/CODEC-133
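As an added illustration of the {crypt} sub-prefix dispatch discussed above (not code from the Apache Directory API or from jBCrypt), here is a verifier that routes $2a$ values to jBCrypt and $1$/$5$/$6$ values to commons-codec. The class and method names are my own; it assumes org.mindrot.jbcrypt.BCrypt and org.apache.commons.codec.digest.Crypt are on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.apache.commons.codec.digest.Crypt; // $1$, $5$, $6$ variants (commons-codec)
import org.mindrot.jbcrypt.BCrypt;            // $2a$ variant (jBCrypt)

/** Verifies a userPassword value of the form {crypt}$id$salt$hash, dispatching on $id$. */
public final class CryptPasswordVerifier {
    private static final String SCHEME = "{crypt}";

    /** Returns true only when cleartext matches the stored {crypt} value. */
    public static boolean verify(String cleartext, String stored) {
        if (stored == null || !stored.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            return false; // not a {crypt} value; other schemes are out of scope here
        }
        String hash = stored.substring(SCHEME.length());
        try {
            switch (subPrefix(hash)) {
                case "$2a$":
                    // jBCrypt reads cost and salt from the stored hash itself
                    return BCrypt.checkpw(cleartext, hash);
                case "$1$":
                case "$5$":
                case "$6$": {
                    // commons-codec re-derives the hash from the salt (and rounds) embedded in it
                    byte[] expected = hash.getBytes(StandardCharsets.UTF_8);
                    byte[] actual = Crypt.crypt(cleartext, hash).getBytes(StandardCharsets.UTF_8);
                    return MessageDigest.isEqual(expected, actual); // constant-time compare
                }
                default:
                    // unknown sub-prefix (or legacy DES crypt without $id$): refuse rather than guess
                    return false;
            }
        } catch (IllegalArgumentException malformed) {
            return false; // both libraries throw on a malformed salt/hash
        }
    }

    /** Extracts the "$id$" sub-prefix ("$2a$", "$6$", ...), or "" when there is none. */
    static String subPrefix(String hash) {
        int end = hash.startsWith("$") ? hash.indexOf('$', 1) : -1;
        return end < 0 ? "" : hash.substring(0, end + 1);
    }

    public static void main(String[] args) {
        String pw = "correct horse battery staple"; // constructed sample password
        String bcryptValue = SCHEME + BCrypt.hashpw(pw, BCrypt.gensalt(10));
        String sha512Value = SCHEME + Crypt.crypt(pw, "$6$saltsalt"); // constructed salt
        System.out.println(verify(pw, bcryptValue) + " " + verify("wrong", bcryptValue));
        System.out.println(verify(pw, sha512Value) + " " + verify(pw, "{crypt}$9$nope"));
    }
}
```

Rejecting unknown sub-prefixes outright, instead of falling back to DES crypt, avoids silently accepting a weaker scheme when a new $id$ appears in the directory.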
