On Fri, 11 Mar 2022 17:37:44 GMT, Michael McMahon <micha...@openjdk.org> wrote:
>> Hi, >> >> Could I get the following change reviewed please, which is to disable the >> MD5 message digest algorithm by default in the HTTP Digest authentication >> mechanism? The algorithm can be opted into by setting a new system property >> "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also >> updates the Digest authentication implementation to use some of the more >> secure features defined in RFC7616, such as username hashing and additional >> digest algorithms like SHA256 and SHA512-256. >> >> - Michael > > Michael McMahon has updated the pull request incrementally with one > additional commit since the last revision: > > update after second review round Please remove `src/java.base/share/classes/java/util/.Random.java.swp`. src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java line 430: > 428: algorithm = "MD5"; // The default, accoriding to rfc2069 > 429: } > 430: var oid = > KnownOIDs.findMatch(algorithm.toUpperCase(Locale.ROOT)); No need to call `toUpperCase`. `findMatch` already called that. On the other hand, we don't support the name `SHA-512-256`, and if you translate it to stdName here there is no need to do it again in `computeUserhash`. ------------- PR: https://git.openjdk.java.net/jdk/pull/7688
