
SEC-1659: Ensure that Digester is returning digest(digest(value)...) instead of digesting the same value multiple times.

Make it so that the Digester returns digest(digest(value)...) instead of digesting the same value multiple times. This
aligns with the OWASP recommendations at http://www.owasp.org/index.php/Hashing_Java#Hardening_against_the_attacker.27s_attack
Rob Winch 14 سال پیش
والد
کامیت
2e822e9abe

+ 1 - 1
crypto/src/main/java/org/springframework/security/crypto/util/Digester.java

@@ -48,7 +48,7 @@ public class Digester {
     public byte[] digest(byte[] value) {
         synchronized (messageDigest) {
             for (int i = 0; i < (iterations - 1); i++) {
-                invokeDigest(value);
+                value = invokeDigest(value);
             }
             return messageDigest.digest(value);
         }
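Review bot: The new line reassigns the method parameter `value`, which makes the chaining intent of the loop less obvious than a dedicated local would; consider `byte[] current = value;` before the loop, `current = invokeDigest(current);` in its body, and `return messageDigest.digest(current);` at the end. The chained-digest contract this commit introduces is not documented anywhere in the hunk: a Javadoc on `digest` such as `Returns the digest applied {@code iterations} times, each pass hashing the output of the previous pass.` would pin it for callers who rely on a stable output across versions. This assumes `invokeDigest` returns the digest of its argument and leaves the shared `messageDigest` reset, which is defined outside the hunk; the closing brace of `digest` is also outside the hunk.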

+ 14 - 0
crypto/src/test/java/org/springframework/security/crypto/util/DigesterTests.java

@@ -3,6 +3,9 @@ package org.springframework.security.crypto.util;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 
+import java.security.MessageDigest;
+import java.util.Arrays;
+
 import org.junit.Test;
 
 public class DigesterTests {
@@ -16,4 +19,15 @@ public class DigesterTests {
         assertFalse(new String(result).equals("text"));
     }
 
+    @Test
+    public void multiPassDigest() throws Exception {
+        MessageDigest d = MessageDigest.getInstance("SHA-1","SUN");
+        d.reset();
+        byte[] value = "text".getBytes("UTF-8");
+        byte[] singlePass = d.digest(value);
+        byte[] multiPass = digester.digest(value);
+        assertFalse(Arrays.toString(singlePass) + " should not be equal to "
+                + Arrays.toString(multiPass),
+                Arrays.equals(singlePass, multiPass));
+    }
 }
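Review bot: `multiPassDigest` only asserts that the multi-pass result differs from a single SHA-1 pass, so it cannot distinguish the intended digest(digest(value)) chaining from any other transformation that happens to differ from one pass; computing the expected chained value explicitly would pin the behavior. For example, `byte[] expected = value; for (int i = 0; i < ITERATIONS; i++) expected = d.digest(expected); assertTrue(Arrays.equals(expected, multiPass));`, with `ITERATIONS` matching the iteration count the `digester` fixture is constructed with (that field and its construction are outside the hunk) and `assertTrue` added to the static imports. The `d.reset()` call on a freshly obtained `MessageDigest` is redundant and can be dropped. The pinning of the "SUN" provider in `getInstance("SHA-1","SUN")` also ties the test to a specific JDK provider; `getInstance("SHA-1")` would suffice unless provider identity is the point.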