Rob Winch
a6bded86c2
SEC-1990: Polishing code cleanup on BCrypt
...
- Formatting
- Renamed test to be BCryptTests to better align with Spring Security's naming conventions
2012-07-05 14:12:14 -05:00
Joseph Walton
14a5135ac3
SEC-1990: Clean up jBCrypt and include its tests.
...
Merge in changes from jBCrypt.
- Use a ByteArrayOutputStream to cache bytes.
- Pass a StringBuilder into encode_base64.
- Refactor string comparison into its own method.
- General clean up.
2012-07-05 14:04:39 -05:00
Luke Taylor
3760d792ea
SEC-1890: Add checks for validity of stored bcrypt hash
...
When checking for a match, the BCryptPasswordEncoder validates
the stored hash against a pattern to check that it actually is
a bcrypt value.
2012-02-22 14:36:13 +00:00
Dave Syer
8565116f20
SEC-1472: Add crypto wrappers for BCrypt
2011-11-02 18:10:19 +00:00
Luke Taylor
45d938566c
Some tests for Base64 encoding.
2011-08-12 19:44:27 +01:00
Luke Taylor
89b7b2b935
SEC-1764: Remove use of Java 6 method Arrays.copyOfRange.
2011-06-15 11:22:17 +01:00
Luke Taylor
e27f655e9d
SEC-1689: Re-instate crypto as separate library (for use in non-Spring Security apps), as well as packaging with core.
2011-06-10 00:01:25 +01:00
Luke Taylor
50828cdd43
SEC-1689: Move crypto module code to core for simplicity.
2011-03-10 18:58:47 +00:00
Rob Winch
8c08eeb57b
SEC-1666: Use constant time comparison for sensitive data.
...
Constant time comparison helps to mitigate timing attacks. See the following link for more information
* http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/
* http://en.wikipedia.org/wiki/Timing_attack for more information.
2011-01-31 23:03:51 -06:00
Rob Winch
2e822e9abe
SEC-1659: Ensure that Digester is returning digest(digest(value)...) instead of digesting the same value multiple times.
...
Make it so that the Digester returns digest(digest(value)...) instead of digesting the same value multiple times. This
alligns with the OWASP recommendations at http://www.owasp.org/index.php/Hashing_Java#Hardening_against_the_attacker.27s_attack
2011-01-30 22:30:01 -06:00
Luke Taylor
6b1b012e2c
Added check for maximum AES key size in crypto.gradle to skip tests if limited strength crypto policy files are in place.
2011-01-20 02:13:33 +00:00
Luke Taylor
594f6694bb
Add logging of jdk version to crypto build file
2011-01-20 01:31:30 +00:00
Luke Taylor
d686f64f26
Skip EncryptorsTests when using <JDK 1.6 as AES isn't available
2011-01-19 23:43:13 +00:00
Luke Taylor
162cb64baa
SEC-1659: Label crypto utils package as only for internal use.
2011-01-19 18:19:58 +00:00
Keith Donald
b646e44646
SEC-1659: fixed bundlor step of build
2011-01-19 18:17:03 +00:00
Keith Donald
ea76efdb2c
SEC-1659: favor AES encryption instead of DES as standard symmetric encryption algorithm
2011-01-19 18:17:02 +00:00
Keith Donald
ffa7301e7f
SEC-1569: initial commit of spring-security-crypto module, consisting of encrypt, keygen, password, and util packages
2011-01-19 18:17:02 +00:00