> -----Original Message-----
> From: Phil Steitz [mailto:phil.ste...@gmail.com]
> Sent: Wednesday, March 18, 2015 11:47
> To: Commons Developers List
> Subject: Re: [PROPOSAL] Create new sandbox component "Commons Crypto"
>
> On 3/18/15 5:57 AM, Duncan Jones wrote:
> > Hi everyone,
> >
> > I would like to begin work on a new sandbox component, Commons Crypto,
> > that makes it easier for developers to use crypto from the standard
> > Java libraries. The component would have two goals: 1) To make it
> > harder for users to make typical crypto errors, 2) To make it easier
> > to perform common crypto tasks. Some select examples are below:
> >
> > Typical errors to avoid:
> > - Weak conversion of passwords to keys.
> > - Specifying algorithms that rely on system defaults.
> > - Bad conversions of ciphertext to strings.
> > - Encryption/decryption of strings without charsets.
> >
> > Common tasks that could be easier:
> > - Specifying typical algorithms without figuring out "AES/CBC/PKCS5Padding".
> > - Working with X.509 certificates
> > - Generating keys (particularly using password derivation).
> >
> > The scope of this library would be limited to the most commonly used
> > algorithms, key sizes, etc. The goal is to satisfy 80-90% of potential
> > use cases with a really well documented, compact library. Given that
> > crypto is confusing to many, documentation will be exceptionally
> > verbose.
> >
> > Two existing open-source libraries might spring to mind when
> > considering this proposal: BouncyCastle [1] is a well-known crypto
> > library with a Java implementation. However, this has different goals,
> > namely to implement actual crypto algorithms. Commons Crypto, by
> > contrast, is focussed on working with existing JDK implementations.
> > JASYPT [2] is another library aimed at simplifying use of encryption,
> > yet in my mind it goes too far, focussing only on password-based
> > encryption, with limited control over how that's carried out.
> >
> > If no-one objects, I'll begin work on this component, asking the Infra
> > team to create a new Git repository. Before committing any code, I'll
> > follow the instructions at [3] to ensure this project is compliant
> > with US Export Control Laws.
> >
> > Comments, thoughts and objections very welcome.
> >
> > Kind regards,
> >
> > Duncan
> >
> > [1] https://www.bouncycastle.org/java.html
> > [2] http://www.jasypt.org/
> > [3] http://www.apache.org/dev/crypto.html
>
> +1 to the idea. Fits nicely into Commons, IMO. Also have a look
> and maybe see if collaboration might be possible with Apache Shiro,
> which has a nice embedded, separately packaged crypto lib with sort
> of the same flavor as what you are describing (though probably more
> low-level). And have a look at the already existing, but more
> limited scope (and really just BC wrapper) OpenPGP already in the
> sandbox.

We frequently do the same here, and I would be willing to contribute (CLA on file) some of our code or write new for the effort. Most of our work is with x509 processing.

-Jason

--
Jason Pyeron, Principal Consultant
PD Inc. http://www.pdinc.us
10 West 24th Street #100, Baltimore, Maryland 21218
+1 (443) 269-1555 x333

This message is copyright PD Inc, subject to license 20080407P00.
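
The four "typical errors to avoid" listed in the quoted proposal, each avoided using only JDK classes, as an added example that is not part of this thread or of any Commons code. The class name, the `salt:iv:ciphertext` token layout, the iteration count and the sample strings are assumptions made here; 256-bit AES assumes a JDK without the old limited-strength policy.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class, written for this example only.
public class PasswordCryptoExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ITERATIONS = 600_000; // assumed work factor; tune per deployment

    // Error 1 (weak password-to-key conversion): use a salted KDF, not password.getBytes().
    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword(); // clears the spec's internal copy only
        return new SecretKeySpec(raw, "AES");
    }

    static String encrypt(char[] password, String plaintext) throws Exception {
        byte[] salt = new byte[16], iv = new byte[12];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv); // fresh IV per message
        // Error 2 (system defaults): name mode and padding; Cipher.getInstance("AES")
        // resolves to AES/ECB/PKCS5Padding in the default SunJCE provider.
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        // Error 4 (no charset): encode the string explicitly as UTF-8.
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        // Error 3 (ciphertext to string): Base64, never new String(ct).
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + ":" + b64.encodeToString(iv) + ":" + b64.encodeToString(ct);
    }

    static String decrypt(char[] password, String token) throws Exception {
        String[] parts = token.split(":");
        if (parts.length != 3) throw new IllegalArgumentException("malformed token");
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[0]), iv = b64.decode(parts[1]), ct = b64.decode(parts[2]);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        // doFinal throws AEADBadTagException on a wrong password or a modified token.
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed sample passphrase".toCharArray();
        String token = encrypt(pw, "h\u00e9llo w\u00f6rld"); // constructed non-ASCII sample
        System.out.println(token + "\n" + decrypt(pw, token));
    }
}
```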