arturobernalg commented on code in PR #597: URL: https://github.com/apache/httpcomponents-client/pull/597#discussion_r1826919713
########## httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/DigestScheme.java: ########## @@ -590,4 +618,27 @@ private boolean containsInvalidABNFChars(final String value) { } return false; } + + /** + * Resolves the specified algorithm name to a standard form based on recognized algorithm suffixes. + * <p> + * This method translates session-based algorithms (e.g., "-sess" suffix) to their base forms + * for correct MessageDigest usage. If no algorithm is specified or "MD5-sess" is provided, + * it defaults to "MD5". The method also maps "SHA-512-256" to "SHA-512/256" to align with + * Java's naming for SHA-512/256. + * </p> + * + * @param algorithm the algorithm name to resolve, such as "MD5-sess", "SHA-256-sess", or "SHA-512-256-sess" + * @return the resolved base algorithm name, or the original algorithm name if no mapping applies + */ + private String resolveAlgorithm(final String algorithm) { + if (algorithm == null || algorithm.equalsIgnoreCase("MD5-sess")) { Review Comment: @olegk I’d say yes in principle, but enforcing a fixed set of algorithms would restrict client flexibility. Currently, we support any algorithm, as demonstrated in the `testDigestAuthenticationWithSHA` test, which validates a SHA algorithm. According to RFC 7616, only SHA-256, SHA-512/256, and MD5 are actually supported (with MD5 being discouraged).
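Review bot: In the condition on the last line of the hunk, `algorithm == null` is the only case treated as "no algorithm is specified", so an empty or blank string is not defaulted to "MD5" and, going by the @return text, would be handed back unchanged. Consider treating an empty value the same as null, or state in the Javadoc that only null triggers the default. The @return line also means an unrecognized name passes through as is; since the Javadoc presents this method as the step that prepares the name "for correct MessageDigest usage", it would help to document what the caller should expect for a name that matches none of the listed mappings.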