On Fri, 4 Mar 2022 09:37:21 GMT, Michael McMahon <[email protected]> wrote:
> Hi,
>
> Could I get the following change reviewed please, which is to disable the MD5
> message digest algorithm by default in the HTTP Digest authentication
> mechanism? The algorithm can be opted into by setting a new system property
> "http.auth.digest.reEnabledAlgs" to include the value MD5. The change also
> updates the Digest authentication implementation to use some of the more
> secure features defined in RFC7616, such as username hashing and additional
> digest algorithms like SHA256 and SHA512-256.
>
> - Michael
src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java
line 584:
> 582: boolean truncate256 = false;
> 583:
> 584: if (algorithm.equals("SHA-512-256")) {
It appears that the incoming param `algorithm` can be of any case. In some
other places like the `validateAlgorithm`, this `algorithm` value has been
first converted to an uppercase value and then used for additional checks.
Should a similar upper case conversion be done here before this equality check?
Perhaps, we should convert this to upper case once and then pass it around to
these `validateAlgorithm` and `computeUserhash` methods?
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
