On Mon, 7 Mar 2022 11:01:16 GMT, Michael McMahon <micha...@openjdk.org> wrote:
>> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java
>> line 670:
>>
>>> 668: if (truncate256) {
>>> 669:     assert digest.length >= 32;
>>> 670:     start = digest.length - 32;
>>
>> Does this mean the left half is truncated? My understanding is that the
>> right half should be.
>
> Okay, I'll double check that. I haven't found any server implementations of
> this feature to test with yet,

2nd test of https://datatracker.ietf.org/doc/html/rfc7616#section-3.9 is on this algorithm, but it requires UTF-8 charset support and a way to provide a predefined cnonce. If it's not worth modifying our implementation to create a regression test, I think at least we can temporarily hack our own JDK and try on it.

And I think it's most likely true that this algorithm is using a different initialization vector as Bernd pointed out.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7688
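
The question raised in this message, as an added example that is not part of the original e-mail or of the JDK sources: it compares the left and right 32-byte halves of a plain SHA-512 digest with the JDK's separate `SHA-512/256` MessageDigest, checking each against the published FIPS 180-4 SHA-512/256 test vector for "abc". The class and method names are made up for this example, and `HexFormat` requires JDK 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HexFormat;

// Hypothetical class name; not part of the JDK or of the PR under review.
public class Sha512Slash256Check {
    // Published FIPS 180-4 SHA-512/256 test vector for the message "abc".
    static final String EXPECTED_ABC =
        "53048e2681941ef99b2e29b76b4c7dabe4c2d0c634fc6d46e0e2f13107e7af23";

    static byte[] sha512(byte[] msg) throws Exception {
        return MessageDigest.getInstance("SHA-512").digest(msg);
    }

    // Left (leading) 32 bytes of a plain SHA-512 digest.
    static byte[] leftHalf(byte[] digest) {
        return Arrays.copyOfRange(digest, 0, 32);
    }

    // Right (trailing) 32 bytes: the bytes from offset digest.length - 32,
    // the offset computed on the quoted line 670.
    static byte[] rightHalf(byte[] digest) {
        return Arrays.copyOfRange(digest, digest.length - 32, digest.length);
    }

    // SHA-512/256 as its own algorithm, with its own initial hash values.
    static byte[] sha512Slash256(byte[] msg) throws Exception {
        return MessageDigest.getInstance("SHA-512/256").digest(msg);
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "abc".getBytes(StandardCharsets.UTF_8);
        byte[] full = sha512(msg);
        HexFormat hex = HexFormat.of();
        String[] names = {"SHA-512 left half", "SHA-512 right half", "SHA-512/256"};
        byte[][] values = {leftHalf(full), rightHalf(full), sha512Slash256(msg)};
        for (int i = 0; i < names.length; i++) {
            String h = hex.formatHex(values[i]);
            // Only a candidate equal to the FIPS vector is a real SHA-512/256.
            System.out.printf("%-19s %s matches vector: %b%n",
                names[i], h, h.equals(EXPECTED_ABC));
        }
    }
}
```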