Skip to content

MYFACES-4726 [5.0.x] Use SHA256DRBG as default psuedo-random generator #912

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
volosied wants to merge 4 commits into from
Closed

MYFACES-4726 [5.0.x] Use SHA256DRBG as default psuedo-random generator #912

volosied wants to merge 4 commits into from
+138 −71

Conversation

@volosied
Copy link
Contributor

@volosied volosied commented Jun 24, 2025

@volosied volosied changed the title MYFACES-4726 [5.0.x] MYFACES-4726 [5.0.x] Use SHA256DRBG as default psuedo-random generator Jun 24, 2025
@volosied volosied marked this pull request as draft June 24, 2025 19:16
@volosied
Copy link
Contributor Author

volosied commented Jun 24, 2025

Conflicts...? I'll have to look at them.

@volosied
Use new algorithms as default psuedo-random generator
a17f305 
The new defaults will be "SHA256DRBG","DRBG", "SHA1PRNG".
They are in order of priority. This is backwards compatible
since previous versions only allowed one option.
@volosied
Improvements
6afcba5
volosied
volosied commented Aug 18, 2025
View reviewed changes
impl/src/main/java/org/apache/myfaces/config/webparameters/MyfacesConfig.java
* Sets the random algorithm to initialize the secure random id generator.
* By default is SHA1PRNG
* The default is SHA256DRBG,DRBG,SHA1PRNG (in order of priority).
* The "SHA256DRBG,DRBG, and SHA1PRNG" options were introduced in 4.1.2.
Copy link
Contributor Author

@volosied volosied Aug 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

5.0 isn't released, so I'll keep the 4.1.2 tag here.

@volosied volosied marked this pull request as ready for review August 18, 2025 20:12
@volosied
Copy link
Contributor Author

volosied commented Aug 27, 2025

SHA256DRBG is not available on all JDKs. I don' think it should be the default.

SHA1PRNG is still used by Tomcat, so I think there's no rush to move to something stronger just yet.

Closing this for now, but perhaps we can revisit it.

@volosied volosied closed this Aug 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@melloware melloware Awaiting requested review from melloware

@tandraschko tandraschko Awaiting requested review from tandraschko

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@volosied