
Remove unsafe/deprecated Encryptors.queryableText(CharSequence,CharSequence)

This method is insecure. Users should instead encrypt with their database.

Closes gh-8980
Rob Winch
2022-09-07 13:51:58 -05:00
parent 088ebe2e00
commit d996c2a2c6
4 changed files with 5 additions and 51 deletions
@@ -91,23 +91,6 @@ public final class Encryptors {
return new HexEncodingTextEncryptor(standard(password, salt));
}
/**
* Creates an encryptor for queryable text strings that uses standard password-based
* encryption. Uses a 16-byte all-zero initialization vector so encrypting the same
* data results in the same encryption result. This is done to allow encrypted data to
* be queried against. Encrypted text is hex-encoded.
* @param password the password used to generate the encryptor's secret key; should
* not be shared
* @param salt a hex-encoded, random, site-global salt value to use to generate the
* secret key
* @deprecated This encryptor is not secure. Instead, look to your data store for a
* mechanism to query encrypted data.
*/
@Deprecated
public static TextEncryptor queryableText(CharSequence password, CharSequence salt) {
return new HexEncodingTextEncryptor(new AesBytesEncryptor(password.toString(), salt));
}
/**
* Creates a text encryptor that performs no encryption. Useful for developer testing
* environments where working with plain text strings is desired for simplicity.
@@ -66,17 +66,6 @@ public class EncryptorsTests {
assertThat(result.equals(encryptor.encrypt("text"))).isFalse();
}
@Test
public void queryableText() {
CryptoAssumptions.assumeCBCJCE();
TextEncryptor encryptor = Encryptors.queryableText("password", "5c0744940b5c369b");
String result = encryptor.encrypt("text");
assertThat(result).isNotNull();
assertThat(result.equals("text")).isFalse();
assertThat(encryptor.decrypt(result)).isEqualTo("text");
assertThat(result.equals(encryptor.encrypt("text"))).isTrue();
}
@Test
public void noOpText() {
TextEncryptor encryptor = Encryptors.noOpText();