[OWASP-ESAPI] Several commits to 2.0_quality branch

Kevin W. Wall kevin.w.wall at gmail.com
Fri Aug 14 02:47:34 EDT 2009

OK, just finished maybe 10-12 commits to the 2.0_quality branch
for the Java ESAPI.

The changes fall roughly into 3 categories:
	1) Changes to encoding to use UTF-8 encoding rather than native
	   encoding throughout.
	2) Changes involved in refactoring org.owasp.esapi.ESAPI class
	   to simplify it. Related to this change is the new generic
	   class org.owasp.esapi.util.ObjFactory<T> and related JUnit
	3) Changes in preparation for some new, more general encryption /
	   decryption mechanisms so we can deprecate the use of ECB cipher
	   mode. The main things related to these changes (which are currently
	   just stubbed out) are the new interface CipherText, a new encrypt
	   and decrypt method using CipherText in the Encryptor interface, and
	   a bunch of new properties (and some new comments) in the

I'd like someone to review at least #2 and #3. I've added a few 'CHECKME'
comments throughout.

One should be able to get a general idea of where I'm heading with the
new encryption direction. I will try to write up some examples of how
I anticipate it to be used as well as how it can be made to be backward
compatible with the ESAPI 1.4 release, but you could be able to get
the general flavor by reading through the new comments and properties
in ESAPI.properties, and looking at the 2 new Encryptor signatures
(missing Javadoc, but hopefully self-explanatory):

    CipherText encrypt(byte[] plaintext) throws EncryptionException;
    byte[] decrypt(CipherText ciphertext) throws EncryptionException;

and finally to look at the Javadoc in the new CipherText interface.

But some comments as to whether this list thinks this is on-track
sure would be useful before I dive into the implementation details.

Kevin W. Wall
Question: Are people who appear as wax figures in Madame Tussaud's
          Wax Museum enshrined in tallowed halls?       - me
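
An added example, not part of the original post and not ESAPI code: it shows the property that motivates moving away from ECB mode (equal plaintext blocks encrypt to equal ciphertext blocks) and why a non-ECB result needs more than a bare byte array, since the IV must travel with the ciphertext. `IvAndCiphertext` is a hypothetical stand-in, not ESAPI's `CipherText` interface; the key and sample plaintext are constructed for the demo.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class EcbVersusCbcDemo {
    // Hypothetical holder, NOT ESAPI's CipherText interface: a non-ECB mode
    // produces an IV that has to accompany the raw ciphertext for decryption.
    static final class IvAndCiphertext {
        final byte[] iv, raw;
        IvAndCiphertext(byte[] iv, byte[] raw) { this.iv = iv; this.raw = raw; }
    }

    static byte[] encryptEcb(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    static IvAndCiphertext encryptCbc(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];                 // fresh random IV per message
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return new IvAndCiphertext(iv, c.doFinal(plaintext));
    }

    static byte[] decryptCbc(SecretKey key, IvAndCiphertext ct) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(ct.iv));
        return c.doFinal(ct.raw);
    }
    // True when the first two 16-byte AES blocks of the ciphertext are identical.
    static boolean firstTwoBlocksEqual(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        // Constructed sample: two identical 16-byte blocks, encoded as UTF-8.
        byte[] pt = "ACCOUNT=00001234ACCOUNT=00001234".getBytes(StandardCharsets.UTF_8);
        System.out.println("ECB repeats block: " + firstTwoBlocksEqual(encryptEcb(key, pt)));
        IvAndCiphertext ct = encryptCbc(key, pt);
        System.out.println("CBC repeats block: " + firstTwoBlocksEqual(ct.raw));
        System.out.println("CBC round trip ok: " + Arrays.equals(pt, decryptCbc(key, ct)));
    }
}
```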
