1.9.3 ===== - Fixed #44: Using Standard PBE Encryptors for BigDecimal or BigInteger causes unnecessary exception on VMs with large amounts of freespace - Fixed #32: encryption works but decryption does not, Java 8 (JCE jars installed). Added support for initialization vectors needed for AES encryption and decryption since Java 8. 1.9.2 ===== - Replaced Arrays.equals() call in StandardByteDigester with a time-constant function in order to enhance protection against timing attacks in unintended scenarios where parts of jasypt are used for matching message-authentication hashes. Note: password matching and general hash matching scenarios using jasypt were NOT affected by vulnerabilities to timing attacks. - Modified how the EncryptableProperties objects deal with serialization, so that now they only make use of the singleton encryptor registry when they are actually serialized (if they are). This allows the removal of the "finalize()" method in this objects, which was causing trouble in some specific Java VM setups. - Created new interface org.jasypt.salt.FixedSaltGenerator and two new implementations for it, org.jasypt.salt.StringFixedSaltGenerator and org.jasypt.salt.ByteArrayFixedSaltGenerator, deprecating old equivalents "FixedStringSaltGenerator" and "FixedByteArraySaltGenerator". This new interface allows applying important performance optimizations to encryption operations when using fixed salt. - Modified UTF-8 normalization infrastructure in order to make code compile in Java 1.4. - Updated testing-scope dependencies. 1.9.1 ===== - Fixed insufficient entropy in RandomSaltGenerator due to seeding mechanism. - Fixed CLI scripts for Windows and CYGWIN environments. 1.9.0 ===== - Divided old "jasypt" artifact into several modules: * jasypt (core) * jasypt-hibernate3 * jasypt-hibernate4 * jasypt-spring2 * jasypt-spring3 * jasypt-acegisecurity * jasypt-springsecurity2 * jasypt-springsecurity3 * jasypt-wicket13 * jasypt-wicket15 - Fixed error in CLI .bat files resulting in bad processing of CLI commands which involved passwords containing exclamation mark symbols. - Fixed bug in PooledPBEStringEncryptor which caused first encryptor in pool not use hexadecimal output type. - Added implementation of Hashtable's "get(Object)" method to org.jasypt.properties.EncryptableProperties, so that this method now performs decryption instead of it only being performed at "getProperty(key)". 1.8 === - Small bugfixing for large BigInteger number decryption. - Modified in-memory storage of PBE passwords to avoid having Strings in memory that contain the password being used. Now PBE passwords are stored as char[] objects that are zeroed as soon as they are used. New "setPasswordCharArray(char[] password)" methods allow users to specify passwords as char[] also, so that there is no need to create String passwords. - Modified the order in which Normalizer implementations are used: now icu4j is used if it is in the classpath (even if Java >= 6 is being used). If icu4j is not present, java.text.Normalizer is used (if Java >= 6). - Fixed CLI scripts: *.jar in "find" command was matching jar files in the current folder instead of those in the lib folder. Fixed by surrounding "*.jar" by simple inverted commas. - Added to EncryptablePropertyPlaceholderConfigurer the ability to decrypt system properties. 1.7.1 ===== - Fixed EncryptableServletContextPropertyPlaceholderConfigurer 1.7 === - Fixed Hibernate 3.6 compatibility. - Removed dependencies on commons-lang and commons-codec. Jasypt can now operate without depedencies on JDK version >= 6. - Added pool-based implementations of Standard digesters and PBE encryptors to improve performance in multiprocessor systems. - Created "lite" .jar package including only standard String and Byte digest and encryption: no BigDecimal or BigInteger encryption, no "util" package, no Spring/Hibernate/Wicket integrations, no Web PBE configuration, no CLI utils, no properties encryption, no Zero salt generator. - Added class org.jasypt.registry.AlgorithmRegistry with utility methods for obtaining the names of all the available digest/PBE algorithms. - Added "prefix" and "suffix" configuration parameters to String digesters, in order to add a prefix and/or suffix to all digest results (and also expect these prefixes or suffixes when matching existing digests). - Added method "getInvertPositionOfSaltInMessageBeforeDigesting()" to DigesterConfig and "setInvertPositionOfSaltInMessageBeforeDigesting(...)" to StandardByteDigester and StandardStringDigester in order to being able to append the salt after the message before digesting instead of the default behaviour (insert it before the message). This is useful for enhancing compatibility with some common LDAP password encryption schemes like {SSHA}. - Added method "getInvertPositionOfPlainSaltInEncryptionResults()" to DigesterConfig and "setInvertPositionOfPlainSaltInEncryptionResults(...)" to StandardByteDigester and StandardStringDigester in order to being able to append the plain (unhashed) salt after the digest instead of the default behaviour (insert it before the digest). This is useful for enhancing compatibility with some common LDAP password encryption schemes like {SSHA}. - Added method "getUseLenientSaltSizeCheck()" to DigesterConfig and "setUseLenientSaltSizeCheck(...)" to StandardByteDigester and StandardStringDigester in order to allow digesters to check digests created with any size of salt (not equal to the value set for the "saltSizeBytes" property). - Added an "org.jasypt.util.password.rfc2307" package containing utility classes for password encryption operations according to common LDAP schemes like {MD5}, {SHA}, {SMD5} and {SSHA}. - Rebuilt CLI scripts: now both Windows and Linux versions can be run from outside the "bin" folder. New configuration parameters added. - Added "listAlgorithms" CLI command that lists all digest and PBE algorithms present in the Java Virtual Machine. - Rebuilt zip distribution package: remove unneeded "cli-bundle" and added icu4j to libs. - Added org.jasypt.spring.properties.EncryptableServletContextPropertyPlaceholderConfigurer as a sublass of org.springframework.web.context.support.ServletContextPropertyPlaceholderConfigurer, for transparent decryption of servlet context parameters (like the ones in web.xml). - Added org.jasypt.spring.properties.EncryptablePreferencesPlaceholderConfigurer as a subclass of org.springframework.beans.factory.config.PreferencesPlaceholderConfigurer, for transparent decryption of preferences set with JDK 1.4's Preferences API. - Added Spring Security 3 -compatible TokenBasedRememberMeServices implementation using a Jasypt StandardStringDigester for digesting the data signature. 1.6 === - Modified Class.forName calls to use current thread's context classloader. - Fixed JavaDoc for Spring Security -related classes. - Added missing registerPBE*Encryptor methods in HibernatePBEEncryptorRegistry - Added compatibility with Spring Framework 3.0.x and Spring Security 3.0.x - Tested compatibility with Apache Wicket 1.4.x and Hibernate 3.2.x 1.5 === - Dependency on ICU4j made optional in Java 6 environments. - Created new versions of old ACEGI's PasswordEncoder and PBEPasswordEncoder for Spring Security 2.x in package org.jasypt.spring.security2. - Random number generation algorithm can now be specified in RandomSaltGenerator. - Fixed bug in .sh files in the bin folder. $@ did not work with inputs that contained spaces and had to be substituted by "$@". 1.4.1 ======= - Fixed bug in EncryptedPasswordC3P0ConnectionProvider which made decryption of datasource configuration not to work properly. 1.4 ======= - Added methods to Simple* and Environment* config classes for both Digesters and PBEEncryptors to allow them to be configured entirely with Strings. - Added to org.jasypt.encryption.pbe.StandardPBEByteEncryptor a workaround for Sun JCE's bug 4953555 (http://bugs.sun.com/view_bug.do?bug_id=4953555) - Added org.jasypt.properties.EncryptableProperties as a java.util.Properties which allows transparent decryption of encrypted property values. - Moved org.jasypt.hibernate.ParameterNaming to org.jasypt.hibernate.type.ParameterNaming. - Added org.jasypt.hibernate.connectionprovider.EncryptedPasswordDriverManagerConnectionProvider and org.jasypt.hibernate.connectionprovider.EncryptedPasswordC3P0ConnectionProvider for allowing encrypted datasource parameters in hibernate.cfg.xml files. - Added org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer and org.jasypt.spring.properties.EncryptablePropertyOverrideConfigurer to allow use of encrypted .properties files from within Spring applications in a transparent manner. - Package org.jasypt.springsecurity renamed as org.jasypt.spring.security, and deprecated classes in the old package (will be removed in 1.5). - Added org.jasypt.salt.ZeroSaltGenerator for creating salts filled with "zero" bytes. - Added org.jasypt.intf.service.JasyptStatelessService for supporting CLI operation and development of stateless services (like web services) for Jasypt. - Added org.jasypt.intf.cli.JasyptStringDigestCLI, org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI and org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI to allow the execution of digest, encryption and decryption commands from the command line, useful for knowing which value to write in an encrypted .properties file. - Created new zip distribution containing convenience .sh and .bat files for executing CLI tools. 1.3.1 ======= - Solved configuration bug in "StandardPBEByteEncryptor.initialize()" for algorithms coming from *Config objects. 1.3 ======= - DigesterConfig and PBEConfig are not Serializable anymore. - Added provider and providerName properties to DigesterConfig and SimpleDigesterConfig classes. - Added providerClassName, providerName and saltGeneratorClassName configuration at EnvironmentDigesterConfig. - StandardByteDigester, StandardStringDigester, Digester, and ConfigurablePasswordEncryptor can now specify the JCE security provider (java.security.Provider implementation) which will be asked for the digest algorithm. - Added provider and providerName properties to PBEConfig and SimplePBEConfig classes. - Added providerClassName, providerName and saltGeneratorClassName configuration at EnvironmentPBEConfig. - StandardPBEByteEncryptor, StandardPBEStringEncryptor, StandardPBEBigIntegerEncryptor and StandardPBEBigDecimalEncryptor can now specify the JCE security provider (java.security.Provider implementation) which will be asked for the digest algorithm. - Created new StringDigesterConfig configuration interface for digesters, which extends DigesterConfig and adds parameters "unicodeNormalizationIgnored" and "stringOutputType". Also created new implementations SimpleStringDigesterConfig and EnvironmentStringDigesterConfig. - Added Unicode Normalization step to StandardStringDigester, and also capabilities to return hexadecimal-encoded digest Strings instead of only BASE64 ones. - Created new StringPBEConfig configuration interface for encryptors, which extends PBEConfig and adds parameter "stringOutputType". Also created new implementations SimpleStringPBEConfig and EnvironmentStringPBEConfig. - Added capabilities to return hexadecimal-endoded Strings to StandardPBEStringEncryptor. - Added capabilities to return hexadecimal-endoded Strings to ConfigurablePasswordEncryptor. - Added to HibernatePBEStringEncryptor the possibility to set the providerName, provider and stringOutputType parameters. - Added providerName and stringOutputType parameters to all the String-related Hibernate types. - Added package org.jasypt.web.pbeconfig for configuration of PBE encryption keys from webapps. Includes servlet, filter and contextlistener. - Added WebPBEConfig and WebStringPBEConfig for configuration through the new web PBE config infrastructure. 1.2 ======= - Merged jasypt-hibernate and jasypt-spring-security into main jasypt trunk. - Package org.jasypt.util refactored. - Created PasswordEncryptor and TextEncryptor interfaces, to unify both basic- and strong-encryption implementations. NOTE: the old org.jasypt.util classes have been DEPRECATED, and will be removed in jasypt 1.3. - Added org.jasypt.util.password.ConfigurablePasswordEncryptor for a more configurable way of using the "easy" password encryptor. - Added binary utils (org.jasypt.util.binary) for easy encryption of binaries. - Added numeric encryption functionalities: new StandardPBEBigIntegerEncryptor and StandardPBEBigDecimalEncryptor in the org.jasypt.encryption.pbe package - Added new org.jasypt.util.numeric package with easy utils for numeric encryption. - Refactored org.jasypt.hibernate classes into new "encryptor" and "type" subpackages. - Added HibernatePBEEncryptorRegistry support for BigInteger, BigDecimal and Byte encryptors - Added Hibernate type for encryption of binaries (byte[]) into SQL BLOBs - Added Hibernate type for encryption of BigIntegers into SQL NUMERICs. - Added Hibernate type for encryption of BigDecimals into SQL NUMERICs. - Added Hibernate type for encryption of Bytes into SQL VARCHARs. - Added Hibernate type for encryption of Shorts into SQL VARCHARs. - Added Hibernate type for encryption of Integers into SQL VARCHARs. - Added Hibernate type for encryption of Longs into SQL VARCHARs. - Added Hibernate type for encryption of Floats into SQL VARCHARs. - Added Hibernate type for encryption of Doubles into SQL VARCHARs. - Added Hibernate type for encryption of Booleans into SQL VARCHARs. - Added Hibernate type for encryption of Dates into SQL VARCHARs. - Added Hibernate type for encryption of Calendars into SQL VARCHARs. - Added creation of standard encryptor in Hibernate encryptor objects so that setEncryptor() method becomes optional and hibernate encryptors can be directly configured via setPassword, setAlgorithm, etc. - Refactored org.jasypt.springsecurity package: created new PasswordEncoder for use with both org.jasypt.util.password.PasswordEncryptor or org.jasypt.digest.StringDigester implementations. - Created new org.jasypt.springsecurity.PBEPasswordEncoder for using org.jasypt.util.text.TextEncryptor or org.jasypt.pbe.encryptor.PBEStringEncryptor from ACEGI Security. - Created new salt generation infrastructure, making different implementations of salt generation possible (including fixed salt). 1.1 ======= - Added the ACEGI (Spring Security) integration add-on (org.jasypt.springsecurity) - Added org.jasypt.util.StrongPasswordEncryptor as a util class for easy password encryption using a stronger algorithm. - Added org.jasypt.util.MessageDigester as a util class for creating simple binary message digests. - Added org.jasypt.digest.config.EnvironmentDigesterConfig and org.jasypt.encryption.pbe.config.EnvironmentPBEConfig for configuration of encryptors and digesters using environment variables and system properties. - Objects of class org.jasypt.util.PasswordEncryptor now initialize their internal StandardStringDigester at instance creation. - Made org.jasypt.digest.config.DigesterConfig and org.jasypt.encryption.pbe.config.PBEConfig extend java.io.Serializable 1.0 ======= - First release of jasypt