1.9.3
=====
- Fixed #44: Using Standard PBE Encryptors for BigDecimal or BigInteger causes unnecessary exception
on VMs with large amounts of freespace
- Fixed #32: encryption works but decryption does not, Java 8 (JCE jars installed).
Added support for initialization vectors needed for AES encryption and decryption since Java 8.
1.9.2
=====
- Replaced Arrays.equals() call in StandardByteDigester with a time-constant function in order
to enhance protection against timing attacks in unintended scenarios where parts of jasypt are
used for matching message-authentication hashes. Note: password matching and general
hash matching scenarios using jasypt were NOT affected by vulnerabilities to timing attacks.
- Modified how the EncryptableProperties objects deal with serialization, so that now they only
make use of the singleton encryptor registry when they are actually serialized (if they are).
This allows the removal of the "finalize()" method in these objects, which was causing trouble in
some specific Java VM setups.
- Created new interface org.jasypt.salt.FixedSaltGenerator and two new implementations for it,
org.jasypt.salt.StringFixedSaltGenerator and org.jasypt.salt.ByteArrayFixedSaltGenerator,
deprecating old equivalents "FixedStringSaltGenerator" and "FixedByteArraySaltGenerator". This
new interface allows applying important performance optimizations to encryption operations when
using fixed salt.
- Modified UTF-8 normalization infrastructure in order to make code compile in Java 1.4.
- Updated testing-scope dependencies.
1.9.1
=====
- Fixed insufficient entropy in RandomSaltGenerator due to seeding mechanism.
- Fixed CLI scripts for Windows and CYGWIN environments.
1.9.0
=====
- Divided old "jasypt" artifact into several modules:
* jasypt (core)
* jasypt-hibernate3
* jasypt-hibernate4
* jasypt-spring2
* jasypt-spring3
* jasypt-acegisecurity
* jasypt-springsecurity2
* jasypt-springsecurity3
* jasypt-wicket13
* jasypt-wicket15
- Fixed error in CLI .bat files resulting in bad processing of CLI commands
which involved passwords containing exclamation mark symbols.
- Fixed bug in PooledPBEStringEncryptor which caused the first encryptor in the pool not
to use the hexadecimal output type.
- Added implementation of Hashtable's "get(Object)" method to
org.jasypt.properties.EncryptableProperties, so that this method now performs
decryption instead of it only being performed at "getProperty(key)".
1.8
===
- Small bugfixing for large BigInteger number decryption.
- Modified in-memory storage of PBE passwords to avoid having Strings in memory that contain
the password being used. Now PBE passwords are stored as char[] objects that are zeroed as
soon as they are used. New "setPasswordCharArray(char[] password)" methods allow users to
specify passwords as char[] also, so that there is no need to create String passwords.
- Modified the order in which Normalizer implementations are used: now icu4j is used if it is
in the classpath (even if Java >= 6 is being used). If icu4j is not present, java.text.Normalizer
is used (if Java >= 6).
- Fixed CLI scripts: *.jar in "find" command was matching jar files in the current folder
instead of those in the lib folder. Fixed by enclosing "*.jar" in single quotes.
- Added to EncryptablePropertyPlaceholderConfigurer the ability to decrypt system properties.
1.7.1
=====
- Fixed EncryptableServletContextPropertyPlaceholderConfigurer
1.7
===
- Fixed Hibernate 3.6 compatibility.
- Removed dependencies on commons-lang and commons-codec. Jasypt can now operate
without dependencies on JDK version >= 6.
- Added pool-based implementations of Standard digesters and PBE encryptors to improve
performance in multiprocessor systems.
- Created "lite" .jar package including only standard String and Byte digest and
encryption: no BigDecimal or BigInteger encryption, no "util" package,
no Spring/Hibernate/Wicket integrations, no Web PBE configuration, no CLI utils,
no properties encryption, no Zero salt generator.
- Added class org.jasypt.registry.AlgorithmRegistry with utility methods for
obtaining the names of all the available digest/PBE algorithms.
- Added "prefix" and "suffix" configuration parameters to String digesters, in order
to add a prefix and/or suffix to all digest results (and also expect these prefixes or
suffixes when matching existing digests).
- Added method "getInvertPositionOfSaltInMessageBeforeDigesting()" to DigesterConfig
and "setInvertPositionOfSaltInMessageBeforeDigesting(...)" to StandardByteDigester
and StandardStringDigester in order to be able to append the salt after the message
before digesting instead of the default behaviour (insert it before the message).
This is useful for enhancing compatibility with some common LDAP password encryption
schemes like {SSHA}.
- Added method "getInvertPositionOfPlainSaltInEncryptionResults()" to DigesterConfig
and "setInvertPositionOfPlainSaltInEncryptionResults(...)" to StandardByteDigester
and StandardStringDigester in order to be able to append the plain (unhashed)
salt after the digest instead of the default behaviour (insert it before the digest).
This is useful for enhancing compatibility with some common LDAP password encryption
schemes like {SSHA}.
- Added method "getUseLenientSaltSizeCheck()" to DigesterConfig and
"setUseLenientSaltSizeCheck(...)" to StandardByteDigester
and StandardStringDigester in order to allow digesters to check digests created
with any size of salt (not equal to the value set for the "saltSizeBytes" property).
- Added an "org.jasypt.util.password.rfc2307" package containing utility classes for
password encryption operations according to common LDAP schemes like {MD5},
{SHA}, {SMD5} and {SSHA}.
- Rebuilt CLI scripts: now both Windows and Linux versions can be run from outside
the "bin" folder. New configuration parameters added.
- Added "listAlgorithms" CLI command that lists all digest and PBE algorithms
present in the Java Virtual Machine.
- Rebuilt zip distribution package: remove unneeded "cli-bundle" and added icu4j
to libs.
- Added org.jasypt.spring.properties.EncryptableServletContextPropertyPlaceholderConfigurer
as a subclass of org.springframework.web.context.support.ServletContextPropertyPlaceholderConfigurer,
for transparent decryption of servlet context parameters (like the ones in web.xml).
- Added org.jasypt.spring.properties.EncryptablePreferencesPlaceholderConfigurer
as a subclass of org.springframework.beans.factory.config.PreferencesPlaceholderConfigurer,
for transparent decryption of preferences set with JDK 1.4's Preferences API.
- Added Spring Security 3-compatible TokenBasedRememberMeServices implementation
using a Jasypt StandardStringDigester for digesting the data signature.
1.6
===
- Modified Class.forName calls to use current thread's context classloader.
- Fixed JavaDoc for Spring Security-related classes.
- Added missing registerPBE*Encryptor methods in HibernatePBEEncryptorRegistry
- Added compatibility with Spring Framework 3.0.x and Spring Security 3.0.x
- Tested compatibility with Apache Wicket 1.4.x and Hibernate 3.2.x
1.5
===
- Dependency on ICU4j made optional in Java 6 environments.
- Created new versions of old ACEGI's PasswordEncoder and PBEPasswordEncoder
for Spring Security 2.x in package org.jasypt.spring.security2.
- Random number generation algorithm can now be specified in RandomSaltGenerator.
- Fixed bug in .sh files in the bin folder. $@ did not work with inputs that
contained spaces and had to be substituted by "$@".
1.4.1
=======
- Fixed bug in EncryptedPasswordC3P0ConnectionProvider which prevented decryption
of datasource configuration from working properly.
1.4
=======
- Added methods to Simple* and Environment* config classes for both Digesters
and PBEEncryptors to allow them to be configured entirely with Strings.
- Added to org.jasypt.encryption.pbe.StandardPBEByteEncryptor a workaround
for Sun JCE's bug 4953555 (http://bugs.sun.com/view_bug.do?bug_id=4953555)
- Added org.jasypt.properties.EncryptableProperties as a java.util.Properties
which allows transparent decryption of encrypted property values.
- Moved org.jasypt.hibernate.ParameterNaming to
org.jasypt.hibernate.type.ParameterNaming.
- Added org.jasypt.hibernate.connectionprovider.EncryptedPasswordDriverManagerConnectionProvider
and org.jasypt.hibernate.connectionprovider.EncryptedPasswordC3P0ConnectionProvider
for allowing encrypted datasource parameters in hibernate.cfg.xml
files.
- Added org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer
and org.jasypt.spring.properties.EncryptablePropertyOverrideConfigurer
to allow use of encrypted .properties files from within Spring applications
in a transparent manner.
- Package org.jasypt.springsecurity renamed as org.jasypt.spring.security, and
deprecated classes in the old package (will be removed in 1.5).
- Added org.jasypt.salt.ZeroSaltGenerator for creating salts filled with
"zero" bytes.
- Added org.jasypt.intf.service.JasyptStatelessService for supporting CLI
operation and development of stateless services (like web services) for
Jasypt.
- Added org.jasypt.intf.cli.JasyptStringDigestCLI,
org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI and
org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI to allow the execution of
digest, encryption and decryption commands from the command line, useful
for knowing which value to write in an encrypted .properties file.
- Created new zip distribution containing convenience .sh and .bat files for
executing CLI tools.
1.3.1
=======
- Solved configuration bug in "StandardPBEByteEncryptor.initialize()" for
algorithms coming from *Config objects.
1.3
=======
- DigesterConfig and PBEConfig are not Serializable anymore.
- Added provider and providerName properties to DigesterConfig and
SimpleDigesterConfig classes.
- Added providerClassName, providerName and saltGeneratorClassName
configuration at EnvironmentDigesterConfig.
- StandardByteDigester, StandardStringDigester, Digester,
and ConfigurablePasswordEncryptor can now specify the JCE security provider
(java.security.Provider implementation) which will be asked
for the digest algorithm.
- Added provider and providerName properties to PBEConfig and
SimplePBEConfig classes.
- Added providerClassName, providerName and saltGeneratorClassName
configuration at EnvironmentPBEConfig.
- StandardPBEByteEncryptor, StandardPBEStringEncryptor,
StandardPBEBigIntegerEncryptor and StandardPBEBigDecimalEncryptor can now
specify the JCE security provider (java.security.Provider
implementation) which will be asked for the digest algorithm.
- Created new StringDigesterConfig configuration interface for digesters,
which extends DigesterConfig and adds parameters "unicodeNormalizationIgnored"
and "stringOutputType". Also created new implementations
SimpleStringDigesterConfig and EnvironmentStringDigesterConfig.
- Added Unicode Normalization step to StandardStringDigester, and also
capabilities to return hexadecimal-encoded digest Strings instead of only
BASE64 ones.
- Created new StringPBEConfig configuration interface for encryptors,
which extends PBEConfig and adds parameter "stringOutputType". Also
created new implementations SimpleStringPBEConfig and
EnvironmentStringPBEConfig.
- Added capabilities to return hexadecimal-encoded Strings to
StandardPBEStringEncryptor.
- Added capabilities to return hexadecimal-encoded Strings to
ConfigurablePasswordEncryptor.
- Added to HibernatePBEStringEncryptor the possibility to set the providerName,
provider and stringOutputType parameters.
- Added providerName and stringOutputType parameters to all the String-related
Hibernate types.
- Added package org.jasypt.web.pbeconfig for configuration of PBE encryption
keys from webapps. Includes servlet, filter and contextlistener.
- Added WebPBEConfig and WebStringPBEConfig for configuration through the new
web PBE config infrastructure.
1.2
=======
- Merged jasypt-hibernate and jasypt-spring-security into main jasypt trunk.
- Package org.jasypt.util refactored.
- Created PasswordEncryptor and TextEncryptor interfaces,
to unify both basic- and strong-encryption implementations.
NOTE: the old org.jasypt.util classes have been DEPRECATED, and will be
removed in jasypt 1.3.
- Added org.jasypt.util.password.ConfigurablePasswordEncryptor for a more
configurable way of using the "easy" password encryptor.
- Added binary utils (org.jasypt.util.binary) for easy encryption of binaries.
- Added numeric encryption functionalities: new
StandardPBEBigIntegerEncryptor and StandardPBEBigDecimalEncryptor in the
org.jasypt.encryption.pbe package
- Added new org.jasypt.util.numeric package with easy utils for numeric
encryption.
- Refactored org.jasypt.hibernate classes into new "encryptor" and "type"
subpackages.
- Added HibernatePBEEncryptorRegistry support for BigInteger, BigDecimal and
Byte encryptors
- Added Hibernate type for encryption of binaries (byte[]) into SQL BLOBs
- Added Hibernate type for encryption of BigIntegers into SQL NUMERICs.
- Added Hibernate type for encryption of BigDecimals into SQL NUMERICs.
- Added Hibernate type for encryption of Bytes into SQL VARCHARs.
- Added Hibernate type for encryption of Shorts into SQL VARCHARs.
- Added Hibernate type for encryption of Integers into SQL VARCHARs.
- Added Hibernate type for encryption of Longs into SQL VARCHARs.
- Added Hibernate type for encryption of Floats into SQL VARCHARs.
- Added Hibernate type for encryption of Doubles into SQL VARCHARs.
- Added Hibernate type for encryption of Booleans into SQL VARCHARs.
- Added Hibernate type for encryption of Dates into SQL VARCHARs.
- Added Hibernate type for encryption of Calendars into SQL VARCHARs.
- Added creation of standard encryptor in Hibernate encryptor objects
so that setEncryptor() method becomes optional and hibernate encryptors
can be directly configured via setPassword, setAlgorithm, etc.
- Refactored org.jasypt.springsecurity package: created new PasswordEncoder
for use with both org.jasypt.util.password.PasswordEncryptor
or org.jasypt.digest.StringDigester implementations.
- Created new org.jasypt.springsecurity.PBEPasswordEncoder for using
org.jasypt.util.text.TextEncryptor or
org.jasypt.pbe.encryptor.PBEStringEncryptor from ACEGI Security.
- Created new salt generation infrastructure, making different implementations
of salt generation possible (including fixed salt).
1.1
=======
- Added the ACEGI (Spring Security) integration add-on
(org.jasypt.springsecurity)
- Added org.jasypt.util.StrongPasswordEncryptor as a util class for
easy password encryption using a stronger algorithm.
- Added org.jasypt.util.MessageDigester as a util class for
creating simple binary message digests.
- Added org.jasypt.digest.config.EnvironmentDigesterConfig and
org.jasypt.encryption.pbe.config.EnvironmentPBEConfig for configuration
of encryptors and digesters using environment variables and system properties.
- Objects of class org.jasypt.util.PasswordEncryptor now initialize their
internal StandardStringDigester at instance creation.
- Made org.jasypt.digest.config.DigesterConfig and
org.jasypt.encryption.pbe.config.PBEConfig extend java.io.Serializable
1.0
=======
- First release of jasypt