Change ESAPI crypto to support hex-encoding of crypto keys

[meg23]

From [email protected] on August 23, 2012 12:52:19

Currently (in ESAPI 2.0.1 and earlier), the Encryptor.MasterKey and Encryptor.MasterSalt are both generated and stored in bas64-encoded format.

Hex-encoding is more conventional for crypto related items (keys, IVs, etc.).

This is a new feature request to:

1. Generate new Encryptor.MasterKey and Encryptor.MasterSalt via hex-encoding.
2. To support both hex-encoding and base64-encoding in reading properties Encryptor.MasterKey and Encryptor.MasterSalt from an existing ESAPI.properties file. (We need to continue to support base64-encoding for backward compatibility reasons.)

Besides being more conventional, advantage of hex format is that it is trivial to trim (say) a 256-bit key to turn it into a 128-bit.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=284

[kwwall]

The strategy here should be for new versions of ESAPI to always create the Encryptor.MasterKey and Encryptor.MasterSalt as hex-encoded values and when it comes to decoding, first try hex-decoding and only try base64 decoding if the hex decoding fails.