
SEC-1764: Ensure password encoders use UTF-8 charset when creating strings from byte arrays.

Luke Taylor 14 жил өмнө
parent
commit
70ca0d1a39

+ 4 - 4
core/src/main/java/org/springframework/security/authentication/encoding/LdapShaPasswordEncoder.java

@@ -16,12 +16,12 @@
 package org.springframework.security.authentication.encoding;
 
 
-import java.io.UnsupportedEncodingException;
-import java.security.MessageDigest;
-
 import org.springframework.security.core.codec.Base64;
+import org.springframework.security.core.codec.Utf8;
 import org.springframework.util.Assert;
 
+import java.io.UnsupportedEncodingException;
+import java.security.MessageDigest;
 
 /**
  * A version of {@link ShaPasswordEncoder} which supports Ldap SHA and SSHA (salted-SHA) encodings. The values are
@@ -101,7 +101,7 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
             prefix = forceLowerCasePrefix ? SSHA_PREFIX_LC : SSHA_PREFIX;
         }
 
-        return prefix + new String(Base64.encode(hash));
+        return prefix + Utf8.decode(Base64.encode(hash));
     }
 
     private byte[] extractSalt(String encPass) {
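Review bot: Moving the `java.io` and `java.security` imports below the `org.springframework` ones in the first hunk is unrelated to the charset change and accounts for most of this file's diff; keeping the original import order, or doing the reorder in a separate commit, would leave a diff that shows only the security-relevant line. The same reordering appears in the Md4PasswordEncoder and MessageDigestPasswordEncoder sections. The change to `return prefix + Utf8.decode(Base64.encode(hash));` itself reads correctly, and the method it belongs to starts outside the hunk, so whether `UnsupportedEncodingException` is still thrown or caught anywhere in the file cannot be confirmed from these lines.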

+ 4 - 3
core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java

@@ -14,10 +14,11 @@
  */
 package org.springframework.security.authentication.encoding;
 
-import java.io.UnsupportedEncodingException;
-
 import org.springframework.security.core.codec.Base64;
 import org.springframework.security.core.codec.Hex;
+import org.springframework.security.core.codec.Utf8;
+
+import java.io.UnsupportedEncodingException;
 
 /**
  * MD4 implementation of PasswordEncoder.
@@ -60,7 +61,7 @@ public class Md4PasswordEncoder extends BaseDigestPasswordEncoder {
         byte[] resBuf = md4.digest();
 
         if (getEncodeHashAsBase64()) {
-            return new String(Base64.encode(resBuf));
+            return Utf8.decode(Base64.encode(resBuf));
         } else {
             return new String(Hex.encode(resBuf));
         }
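Review bot: The Hex branch two lines below the changed line, `return new String(Hex.encode(resBuf));`, still converts the byte array through the platform default charset, so the fix this commit applies to the Base64 branch is only half applied in this method; for the stated goal of SEC-1764 it should read `return Utf8.decode(Hex.encode(resBuf));`. The same pattern is left in the MessageDigestPasswordEncoder hunk at `return new String(Hex.encode(digest));`. Hex output is ASCII, so in practice this only differs on a JVM whose default charset is not ASCII-compatible, but leaving one branch unchanged invites the next reader to assume it was deliberate. The enclosing method starts outside the hunk, so whether the retained `java.io.UnsupportedEncodingException` import still has a use after this change cannot be confirmed from here.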

+ 6 - 5
core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java

@@ -1,13 +1,14 @@
 package org.springframework.security.authentication.encoding;
 
-import java.io.UnsupportedEncodingException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-
 import org.springframework.security.core.codec.Base64;
 import org.springframework.security.core.codec.Hex;
+import org.springframework.security.core.codec.Utf8;
 import org.springframework.util.Assert;
 
+import java.io.UnsupportedEncodingException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
 /**
  * Base for digest password encoders.
  * <p>
@@ -92,7 +93,7 @@ public class MessageDigestPasswordEncoder extends BaseDigestPasswordEncoder {
         }
 
         if (getEncodeHashAsBase64()) {
-            return new String(Base64.encode(digest));
+            return Utf8.decode(Base64.encode(digest));
         } else {
             return new String(Hex.encode(digest));
         }