
SEC-728: Change use of String.getBytes() in password encoders to use UTF-8

Luke Taylor 17 жил өмнө
parent
commit
b98c72056a

+ 13 - 1
core/src/main/java/org/springframework/security/providers/encoding/Md4PasswordEncoder.java

@@ -14,6 +14,8 @@
  */
 package org.springframework.security.providers.encoding;
 
+import java.io.UnsupportedEncodingException;
+
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
 
@@ -43,8 +45,18 @@ public class Md4PasswordEncoder extends BaseDigestPasswordEncoder {
 	 */
 	public String encodePassword(String rawPass, Object salt) {
 		String saltedPass = mergePasswordAndSalt(rawPass, salt, false);
+		
+		byte[] passBytes;
+
+		try {
+			passBytes = saltedPass.getBytes("UTF-8");
+		} catch (UnsupportedEncodingException e) {
+			throw new IllegalStateException("UTF-8 not supported!", e);
+		}
+		
 		Md4 md4 = new Md4();
-		md4.update(saltedPass.getBytes(), 0, saltedPass.length());
+		md4.update(passBytes, 0, saltedPass.length());
+		
 		byte[] resBuf = md4.digest();
 
 		if (getEncodeHashAsBase64()) {
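Review bot: The `md4.update(passBytes, 0, saltedPass.length())` line passes the character count of the string as the byte length, but after the switch to an explicit UTF-8 encoding the array can be longer than the string whenever the password or salt contains non-ASCII characters, so the digest would silently cover only a prefix of the input. The length argument should come from the array itself: `md4.update(passBytes, 0, passBytes.length);`. As written, two passwords differing only in bytes past that prefix could collide, and hashes for non-ASCII passwords would not match an encoder that hashes the full byte array. The body of `encodePassword` continues past the end of this hunk.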

+ 8 - 1
core/src/main/java/org/springframework/security/providers/encoding/MessageDigestPasswordEncoder.java

@@ -3,6 +3,7 @@ package org.springframework.security.providers.encoding;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
 
+import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 
@@ -72,7 +73,13 @@ public class MessageDigestPasswordEncoder extends BaseDigestPasswordEncoder {
 
         MessageDigest messageDigest = getMessageDigest();
 
-        byte[] digest = messageDigest.digest(saltedPass.getBytes());
+        byte[] digest;
+		
+        try {
+			digest = messageDigest.digest(saltedPass.getBytes("UTF-8"));
+		} catch (UnsupportedEncodingException e) {
+			throw new IllegalStateException("UTF-8 not supported!");
+		}
 
         if (getEncodeHashAsBase64()) {
             return new String(Base64.encodeBase64(digest));
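Review bot: The catch block throws `new IllegalStateException("UTF-8 not supported!")` without the original exception, unlike the equivalent catch blocks added to the other two encoders in this commit, so the cause is lost from the stack trace; change it to `throw new IllegalStateException("UTF-8 not supported!", e);`. The added lines also use tab indentation while the surrounding file uses four-space indentation, which is worth normalising before merge. The enclosing `encodePassword` method starts and ends outside this hunk.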

+ 5 - 3
core/src/main/java/org/springframework/security/providers/ldap/authenticator/LdapShaPasswordEncoder.java

@@ -22,6 +22,7 @@ import org.apache.commons.codec.binary.Base64;
 
 import org.springframework.util.Assert;
 
+import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 
 
@@ -82,11 +83,12 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
 
         try {
             sha = MessageDigest.getInstance("SHA");
+            sha.update(rawPass.getBytes("UTF-8"));
         } catch (java.security.NoSuchAlgorithmException e) {
             throw new IllegalStateException("No SHA implementation available!", e);
-        }
-
-        sha.update(rawPass.getBytes());
+		} catch (UnsupportedEncodingException ue) {
+			throw new IllegalStateException("UTF-8 not supported!", ue);
+		}
 
         if (salt != null) {
             Assert.isInstanceOf(byte[].class, salt, "Salt value must be a byte array");
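Review bot: The two new `catch (UnsupportedEncodingException ue)` lines are indented with tabs while the rest of this method and the adjacent `catch (java.security.NoSuchAlgorithmException e)` block use four spaces, so the closing braces no longer line up with the `try`; reindenting them with spaces keeps the file consistent. Moving `sha.update(rawPass.getBytes("UTF-8"))` into the same `try` is fine since it only needs the digest instance, but a brief comment such as `// encode explicitly so the hash does not depend on the platform default charset` would record why the change was made. The enclosing method continues outside this hunk.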