Made in the European Union · Independently built · Released under EUPL 1.2
v00.71.00 — Delivered

✅ Delivered. The credential-security stack ships on Maven Central as part of the 00.72.00 release line (the latest published version). Phases 1a–5 are complete (35 of 36 prompts, all GPG-signed). Usage: Credential Hardening, Compliance & CWE Coverage.

Theme

00.70.00 closed the integration layer (multi-tenancy, persistence, policy, method security, account lifecycle). v00.71.00 goes deep on one thing: credentials. It replaces the experimental boolean PasswordHasher with a full, standards-aligned credential-security stack — pluggable hashing, peppering, lifecycle, reset, abuse detection and breached-password checks — built against OWASP ASVS V2, NIST SP 800-63B and 40 CWE weakness classes.

The full as-designed feature tour lives in Credential Hardening; the standards mapping is in Compliance & CWE Coverage; the draft change list is in the 00.71.00 release notes.

What it delivers

  • Pluggable hashing — JDK-only PBKDF2 core (OWASP-2023 floor) plus an opt-in security-crypto-bc module adding Argon2id / bcrypt / scrypt (BouncyCastle lightweight API, no global JCA mutation).
  • Self-describing envelope $pwh$v=1$… carrying algorithm, provider, policy version and pepper key — enabling crypto-agility and rehash-on-verify.
  • Post-KDF HMAC pepper with multi-key rotation, held separately from the hash database.
  • Sealed verification results — no boolean branching; unknown-user timing flattened via verifyAgainstNothing(...).
  • SecretValue (AutoCloseable) + Unicode-aware input hygiene.
  • CredentialStore with compare-and-swap, an 8-state lifecycle, atomic password change (mandatory re-auth), single-use selector/verifier reset.
  • Abuse detection — multi-dimensional sliding window (username / client-address / tenant / global), stuffing / spraying / reset detectors, context-aware password validation, optional history.
  • Breached-password check via the CompromisedPasswordChecker SPI, with an opt-in security-credentials-hibp module (Have I Been Pwned via k-anonymity; plaintext never leaves the JVM).
  • Operations — FIPS profile, SBOM / PKCS#11 HSM docs, emergency playbooks + EmergencyPolicyOverride + MassCredentialStatusChange.
  • Compliance — ASVS V2 / NIST SP 800-63B / CWE traceability matrix.
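To make the envelope, post-KDF pepper and rehash-on-verify items above concrete, here is an added illustration written for this page; it is not the library's code, its `$demo$...` envelope layout is invented for the example (the real `$pwh$v=1$...` layout is not reproduced), and it assumes the pepper keys are loaded from somewhere outside the hash database and that Java 16+ is available.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.*;
import java.util.*;

// Illustration only (not the library's code): PBKDF2-HMAC-SHA256, then an HMAC pepper whose key id is stored so keys can rotate.
public final class PepperedPbkdf2Demo {
    private static final int ITERATIONS = 600_000;  // OWASP 2023 floor for PBKDF2-HMAC-SHA256
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, byte[]> pepperKeys;   // assumed: held outside the hash DB (KMS / env), keyed by key id
    private final String currentKeyId;

    PepperedPbkdf2Demo(Map<String, byte[]> keys, String current) { pepperKeys = keys; currentKeyId = current; }
    // Hypothetical envelope: $demo$v=1$pepper=<keyId>$iter=<n>$<salt-b64>$<tag-b64>
    String hash(char[] password) throws Exception {
        byte[] salt = new byte[16]; RNG.nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder().withoutPadding();
        byte[] tag = pepper(currentKeyId, kdf(password, salt, ITERATIONS));
        return "$demo$v=1$pepper=" + currentKeyId + "$iter=" + ITERATIONS + "$"
                + b64.encodeToString(salt) + "$" + b64.encodeToString(tag);
    }

    // matches: password correct; needsRehash: correct, but stored under an old pepper key or work factor
    record Result(boolean matches, boolean needsRehash) {}
    Result verify(char[] password, String stored) throws Exception {
        String[] p = stored.split("\\$");              // leading '$' yields an empty p[0]
        if (p.length != 7 || !"demo".equals(p[1]) || !"v=1".equals(p[2])) return new Result(false, false);
        String keyId = p[3].substring("pepper=".length());
        int iter = Integer.parseInt(p[4].substring("iter=".length()));
        if (!pepperKeys.containsKey(keyId)) return new Result(false, false); // retired key: cannot verify, force a reset
        byte[] salt = Base64.getDecoder().decode(p[5]);
        byte[] expected = Base64.getDecoder().decode(p[6]);
        byte[] actual = pepper(keyId, kdf(password, salt, iter));
        boolean ok = MessageDigest.isEqual(expected, actual); // constant-time comparison
        boolean stale = !keyId.equals(currentKeyId) || iter < ITERATIONS;
        return new Result(ok, ok && stale);            // caller rehashes with hash(...) when needsRehash is true
    }

    private static byte[] kdf(char[] pw, byte[] salt, int iter) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iter, 256); // PBEKeySpec copies pw; wipe that copy after use
        try { return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(); }
        finally { spec.clearPassword(); }
    }

    private byte[] pepper(String keyId, byte[] kdfOutput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(pepperKeys.get(keyId), "HmacSHA256"));
        return mac.doFinal(kdfOutput);                  // post-KDF pepper: HMAC over the PBKDF2 output
    }
}
```

A record whose pepper key id is absent from the key map cannot be verified at all, which is why retiring a key must be preceded by a rehash sweep (or a forced reset) rather than by simply dropping the key.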

New modules

Module                     Opt-in   Third-party deps
security-crypto-bc         yes      org.bouncycastle:bcprov-jdk18on:1.78.1
security-credentials-hibp  yes      none (JDK HttpClient)

security-core stays JDK-only.

Status

  • Phases 1a–5 complete on develop (35 of 36 prompts).
  • Prompt 036 (optional foreign-hash import for brownfield adoption) is deliberately deferred.
  • Two new modules ship at a first-PIT coverage profile; uplift is tracked for V00.72.

Source

Konzept-V00.71.00.md in the project repository is the canonical design document.