Remove references to old 1.4 crypto stuff and indicate that fixed IVs is deprecated and will disappear next release (2.3).

Also added warning comments at the beginning to discourage use of test version of ESAPI.properties file.

Author: kwwall

src/test/resources/esapi/ESAPI.properties

@@ -1,5 +1,33 @@
 #
 # OWASP Enterprise Security API (ESAPI) Properties file -- TEST Version
+#############################################################################
+#
+#   #######                                 #     #
+#      #     ######   ####    #####         #     #  ######  #####    ####
+#      #     #       #          #           #     #  #       #    #  #
+#      #     #####    ####      #           #     #  #####   #    #   ####
+#      #     #            #     #            #   #   #       #####        #
+#      #     #       #    #     #             # #    #       #   #   #    #
+#      #     ######   ####      #              #     ######  #    #   ####
+#   
+#   This is NOT the version of ESAPI.properties that you are looking for.
+#
+#   That is over in the 'configuration/esapi/ESAPI.properties' file. You
+#   should retrieve THAT version from the official GitHub report from
+#       https://github.com/ESAPI/esapi-java-legacy/blob/develop/configuration/esapi/ESAPI.properties
+#   but make sure that you select it from the 'master' branch (which will
+#   correspond to the latest official ESAPI relase). Sorry for the
+#   inconvenience. We are trying to figure out how to get it to the official
+#   "esapi-<releaseVersion>-sources.jar fiel available from Maven Central, but
+#   in the meantime, you will have to get it from GitHub.
+#
+#   PLEASE do not base your production use of ESAPI on this TEST version of
+#   ESAPI.properties as this test version has been dummed down in several places
+#   for JUnit testing.
+#
+#   You have been warned.
+#
+#############################################################################
 # 
 # This file is part of the Open Web Application Security Project (OWASP)
 # Enterprise Security API (ESAPI) project. For details, please see
@@ -32,14 +60,6 @@
 # file-based implementations, that some files may need to be read-write as they
 # get updated dynamically.
 #
-# Before using, be sure to update the MasterKey and MasterSalt as described below.
-# N.B.: If you had stored data that you have previously encrypted with ESAPI 1.4,
-#		you *must* FIRST decrypt it using ESAPI 1.4 and then (if so desired)
-#		re-encrypt it with ESAPI 2.0. If you fail to do this, you will NOT be
-#		able to decrypt your data with ESAPI 2.0.
-#
-#		YOU HAVE BEEN WARNED!!! More details are in the ESAPI 2.0 Release Notes.
-#
 #===========================================================================
 # ESAPI Configuration
 #
@@ -134,21 +154,6 @@ Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
 # unlimited strength policy files and install in the lib directory of your JRE/JDK.
 # See http://java.sun.com/javase/downloads/index.jsp for more information.
 #
-# Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API
-# methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever
-# possible, these methods should be avoided as they use ECB cipher mode, which in almost
-# all circumstances a poor choice because of it's weakness. CBC cipher mode is the default
-# for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0.  In general, you
-# should only use this compatibility setting if you have persistent data encrypted with
-# version 1.4 and even then, you should ONLY set this compatibility mode UNTIL
-# you have decrypted all of your old encrypted data and then re-encrypted it with
-# ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode
-# with the new 2.0 methods, make sure that you use the same cipher algorithm for both
-# (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for
-# more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods
-# where you can specify a SecretKey. (Note that if you are using the 256-bit AES,
-# that requires downloading the special jurisdiction policy files mentioned above.)
-#
 #		***** IMPORTANT: These are for JUnit testing. Test files may have been
 #						 encrypted using these values so do not change these or
 #						 those tests will fail. The version under
@@ -252,10 +257,9 @@ Encryptor.cipher_modes.additional_allowed=CBC,ECB
 # cipher transformation, otherwise this will be ignored after logging a
 # warning.
 #
-# NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing!
 Encryptor.EncryptionKeyLength=128
 
-# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV).
+# Because 2.x uses CBC mode by default, it requires an initialization vector (IV).
 # (All cipher modes except ECB require an IV.) There are two choices: we can either
 # use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
 # the IV does not need to be hidden from adversaries, it is important that the
@@ -266,17 +270,25 @@ Encryptor.EncryptionKeyLength=128
 # IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
 # uncomment the Encryptor.fixedIV.
 #
-# Valid values:		random|fixed|specified		'specified' not yet implemented; planned for 2.1
+# Valid values:		random|fixed|specified		'specified' not yet implemented; planned for 2.3
+#                                               'fixed' is deprecated as of 2.2
+#                                               and will be removed in 2.3.
 Encryptor.ChooseIVMethod=random
+
+
 # If you choose to use a fixed IV, then you must place a fixed IV here that
 # is known to all others who are sharing your secret key. The format should
 # be a hex string that is the same length as the cipher block size for the
-# cipher algorithm that you are using. The following is an example for AES
+# cipher algorithm that you are using. The following is an *example* for AES
 # from an AES test vector for AES-128/CBC as described in:
 # NIST Special Publication 800-38A (2001 Edition)
 # "Recommendation for Block Cipher Modes of Operation".
 # (Note that the block size for AES is 16 bytes == 128 bits.)
 #
+#   @Deprecated -- fixed IVs are deprecated as of the 2.2 release and support
+#                  will be removed in the next release (tentatively, 2.3).
+#                  If you MUST use this, at least replace this IV with one
+#                  that your legacy application was using.
 Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f
 
 # Whether or not CipherText should use a message authentication code (MAC) with it.