This is for the current trunk, for code added after 8.0.14 release. Tomcat 8.0.14 is OK. The recently added DigestCredentialHandlerBase.matchSaltIterationsEncoded() does the following: byte[] salt = HexUtils.fromHexString(hexSalt); As I mentioned in "Re: r1627000" thread on dev@, the formHexString method does not check correctness of its arguments. It shall check that a) The string length is a multiple of 2. b) All characters are valid hex digits. The current code will produce bogus results is the above conditions are not true. The DigestCredentialHandlerBase class already has facility for reporting invalid stored credentials, as controlled by its logInvalidStoredCredentials field.
This has been fixed in 8.0.x for 8.0.15 onwards.