[JENKINS-58734] Use SHA-256 for crumbs (#4134)

* [JENKINS-58734] Use SHA-256 for crumbs
Signed-off-by: NMatt Sicker <boards@gmail.com>

* Use SHA-256 more consistently
Signed-off-by: NMatt Sicker <boards@gmail.com>

core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java

@@ -49,14 +49,8 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
 
     @DataBoundConstructor
     public DefaultCrumbIssuer(boolean excludeClientIPFromCrumb) {
-        try {
-            this.md = MessageDigest.getInstance("MD5");
-            this.excludeClientIPFromCrumb = excludeClientIPFromCrumb;
-        } catch (NoSuchAlgorithmException e) {
-            this.md = null;
-            this.excludeClientIPFromCrumb = false;
-            LOGGER.log(Level.SEVERE, "Can't find MD5", e);
-        }
+        this.excludeClientIPFromCrumb = excludeClientIPFromCrumb;
+        initializeMessageDigest();
     }
 
     public boolean isExcludeClientIPFromCrumb() {
@@ -64,14 +58,17 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
     }
     
     private Object readResolve() {
+        initializeMessageDigest();
+        return this;
+    }
+
+    private void initializeMessageDigest() {
         try {
-            this.md = MessageDigest.getInstance("MD5");
+            md = MessageDigest.getInstance("SHA-256");
         } catch (NoSuchAlgorithmException e) {
-            this.md = null;
-            LOGGER.log(Level.SEVERE, "Can't find MD5", e);
+            md = null;
+            LOGGER.log(Level.SEVERE, e, () -> "Cannot find SHA-256 MessageDigest implementation.");
         }
-        
-        return this;
     }
     
     /**