ant-dev mailing list archives

From Christian Geuer-Pollmann <maill...@nue.et-inf.uni-siegen.de>
Subject Cryptographic Hash function from ant
Date Wed, 10 Apr 2002 10:46:03 GMT
Hi all,

I don't know whether this is the right place, but I wanted to ask whether 
it's interesting to include an additional ant task for cryptographic 
message digests:

In the Apache xml-security project, I had the problem that I have to
download a JAR containing cryptographic software from a 3rd party site
because of US export regulations. To make sure that my users get the right
JAR (that it has not been modified in any way), I wanted to include
cryptographic message digests in the build.

This is done using the two classes HexDump.java and Md5Task.java from [1].
HexDump allows for converting hex strings into byte[]s and vice versa,
Md5Task allows creating MD5 and SHA1 digests. The usage is quite simple.
I added a taskdef for my new target

<taskdef name="md5" classname="ant.Md5Task"/>

and then I tell which Md5 or SHA1 hash value a given file must have:

<target name="check-bc"
        depends="get-jce"
        description="This target checks that the digest
                     values of the JCE library are valid">

    <!-- http://www.bouncycastle.org/checksums.html -->
    <md5 Md5="eeb940217876bcd83a55d799ee5db7ca"
         Sha1="106e97a5ad7a57aa2cbc48074db80225d3c0972a"
         file="${lib.jce}" />
</target>

If the check fails (if the integrity of the file is corrupted by a 
transport problem, a version problem or an attacker), the build is aborted:

check-bc:
      [md5] Warning!!!
      [md5] The SHA1 hash value of ./libs/bc-jce-jdk13-112.jar is corrupted:
      [md5]    was           4A CC 52 C2 4A 41 79 A6 63 07 FB E4 3C EB E1 39 0D 96 C2 B8
      [md5]    but should be 10 6E 97 A5 AD 7A 57 AA 2C BC 48 07 4D B8 02 25 D3 C0 97 2A
      [md5]
      [md5] The MD5 hash value of ./libs/bc-jce-jdk13-112.jar is corrupted:
      [md5]    was           85 02 FC AF 26 1D 2C E9 87 E5 FF ED 2F 81 34 CB
      [md5]    but should be EE B9 40 21 78 76 BC D8 3A 55 D7 99 EE 5D B7 CA
      [md5]

BUILD FAILED

Otherwise, it'll simply pass:

check-bc:
      [md5] The hash values of ./libs/bc-jce-jdk13-112.jar are OK


Regards,
Christian

BTW, it could be a nice feature to deploy signed build.xml files so that it 
can be verified whether the build.xml is OK, too.

[1] http://cvs.apache.org/viewcvs.cgi/xml-security/src/ant/
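
The check described in the message above, sketched as a standalone Java program. This is an added example, not the HexDump/Md5Task code from the xml-security repository: the class name `DigestCheck`, its method names and the temporary sample file are assumptions, and the expected digests in `main` are the standard MD5 and SHA-1 test vectors for the string "abc".

```java
import java.nio.file.*;
import java.security.MessageDigest;

public class DigestCheck {  // hypothetical name; added example, not the xml-security Md5Task
    // Hex string -> bytes; rejects odd lengths and non-hex characters.
    static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("not hex: " + hex);
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
    // Bytes -> "10 6E 97 ..." in the style of the task output quoted in the message.
    static String toHex(byte[] data) {
        StringBuilder sb = new StringBuilder();
        for (byte b : data) sb.append(String.format("%02X ", b));
        return sb.toString().trim();
    }
    // Streams the file through the digest so a large JAR is never held in memory.
    static byte[] digest(String algorithm, Path file) throws Exception {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        try (java.io.InputStream in = Files.newInputStream(file)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
        }
        return md.digest();
    }
    // Returns true only if both digests match; reports every mismatch before returning.
    static boolean check(Path file, String md5Hex, String sha1Hex) throws Exception {
        boolean ok = true;
        for (String[] e : new String[][] {{"MD5", md5Hex}, {"SHA-1", sha1Hex}}) {
            byte[] was = digest(e[0], file), want = fromHex(e[1]);
            if (MessageDigest.isEqual(was, want)) continue;
            ok = false;
            System.err.println("The " + e[0] + " hash value of " + file + " is corrupted:\n"
                + "   was           " + toHex(was) + "\n   but should be " + toHex(want));
        }
        return ok;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp file holding "abc", checked against its known digests.
        Path f = Files.write(Files.createTempFile("sample", ".jar"), "abc".getBytes("US-ASCII"));
        boolean ok = check(f, "900150983cd24fb0d6963f7d28e17f72", "a9993e364706816aba3e25717850c26c9cd0d89d");
        System.out.println(ok ? "The hash values of " + f + " are OK" : "BUILD FAILED");
        System.exit(ok ? 0 : 1);
    }
}
```

Changing either expected string in `main` makes `check` print the was / but should be pair for that algorithm and the program exit with status 1, which is the point where a build script would abort.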
