harmony-dev mailing list archives

From "Jimmy, Jing Lv" <firep...@gmail.com>
Subject Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest
Date Wed, 13 Sep 2006 03:57:28 GMT
Richard Liang wrote:
> After two days of struggling with JarFile, ObjectInputStream and
> MessageDigest, in the end, I have identified the root cause. And now I
> have two panda-eyes[1] ;-)
> 
> It seems to be a bug in
> org.apache.harmony.security.provider.crypto.SHA1Impl. As I have no
> idea about SHA1, could anyone have a look at this problem?
> 
> The following test case passes on RI, but fails on Harmony.
> 
>    public void testUpdate() throws NoSuchAlgorithmException {
>        byte[] bytes = { 0x6e, 0x61, 0x6d, 0x65};
>        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
>        byte[] digest1 = sha1.digest();
>        byte b = 0x04;
>        sha1.update(b);
> 
>        for (int i = 0; i < bytes.length; i++) {
>            sha1.update(bytes[i]);
>        }
>        byte[] digest2 = sha1.digest();
> 
>        sha1.reset();
>        byte[] digest3 = sha1.digest();
>        assertTrue(MessageDigest.isEqual(digest1, digest3));
> 
>        sha1.update(b);
>        sha1.update(bytes, 0, bytes.length);
>        byte[] digest4 = sha1.digest();
> 
>        assertTrue(MessageDigest.isEqual(digest2, digest4));
>    }
> 
> [1]http://www.panda.org.cn/zhuye/bbe.jpg
> 

Poor Richard! Looking for a needle in a bottle of hay, right? ;)

On a closer study of SHA1Impl, I find these lines (line 194) may be wrong:

for ( ; ( i <= toByte ) && ( byteIndex < 4 ) ; i++ ) { // *NOTE* it uses "<=" here
      intArray[wordIndex] |=
            ( byteInput[i] & 0xFF ) << ((3 - byteIndex)<<3) ;
      byteIndex++;
}
if ( byteIndex == 4 ) {
      wordIndex++;
      if ( wordIndex == 16 ) {
           computeHash(intArray);
           wordIndex = 0;
      }
}
if ( i >= toByte ) {       // *NOTE* it uses ">=" here
      return ;
}

Though I don't know SHA1 well, I guess it must be ">" in the line of the
second *NOTE*.

This bug happens when byteIndex==1, fromByte==0 and toByte==3 (that is, 
the number of input bytes is 4). The first loop puts 3 bytes into the array, 
leaving the last byte for the next step. But at that time i==toByte, so the 
last byte is omitted, which is probably a mistake.

Changing it to "if (i > toByte)" will solve the problem. I've run all 
tests, including Richard's test, and they all pass. It'll be better 
if someone who knows SHA1 checks it.

If no objection, we can create a patch.

> Best regards,
> Richard
> 
> On 9/11/06, Richard Liang <richard.liangyx@gmail.com> wrote:
>> On 9/9/06, Geir Magnusson Jr. <geir@pobox.com> wrote:
>> > I was trying the latest snapshot with the JBoss installer (4.0.1) and
>> > found a problem processing the SHA signatures in the jar manifest.
>> >
>> > I've entered a JIRA - HARMONY-1412
>> >
>>
>> I will have a look at it. ;-)
>>
>> > geir
>> >
>> > ---------------------------------------------------------------------
>> > Terms of use : http://incubator.apache.org/harmony/mailing.html
>> > To unsubscribe, e-mail: harmony-dev-unsubscribe@incubator.apache.org
>> > For additional commands, e-mail: harmony-dev-help@incubator.apache.org
>> >
>> >
>>
>>
>> -- 
>> Richard Liang
>> China Software Development Lab, IBM
>>
> 
> 


-- 

Best Regards!

Jimmy, Jing Lv
China Software Development Lab, IBM
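
The failure discussed in this message (a bulk update arriving while the digest's 4-byte word buffer is partly filled) can be checked at every split point rather than only the 1+4 case in Richard's test. The following is an added example, not code from the thread or from Harmony; the class and method names are made up for illustration, and the sample bytes are constructed.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class Sha1UpdateBoundaryCheck {

    // Digest computed by feeding every byte through update(byte).
    static byte[] byteAtATime(byte[] data) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA1");
        for (byte b : data) {
            md.update(b);
        }
        return md.digest();
    }

    // Digest computed with `prefix` single-byte updates (leaving the internal
    // word buffer partly filled) followed by one bulk update for the rest.
    static byte[] prefixThenBulk(byte[] data, int prefix) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA1");
        for (int i = 0; i < prefix; i++) {
            md.update(data[i]);
        }
        md.update(data, prefix, data.length - prefix);
        return md.digest();
    }

    // Returns the number of (length, prefix) combinations whose digests differ.
    static int countMismatches(int maxLen) throws NoSuchAlgorithmException {
        int mismatches = 0;
        for (int len = 0; len <= maxLen; len++) {
            byte[] data = new byte[len];
            for (int i = 0; i < len; i++) {
                data[i] = (byte) (i * 31 + 7);   // constructed sample bytes
            }
            byte[] expected = byteAtATime(data);
            for (int prefix = 0; prefix <= len; prefix++) {
                if (!MessageDigest.isEqual(expected, prefixThenBulk(data, prefix))) {
                    System.out.println("mismatch: len=" + len + " prefix=" + prefix);
                    mismatches++;
                }
            }
        }
        return mismatches;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        int bad = countMismatches(130);   // spans two 64-byte SHA-1 blocks
        System.out.println(bad == 0 ? "all splits agree" : bad + " splits disagree");
        if (bad != 0) System.exit(1);
    }
}
```

The len=5, prefix=1 combination is the case from Richard's test; any line printed as a mismatch names a split where the two update paths hash different input.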
