harmony-dev mailing list archives

From "Andrew Zhang" <zhanghuang...@gmail.com>
Subject Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest
Date Wed, 13 Sep 2006 03:47:24 GMT
On 9/13/06, Richard Liang <richard.liangyx@gmail.com> wrote:

> After two days of struggling with JarFile, ObjectInputStream and
> MessageDigest, in the end, I have identified the root cause. And now I
> have two panda-eyes[1] ;-)


Interesting!



> It seems to be a bug in
> org.apache.harmony.security.provider.crypto.SHA1Impl. As I have no
> idea about SHA1, could anyone have a look at this problem?
>
> The following test case passes on RI, but fails on Harmony.
>
>    public void testUpdate() throws NoSuchAlgorithmException {
>        byte[] bytes = { 0x6e, 0x61, 0x6d, 0x65};
>        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
>        byte[] digest1 = sha1.digest();
>        byte b = 0x04;
>        sha1.update(b);
>
>        for (int i = 0; i < bytes.length; i++) {
>            sha1.update(bytes[i]);
>        }
>        byte[] digest2 = sha1.digest();
>
>        sha1.reset();
>        byte[] digest3 = sha1.digest();
>        assertTrue(MessageDigest.isEqual(digest1, digest3));
>
>        sha1.update(b);
>        sha1.update(bytes, 0, bytes.length);
>        byte[] digest4 = sha1.digest();
>
>        assertTrue(MessageDigest.isEqual(digest2, digest4));
>    }


Interesting bug too!

I'm not clear about the sha1 algorithm, but I wonder whether the following code causes
the bug:

            for ( ; ( i <= toByte ) && ( byteIndex < 4 ) ; i++ ) {
                // andrew comment: The break condition is either 1. byteIndex == 4 or 2. i > toByte
                intArray[wordIndex] |= ( byteInput[i] & 0xFF ) << ((3 - byteIndex)<<3) ;
                byteIndex++;
            }
            if ( byteIndex == 4 ) { // andrew comment: break condition 1
                wordIndex++;
                if ( wordIndex == 16 ) {          // intArray is full, computing hash

                    computeHash(intArray);
                    wordIndex = 0;
                }
            }
            if ( i >= toByte ) {                 // all input bytes appended
                // andrew comment: is it break condition 2? or it should be (i > toByte) ?
                // p.s: all tests could pass if using i > toByte.
                return ;
            }

Of course, I could be totally wrong. Let the security guys fix the problem. I
don't want to have panda eyes like Richard too. :-)



> [1]http://www.panda.org.cn/zhuye/bbe.jpg
>
> Best regards,
> Richard
>
> On 9/11/06, Richard Liang <richard.liangyx@gmail.com> wrote:
> > On 9/9/06, Geir Magnusson Jr. <geir@pobox.com> wrote:
> > > I was trying the latest snapshot with the JBoss installer (4.0.1) and
> > > found a problem processing the SHA signatures in the jar manifest.
> > >
> > > I've entered a JIRA - HARMONY-1412
> > >
> >
> > I will have a look at it. ;-)
> >
> > > geir
> > >
> > > ---------------------------------------------------------------------
> > > Terms of use : http://incubator.apache.org/harmony/mailing.html
> > > To unsubscribe, e-mail: harmony-dev-unsubscribe@incubator.apache.org
> > > For additional commands, e-mail: harmony-dev-help@incubator.apache.org
> > >
> > >
> >
> >
> > --
> > Richard Liang
> > China Software Development Lab, IBM
> >
>
>
> --
> Richard Liang
> China Development Lab, IBM
>
>
>


-- 
Andrew Zhang
China Software Development Lab, IBM
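
The check in the quoted test case, generalized as an added example (not code from this thread or from Harmony): it feeds the same bytes to a MessageDigest with every possible split between single-byte update(byte) calls and one update(byte[], int, int) call, over lengths that cross the 4-byte word and 64-byte block boundaries, and reports each split whose digest differs from the one-shot digest. The class name DigestChunkingCheck, the 130-byte length and the sample bytes are assumptions.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Added example: chunking-invariance check for a MessageDigest provider.
public class DigestChunkingCheck {

    // Digest data[0..len) by feeding the first `split` bytes one at a time
    // (update(byte)) and the remainder in one update(byte[], int, int) call.
    static byte[] mixed(MessageDigest md, byte[] data, int len, int split) {
        md.reset();
        for (int i = 0; i < split; i++) {
            md.update(data[i]);
        }
        md.update(data, split, len - split);
        return md.digest();
    }

    // Number of (len, split) pairs whose digest differs from the one-shot digest.
    static int countMismatches(String algorithm, int maxLen) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] data = new byte[maxLen];
        for (int i = 0; i < maxLen; i++) {
            data[i] = (byte) (i * 31 + 7);   // constructed, deterministic sample input
        }
        int mismatches = 0;
        for (int len = 0; len <= maxLen; len++) {
            md.reset();
            byte[] expected = md.digest(Arrays.copyOf(data, len)); // one-shot reference
            for (int split = 0; split <= len; split++) {
                byte[] actual = mixed(md, data, len, split);
                if (!MessageDigest.isEqual(expected, actual)) {
                    mismatches++;
                    System.out.println("mismatch: len=" + len + " split=" + split);
                }
            }
        }
        return mismatches;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // 130 bytes spans two full 64-byte blocks plus a partial one.
        int bad = countMismatches("SHA1", 130);
        System.out.println(bad == 0 ? "all chunkings agree" : bad + " chunkings disagree");
    }
}
```

The 5-byte input from the quoted test case corresponds to len=5, split=1 here. The reference digest comes from the same provider, so this detects inconsistency between update paths; comparing against known SHA-1 test vectors is a separate check.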
