harmony-dev mailing list archives

From "Yuri Kropachev" <yurikropac...@gmail.com>
Subject Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest
Date Wed, 13 Sep 2006 10:31:50 GMT
Colleagues, thanks a lot for identifying the bug!!!

The fix you propose is correct.



Thanks,

Yuri


> Nice work all. You guys are amazing. Definitely create that patch and

> attach to the initial JIRA.

> geir

> Jimmy, Jing Lv wrote:

>> Richard Liang wrote:

>>> After two-day struggling with JarFile, ObjectInputStream and

>>> MessageDigest, in the end, I have identified the root cause. And now I

>>> have two panda-eyes[1] ;-)

>>>

>>> It seems a bug of

>>> org.apache.harmony.security.provider.crypto.SHA1Impl. As I have no

>>> idea about SHA1. Could any one have a look at this problem?

>>>

>>> The following test case passes on RI, but fails on Harmony.

>>>

>>> public void testUpdate() throws NoSuchAlgorithmException {
>>>     byte[] bytes = { 0x6e, 0x61, 0x6d, 0x65};
>>>     MessageDigest sha1 = MessageDigest.getInstance("SHA1");
>>>     byte[] digest1 = sha1.digest();
>>>     byte b = 0x04;
>>>     sha1.update(b);
>>>
>>>     for (int i = 0; i < bytes.length; i++) {
>>>         sha1.update(bytes[i]);
>>>     }
>>>     byte[] digest2 = sha1.digest();
>>>
>>>     sha1.reset();
>>>     byte[] digest3 = sha1.digest();
>>>     assertTrue(MessageDigest.isEqual(digest1, digest3));
>>>
>>>     sha1.update(b);
>>>     sha1.update(bytes, 0, bytes.length);
>>>     byte[] digest4 = sha1.digest();
>>>
>>>     assertTrue(MessageDigest.isEqual(digest2, digest4));
>>> }

>>>

>>> [1]http://www.panda.org.cn/zhuye/bbe.jpg

>>>

>>

>> Poor Richard! Looking for a needle in a bottle of hay, right? ;)

>>

>> On a closer study of SHA1Impl, I find these lines (line 194) may be wrong:

>> for ( ; ( i <= toByte ) && ( byteIndex < 4 ) ; i++ ) { // *NOTE* it uses "<=" here
>>     intArray[wordIndex] |=
>>         ( byteInput[i] & 0xFF ) << ((3 - byteIndex)<<3) ;
>>     byteIndex++;
>> }
>> if ( byteIndex == 4 ) {
>>     wordIndex++;
>>     if ( wordIndex == 16 ) {
>>         computeHash(intArray);
>>         wordIndex = 0;
>>     }
>> }
>> if ( i >= toByte ) { // *NOTE* it uses ">=" here
>>     return ;
>> }

>> Though I don't know SHA1 well, I guess it must be ">" in the line of

>> second *NOTE*.

>>

>> This bug happens when byteIndex==1, and fromByte==0, toByte==3 (that is,
>> input byte number is 4). The first circle inputs 3 bytes into array,
>> leaving the last byte for next step. But at that time i==toByte, so the
>> last byte is omitted, which is properly a mistake.
>>
>> Changing it to "if (i > toByte)" will solve the problem. I've run all
>> tests, including Richard's test, and they all pass. It'll be better if
>> someone who knows SHA1 checks it.

>>

>> If no objection, we can create a patch.

>>

>>> Best regards,

>>> Richard

>>>

>>>> On 9/11/06, Richard Liang <richard.liangyx@gmail.com> wrote:

>>>> On 9/9/06, Geir Magnusson Jr. <geir@pobox.com> wrote:

>>>> > I was trying the latest snapshot with the JBoss installer (4.0.1) and

>>>> > found a problem processing the SHA signatures in the jar manifest.

>>>> >

>>>> > I've entered a JIRA - HARMONY-1412

>>>> >

>>>>

>>>> I will have a look at it. ;-)

>>>>

>>>> > geir

>>>> >

>>>> > ---------------------------------------------------------------------

>>>> > Terms of use : http://incubator.apache.org/harmony/mailing.html

>>>> > To unsubscribe, e-mail: harmony-dev-unsubscribe@incubator.apache.org

>>>> > For additional commands, e-mail: harmony-dev-help@incubator.apache.org

>>>> >

>>>> >

>>>>

>>>>

>>>> --

>>>> Richard Liang

>>>> China Software Development Lab, IBM

>>>>

>>>

>>>

>>

>>


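The boundary condition discussed in this thread, as an added example (not Harmony's SHA1Impl and not code from any poster): a simplified model of the quoted loop that reports how many bytes get stored with the `>=` check and with the `>` check. Class, field and method names are hypothetical, and the step after the check is an assumption, since the thread does not show that part of the method.

```java
// Added illustration with hypothetical names; a simplified model, not Harmony's SHA1Impl.
public class UpdateBoundaryDemo {
    private final int[] intArray = new int[16]; // one block as 16 big-endian words
    private int wordIndex;        // word currently being filled
    private int byteIndex;        // bytes already stored in that word (0..3)
    private int absorbed;         // demo bookkeeping: total bytes stored
    private final boolean fixed;  // true: "i > toByte", false: "i >= toByte"
    UpdateBoundaryDemo(boolean fixed) { this.fixed = fixed; }
    private void store(byte b) {
        intArray[wordIndex] |= (b & 0xFF) << ((3 - byteIndex) << 3);
        byteIndex++;
        absorbed++;
    }
    private void advanceIfWordFull() {
        if (byteIndex == 4) {
            byteIndex = 0;
            wordIndex = (wordIndex + 1) % 16; // the real code hashes the block at 16
        }
    }

    // toByte is inclusive, as in the thread (4 input bytes: fromByte == 0, toByte == 3).
    void update(byte[] byteInput, int fromByte, int toByte) {
        int i = fromByte;
        // Step 1, as quoted: top up the partially filled word.
        for (; (i <= toByte) && (byteIndex < 4); i++) {
            store(byteInput[i]);
        }
        advanceIfWordFull();
        // The check under discussion; i is the index of the next unread byte.
        if (fixed ? (i > toByte) : (i >= toByte)) return;
        // Step 2 (assumed; the thread does not show this part): store what is left.
        for (; i <= toByte; i++) {
            store(byteInput[i]);
            advanceIfWordFull();
        }
    }

    static String run(boolean fixed) {
        byte[] bytes = { 0x6e, 0x61, 0x6d, 0x65 };  // same bytes as the test case
        UpdateBoundaryDemo d = new UpdateBoundaryDemo(fixed);
        d.update(new byte[] { 0x04 }, 0, 0);        // leaves byteIndex == 1
        d.update(bytes, 0, bytes.length - 1);       // the 4-byte bulk update
        return String.format("stored=%d words=%08x %08x", d.absorbed, d.intArray[0], d.intArray[1]);
    }
    public static void main(String[] args) {
        System.out.println("i >= toByte: " + run(false));
        System.out.println("i >  toByte: " + run(true));
    }
}
```

A digest computed over a buffer that silently lost a byte will not match the value recorded in a jar manifest, which is how an off-by-one like this surfaces as a signature-processing failure.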