jackrabbit-dev mailing list archives

From "Thomas Mueller (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCR-4115) Don't use SHA-1 for new DataStore binaries (Jackrabbit)
Date Fri, 24 Feb 2017 13:58:44 GMT

    [ https://issues.apache.org/jira/browse/JCR-4115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15882713#comment-15882713 ]

Thomas Mueller commented on JCR-4115:
-------------------------------------

Patch for the test case, with generator function

{noformat}
--- src/test/java/org/apache/jackrabbit/core/data/DataStoreTest.java	(revision 1784247)
+++ src/test/java/org/apache/jackrabbit/core/data/DataStoreTest.java	(working copy)
@@ -24,12 +24,19 @@
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
+import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.ByteBuffer;
+import java.security.DigestOutputStream;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.sql.DriverManager;
 import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Random;
 
 /**
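Review bot: FileOutputStream, OutputStream, DigestOutputStream and HashSet are added to the import block, but none of the added lines shown in this patch reference them; the new main() only needs ByteBuffer, MessageDigest, NoSuchAlgorithmException and the already imported HashMap. Unless another part of the file uses them, drop the four unused imports.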
@@ -103,14 +110,35 @@
         }
     }
 
+    public static void main(String... args) throws NoSuchAlgorithmException {
+        // create and print a "directory-collision", that is, two byte arrays
+        // where the hash starts with the same bytes
+        // those values can be used for testDeleteRecordWithParentCollision
+        HashMap<Long, Long> map = new HashMap<Long, Long>();
+        MessageDigest digest = MessageDigest.getInstance("SHA-256");
+        ByteBuffer input = ByteBuffer.allocate(8);
+        byte[] array = input.array();
+        for(long x = 0;; x++) {
+            input.putLong(x).flip();
+            long h = ByteBuffer.wrap(digest.digest(array)).getLong();
+            Long old = map.put(h & 0xffffffffff000000L, x);
+            if (old != null) {
+                System.out.println(Long.toHexString(old) + " " + Long.toHexString(x));
+                break;
+            }
+        }
+    }
+
     public void testDeleteRecordWithParentCollision() throws Exception {
         FileDataStore fds = new FileDataStore();
         fds.init(testDir + "/fileDeleteCollision");
 
-        String c1 = "06b2f82fd81b2c20";
-        String c2 = "02c60cb75083ceef";
-        DataRecord d1 = fds.addRecord(IOUtils.toInputStream(c1));
-        DataRecord d2 = fds.addRecord(IOUtils.toInputStream(c2));
+        ByteArrayInputStream c1 = new ByteArrayInputStream(ByteBuffer
+                .allocate(8).putLong(0x181c7).array());
+        ByteArrayInputStream c2 = new ByteArrayInputStream(ByteBuffer
+                .allocate(8).putLong(0x11fd78).array());
+        DataRecord d1 = fds.addRecord(c1);
+        DataRecord d2 = fds.addRecord(c2);
         fds.deleteRecord(d1.getIdentifier());
         DataRecord testRecord = fds.getRecordIfStored(d2.getIdentifier());
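Review bot: testDeleteRecordWithParentCollision now relies on 0x181c7 and 0x11fd78 producing identifiers with a shared prefix, but nothing in the test checks that, and main() hardcodes MessageDigest.getInstance("SHA-256") independently of whatever digest FileDataStore actually uses. If the two ever differ, the records no longer share a parent directory and the test can pass without exercising the collision path. Consider asserting, right after the two addRecord calls, that d1.getIdentifier() and d2.getIdentifier() start with the same characters, and add a comment next to the constants saying they were produced by main(). The comment in main() could also state how many leading bytes match: the mask 0xffffffffff000000L keeps the top 40 bits, that is 5 bytes.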
{noformat}

> Don't use SHA-1 for new DataStore binaries (Jackrabbit)
> -------------------------------------------------------
>
>                 Key: JCR-4115
>                 URL: https://issues.apache.org/jira/browse/JCR-4115
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>            Reporter: Thomas Mueller
>              Labels: candidate_jcr_2_10, candidate_jcr_2_12, candidate_jcr_2_14, candidate_jcr_2_4, candidate_jcr_2_6, candidate_jcr_2_8
>         Attachments: JCR-4115.patch
>
>
> A collision for SHA-1 has been published. We still use SHA-1 for the FileDataStore, and I believe the S3 DataStore right now. Given there is a collision, we should switch to a stronger algorithm, for example SHA-256, for new binaries.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
