Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest

2006-09-14 Thread Tim Ellison
Geir Magnusson Jr. wrote:
> Nice work all. You guys are amazing. Definitely create that patch and
> attach to the initial JIRA.

yep -- cool to see that get worked on by a number of people in the
community.  A tricky bug too, so good teamwork!

Regards,
Tim

-- 

Tim Ellison ([EMAIL PROTECTED])
IBM Java technology centre, UK.

-
Terms of use : http://incubator.apache.org/harmony/mailing.html
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest

2006-09-13 Thread Yuri Kropachev

Colleagues, thanks a lot for identifying the bug !!!

The fix you propose is correct.

Thanks,
Yuri




Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest

2006-09-12 Thread Richard Liang

After two-day struggling with JarFile, ObjectInputStream and
MessageDigest, in the end, I have identified the root cause. And now I
have two panda-eyes[1] ;-)

It seems a bug of
org.apache.harmony.security.provider.crypto.SHA1Impl.  As I have no
idea about SHA1. Could any one have a look at this problem?

The following test case passes on RI, but fails on Harmony.

    public void testUpdate() throws NoSuchAlgorithmException {
        byte[] bytes = { 0x6e, 0x61, 0x6d, 0x65 };
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        byte[] digest1 = sha1.digest();
        byte b = 0x04;
        sha1.update(b);

        for (int i = 0; i < bytes.length; i++) {
            sha1.update(bytes[i]);
        }
        byte[] digest2 = sha1.digest();

        sha1.reset();
        byte[] digest3 = sha1.digest();
        assertTrue(MessageDigest.isEqual(digest1, digest3));

        sha1.update(b);
        sha1.update(bytes, 0, bytes.length);
        byte[] digest4 = sha1.digest();

        assertTrue(MessageDigest.isEqual(digest2, digest4));
    }

[1]http://www.panda.org.cn/zhuye/bbe.jpg

Best regards,
Richard


--
Richard Liang
China Development Lab, IBM




Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest

2006-09-12 Thread Andrew Zhang

On 9/13/06, Richard Liang [EMAIL PROTECTED] wrote:
> After two-day struggling with JarFile, ObjectInputStream and
> MessageDigest, in the end, I have identified the root cause. And now I
> have two panda-eyes[1] ;-)

Interesting!

> It seems a bug of
> org.apache.harmony.security.provider.crypto.SHA1Impl.  As I have no
> idea about SHA1. Could any one have a look at this problem?
>
> The following test case passes on RI, but fails on Harmony.
>
>     public void testUpdate() throws NoSuchAlgorithmException {
>         byte[] bytes = { 0x6e, 0x61, 0x6d, 0x65 };
>         MessageDigest sha1 = MessageDigest.getInstance("SHA1");
>         byte[] digest1 = sha1.digest();
>         byte b = 0x04;
>         sha1.update(b);
>
>         for (int i = 0; i < bytes.length; i++) {
>             sha1.update(bytes[i]);
>         }
>         byte[] digest2 = sha1.digest();
>
>         sha1.reset();
>         byte[] digest3 = sha1.digest();
>         assertTrue(MessageDigest.isEqual(digest1, digest3));
>
>         sha1.update(b);
>         sha1.update(bytes, 0, bytes.length);
>         byte[] digest4 = sha1.digest();
>
>         assertTrue(MessageDigest.isEqual(digest2, digest4));
>     }



Interesting bug too!

I'm not clear about sha1 algorithm, but guess whether following code causes
the bug:

    for ( ; ( i <= toByte ) && ( byteIndex < 4 ) ; i++ ) {
        // andrew comment: The break condition is either 1. byteIndex == 4 or 2. i > toByte
        intArray[wordIndex] |= ( byteInput[i] & 0xFF ) << ((3 - byteIndex)<<3) ;
        byteIndex++;
    }
    if ( byteIndex == 4 ) { // andrew comment: break condition 1
        wordIndex++;
        if ( wordIndex == 16 ) { // intArray is full, computing hash
            computeHash(intArray);
            wordIndex = 0;
        }
    }
    if ( i >= toByte ) { // all input bytes appended
        // andrew comment: is it break condition 2? or it should be (i > toByte) ?
        // p.s: all tests could pass if using i > toByte.
        return ;
    }

Of course, I could be totally wrong. Let security guys fix the problem. I
don't want to have panda eyes too as Richard. :-)




> [1]http://www.panda.org.cn/zhuye/bbe.jpg






--
Andrew Zhang
China Software Development Lab, IBM


Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest

2006-09-12 Thread Jimmy, Jing Lv




Poor Richard! Looking for a needle in a bottle of hay, right? ;)

A closer study on SHA1Impl, I find these lines (line 194) may be wrong:

    for ( ; ( i <= toByte ) && ( byteIndex < 4 ) ; i++ ) { // *NOTE* it uses <= here
        intArray[wordIndex] |=
            ( byteInput[i] & 0xFF ) << ((3 - byteIndex)<<3) ;
        byteIndex++;
    }
    if ( byteIndex == 4 ) {
        wordIndex++;
        if ( wordIndex == 16 ) {
            computeHash(intArray);
            wordIndex = 0;
        }
    }
    if ( i >= toByte ) {   // *NOTE* it uses >= here
        return ;
    }

Though I don't know SHA1 well, I guess it must be > in the line of the
second *NOTE*.

This bug happens when byteIndex==1, and fromByte==0, toByte==3 (that is,
input byte number is 4). The first circle inputs 3 bytes into array,
leaving the last byte for next step. But at that time i==toByte, so the
last byte is omitted, which is properly a mistake.

Change it to if (i > toByte) will solve the problem, I've run all
tests, including Richard's test, and they all pass. It'll be better
if someone who knows SHA1 checks it.

If no objection, we can create a patch.



--

Best Regards!

Jimmy, Jing Lv
China Software Development Lab, IBM
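
Added example (not part of the thread and not Harmony's code): a simplified Java model of the partial-word stage quoted above, run through a generalized form of Richard's split-update test that tries every split point rather than only 1 byte + 4 bytes. The class name, pack(), divergingSplits() and the stage-2 loop are assumptions made for this example; computeHash is left out because the constructed inputs never fill a 16-word block.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example: simplified model of the partial-word stage quoted in the thread. */
public class PartialWordModel {

    /**
     * Packs in[from..to] (inclusive bounds, as in the thread) big-endian into 32-bit
     * words, starting at byte offset `index` of the block buffer. `buggy` selects the
     * exit test under discussion: (i >= to) versus the proposed (i > to).
     */
    static void pack(int[] words, int index, byte[] in, int from, int to, boolean buggy) {
        int i = from;
        int wordIndex = index >> 2;
        int byteIndex = index & 3;
        if (byteIndex != 0) {
            // Stage 1: top up the half-filled word (the loop quoted in the thread).
            for (; (i <= to) && (byteIndex < 4); i++) {
                words[wordIndex] |= (in[i] & 0xFF) << ((3 - byteIndex) << 3);
                byteIndex++;
            }
            if (byteIndex == 4) {
                wordIndex++;
                byteIndex = 0;
            }
            if (buggy ? (i >= to) : (i > to)) {
                return; // the >= form also returns while in[to] is still unread
            }
        }
        // Stage 2 (stand-in written for this example): store whatever is left.
        for (; i <= to; i++) {
            words[wordIndex] |= (in[i] & 0xFF) << ((3 - byteIndex) << 3);
            if (++byteIndex == 4) {
                wordIndex++;
                byteIndex = 0;
            }
        }
    }

    /** Returns every "firstLen+secondLen" split whose buffer differs from a one-shot pack. */
    static List<String> divergingSplits(int maxLen, boolean buggy) {
        List<String> bad = new ArrayList<>();
        for (int len = 2; len <= maxLen; len++) {
            byte[] data = new byte[len];
            for (int k = 0; k < len; k++) data[k] = (byte) (0x41 + k); // constructed input
            int[] oneShot = new int[16];
            pack(oneShot, 0, data, 0, len - 1, buggy);
            for (int split = 1; split < len; split++) {
                int[] twoStep = new int[16];
                pack(twoStep, 0, data, 0, split - 1, buggy);
                pack(twoStep, split, data, split, len - 1, buggy);
                if (!Arrays.equals(oneShot, twoStep)) bad.add(split + "+" + (len - split));
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        System.out.println("i >= toByte: " + divergingSplits(13, true));
        System.out.println("i >  toByte: " + divergingSplits(13, false));
    }
}
```

In this model the >= form diverges whenever the second call tops up the open word and has exactly one byte left over, which includes the 1+4 split that testUpdate() exercises; the > form never diverges.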




Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest

2006-09-12 Thread Geir Magnusson Jr.



Richard Liang wrote:
> After two-day struggling with JarFile, ObjectInputStream and
> MessageDigest, in the end, I have identified the root cause. And now I
> have two panda-eyes[1] ;-)


Nice work!






Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest

2006-09-12 Thread Geir Magnusson Jr.
Nice work all.   You guys are amazing.  Definitely create that patch and 
attach to the initial JIRA.


geir




Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest

2006-09-10 Thread Richard Liang

On 9/9/06, Geir Magnusson Jr. [EMAIL PROTECTED] wrote:
> I was trying the latest snapshot with the JBoss installer (4.0.1) and
> found a problem processing the SHA signatures in the jar manifest.
>
> I've entered a JIRA - HARMONY-1412



I will have a look at it. ;-)







--
Richard Liang
China Software Development Lab, IBM




[classlib][security] problem processing SHA signatures in JBoss installer manifest

2006-09-08 Thread Geir Magnusson Jr.
I was trying the latest snapshot with the JBoss installer (4.0.1) and
found a problem processing the SHA signatures in the jar manifest.


I've entered a JIRA - HARMONY-1412

geir
