Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest
Geir Magnusson Jr. wrote:
> Nice work all. You guys are amazing. Definitely create that patch and attach to the initial JIRA.

yep -- cool to see that get worked on by a number of people in the community. A tricky bug too, so good teamwork!

Regards,
Tim

--
Tim Ellison ([EMAIL PROTECTED])
IBM Java technology centre, UK.

-
Terms of use : http://incubator.apache.org/harmony/mailing.html
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest
Colleagues, thanks a lot for identifying the bug !!! The fix you propose is correct.

Thanks,
Yuri

> Nice work all. You guys are amazing. Definitely create that patch and attach to the initial JIRA.
>
> geir
Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest
After two-day struggling with JarFile, ObjectInputStream and MessageDigest, in the end, I have identified the root cause. And now I have two panda-eyes[1] ;-)

It seems a bug of org.apache.harmony.security.provider.crypto.SHA1Impl. As I have no idea about SHA1. Could anyone have a look at this problem?

The following test case passes on RI, but fails on Harmony.

    public void testUpdate() throws NoSuchAlgorithmException {
        byte[] bytes = { 0x6e, 0x61, 0x6d, 0x65 };
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        byte[] digest1 = sha1.digest();

        // Feed 0x04 and then the four bytes one at a time.
        byte b = 0x04;
        sha1.update(b);
        for (int i = 0; i < bytes.length; i++) {
            sha1.update(bytes[i]);
        }
        byte[] digest2 = sha1.digest();

        sha1.reset();
        byte[] digest3 = sha1.digest();
        assertTrue(MessageDigest.isEqual(digest1, digest3));

        // Feed the same five bytes, the last four as one array.
        sha1.update(b);
        sha1.update(bytes, 0, bytes.length);
        byte[] digest4 = sha1.digest();
        assertTrue(MessageDigest.isEqual(digest2, digest4));
    }

[1]http://www.panda.org.cn/zhuye/bbe.jpg

Best regards,
Richard

--
Richard Liang
China Development Lab, IBM
Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest
On 9/13/06, Richard Liang [EMAIL PROTECTED] wrote:
> After two-day struggling with JarFile, ObjectInputStream and MessageDigest, in the end, I have identified the root cause. And now I have two panda-eyes[1] ;-)

Interesting!

> It seems a bug of org.apache.harmony.security.provider.crypto.SHA1Impl. As I have no idea about SHA1. Could anyone have a look at this problem?
>
> The following test case passes on RI, but fails on Harmony.
>
>     public void testUpdate() throws NoSuchAlgorithmException {
>         byte[] bytes = { 0x6e, 0x61, 0x6d, 0x65 };
>         MessageDigest sha1 = MessageDigest.getInstance("SHA1");
>         byte[] digest1 = sha1.digest();
>
>         // Feed 0x04 and then the four bytes one at a time.
>         byte b = 0x04;
>         sha1.update(b);
>         for (int i = 0; i < bytes.length; i++) {
>             sha1.update(bytes[i]);
>         }
>         byte[] digest2 = sha1.digest();
>
>         sha1.reset();
>         byte[] digest3 = sha1.digest();
>         assertTrue(MessageDigest.isEqual(digest1, digest3));
>
>         // Feed the same five bytes, the last four as one array.
>         sha1.update(b);
>         sha1.update(bytes, 0, bytes.length);
>         byte[] digest4 = sha1.digest();
>         assertTrue(MessageDigest.isEqual(digest2, digest4));
>     }

Interesting bug too! I'm not clear about sha1 algorithm, but guess whether following code causes the bug:

    for ( ; ( i <= toByte ) && ( byteIndex < 4 ) ; i++ ) {
        // andrew comment : The break condition is either 1. byteIndex == 4 or 2. i > toByte
        intArray[wordIndex] |= ( byteInput[i] & 0xFF ) << ((3 - byteIndex)<<3) ;
        byteIndex++;
    }
    if ( byteIndex == 4 ) {    // andrew comment: break condition 1
        wordIndex++;
        if ( wordIndex == 16 ) {    // intArray is full, computing hash
            computeHash(intArray);
            wordIndex = 0;
        }
    }
    if ( i >= toByte ) {    // all input bytes appended
        // andrew comment: is it break condition 2? or it should be (i > toByte) ?
        // p.s: all tests could pass if using i > toByte.
        return ;
    }

Of course, I could be totally wrong. Let security guys fix the problem. I don't want to have panda eyes too as Richard. :-)

> [1]http://www.panda.org.cn/zhuye/bbe.jpg

--
Andrew Zhang
China Software Development Lab, IBM
Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest
Richard Liang wrote:
> After two-day struggling with JarFile, ObjectInputStream and MessageDigest, in the end, I have identified the root cause. And now I have two panda-eyes[1] ;-)
>
> It seems a bug of org.apache.harmony.security.provider.crypto.SHA1Impl. As I have no idea about SHA1. Could anyone have a look at this problem?
>
> The following test case passes on RI, but fails on Harmony.
>
>     public void testUpdate() throws NoSuchAlgorithmException {
>         byte[] bytes = { 0x6e, 0x61, 0x6d, 0x65 };
>         MessageDigest sha1 = MessageDigest.getInstance("SHA1");
>         byte[] digest1 = sha1.digest();
>
>         // Feed 0x04 and then the four bytes one at a time.
>         byte b = 0x04;
>         sha1.update(b);
>         for (int i = 0; i < bytes.length; i++) {
>             sha1.update(bytes[i]);
>         }
>         byte[] digest2 = sha1.digest();
>
>         sha1.reset();
>         byte[] digest3 = sha1.digest();
>         assertTrue(MessageDigest.isEqual(digest1, digest3));
>
>         // Feed the same five bytes, the last four as one array.
>         sha1.update(b);
>         sha1.update(bytes, 0, bytes.length);
>         byte[] digest4 = sha1.digest();
>         assertTrue(MessageDigest.isEqual(digest2, digest4));
>     }
>
> [1]http://www.panda.org.cn/zhuye/bbe.jpg

Poor Richard! Looking for a needle in a bottle of hay, right? ;)

A closer study on SHA1Impl, I find these lines (line 194) may be wrong:

    for ( ; ( i <= toByte ) && ( byteIndex < 4 ) ; i++ ) {    // *NOTE* it uses <= here
        intArray[wordIndex] |= ( byteInput[i] & 0xFF ) << ((3 - byteIndex)<<3) ;
        byteIndex++;
    }
    if ( byteIndex == 4 ) {
        wordIndex++;
        if ( wordIndex == 16 ) {
            computeHash(intArray);
            wordIndex = 0;
        }
    }
    if ( i >= toByte ) {    // *NOTE* it uses >= here
        return ;
    }

Though I don't know SHA1 well, I guess it must be in the line of second *NOTE*. This bug happens when byteIndex==1, and fromByte==0, toByte==3 (that is, input byte number is 4). The first circle inputs 3 bytes into array, leaving the last byte for next step. But at that time i==toByte, so the last byte is omitted, which is properly a mistake.

Changing it to if (i > toByte) will solve the problem. I've run all tests, including Richard's test, and they all pass. It'll be better if someone who knows SHA1 checks it. If no objection, we can create a patch.

--
Best Regards!
Jimmy, Jing Lv
China Software Development Lab, IBM
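
An added example, not part of the thread and not Harmony's code: a simplified Java model of the partial-word stage discussed in the two messages above, with the `>=` and `>` checks side by side, reporting which chunk boundaries lose a byte. The class and method names are invented for illustration, and the model only packs bytes into a single 64-byte block without hashing.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Simplified model of the word-packing stage discussed in the thread.
// NOT Harmony's SHA1Impl: no hashing, single block only (< 64 bytes).
public class PartialWordModel {
    private final int[] words = new int[16]; // big-endian packed input block
    private int index = 0;                   // bytes buffered so far
    private final boolean buggy;             // true: ">=" check, false: ">"

    PartialWordModel(boolean buggy) { this.buggy = buggy; }

    private void put(byte b) {
        words[index >> 2] |= (b & 0xFF) << ((3 - (index & 3)) << 3);
        index++;
    }

    // Appends in[fromByte..toByte]; both bounds are inclusive, as in the thread.
    void update(byte[] in, int fromByte, int toByte) {
        int i = fromByte;
        int byteIndex = index & 3;
        if (byteIndex != 0) {
            // Stage 1: top up the partially filled word.
            for (; (i <= toByte) && (byteIndex < 4); i++) {
                put(in[i]);
                byteIndex++;
            }
            // i is now the next unread position, so i == toByte means one
            // byte is still unread. ">=" returns too early and drops it.
            if (buggy ? (i >= toByte) : (i > toByte)) {
                return;
            }
        }
        // Stage 2 (simplified): append the remaining bytes one at a time.
        for (; i <= toByte; i++) {
            put(in[i]);
        }
    }

    // Feeds msg as two chunks split at k (k == 0 is one-shot input).
    static int[] pack(boolean buggy, byte[] msg, int k) {
        PartialWordModel m = new PartialWordModel(buggy);
        m.update(msg, 0, k - 1);
        m.update(msg, k, msg.length - 1);
        return m.words;
    }

    // Split points where chunked input packs differently from one-shot input.
    static List<Integer> badSplits(boolean buggy, byte[] msg) {
        int[] expected = pack(buggy, msg, 0);
        List<Integer> bad = new ArrayList<>();
        for (int k = 1; k < msg.length; k++) {
            if (!Arrays.equals(expected, pack(buggy, msg, k))) bad.add(k);
        }
        return bad;
    }

    public static void main(String[] args) {
        byte[] msg = { 0x04, 0x6e, 0x61, 0x6d, 0x65 }; // bytes from the thread's test case
        System.out.println("'>=' check, bad splits: " + badSplits(true, msg));
        System.out.println("'>'  check, bad splits: " + badSplits(false, msg));
    }
}
```

The same sweep over split points, run against a real MessageDigest instead of the model, is a regression test for this class of buffering bug: the digest must not depend on how the input is chunked.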
Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest
Richard Liang wrote:
> After two-day struggling with JarFile, ObjectInputStream and MessageDigest, in the end, I have identified the root cause. And now I have two panda-eyes[1] ;-)

Nice work!
Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest
Nice work all. You guys are amazing. Definitely create that patch and attach to the initial JIRA.

geir
Re: [classlib][security] problem processing SHA signatures in JBoss installer manifest
On 9/9/06, Geir Magnusson Jr. [EMAIL PROTECTED] wrote:
> I was trying the latest snapshot with the JBoss installer (4.0.1) and found a problem processing the SHA signatures in the jar manifest.
>
> I've entered a JIRA - HARMONY-1412

I will have a look at it. ;-)

> geir

--
Richard Liang
China Software Development Lab, IBM
[classlib][security] problem processing SHA signatures in JBoss installer manifest
I was trying the latest snapshot with the JBoss installer (4.0.1) and found a problem processing the SHA signatures in the jar manifest.

I've entered a JIRA - HARMONY-1412

geir