• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

MD5 Class

 
Gregg Bolinger
GenRocket Founder
Ranch Hand
Posts: 15302
6
Chrome IntelliJ IDE Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I wrote this little MD5 utility class tonight for a project I am working on. I thought maybe some people could get use out of it here since this was the first place I looked for info on how to write one and couldn't find much.
 
Pankaj Kr
Author
Ranch Hand
Posts: 80
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Though I am afraid that there is bug in the following statement:

hexString.append(Integer.toHexString(0xFF & digest[i]));

The problem is best illustrated with the following code:

public class Test {
public static void main(String[] args){
byte b1 = (byte)0x04;
byte b2 = (byte)0xa4;
System.out.println("b1 = " + Integer.toHexString(0xFF & b1));
System.out.println("b2 = " + Integer.toHexString(0xFF & b2));
}
}

What output would you expect?
04
a4
What do you get?
4
a4
Can you see the problem?
 
Gregg Bolinger
GenRocket Founder
Ranch Hand
Posts: 15302
6
Chrome IntelliJ IDE Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I see it leaves off the preceeding 0. So how do you keep that 0?
 
Pankaj Kr
Author
Ranch Hand
Posts: 80
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Look at hexStringFromByte() method in this utility class.
This source file is part of the source code that come with my book J2EE Security for Servlets, EJBs and Web Services. You can get the complete sources at http://www.j2ee-security.net.
 
Gregg Bolinger
GenRocket Founder
Ranch Hand
Posts: 15302
6
Chrome IntelliJ IDE Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Ok, so if there is a bug in MY program, the bug is actually part of the Integer API. Am I wrong?
So why does java security API allow you to Digest a string but doesn't give you the appropriate methods to return that back to you correctly?
 
Pankaj Kr
Author
Ranch Hand
Posts: 80
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Ok, so if there is a bug in MY program, the bug is actually part of the Integer API. Am I wrong?

Please take a look at the Javadoc of Integer.toHexString(int). You will find that it categorically states: "This value is converted to a string of ASCII digits in hexadecimal (base 16) with no extra leading 0s." So, the Java API sticks to its specification. I wouldn't call this behavior a bug.

So why does java security API allow you to Digest a string but doesn't give you the appropriate methods to return that back to you correctly?

Well, Java API allows Digest of byte arrays. If you want to convert a String to a byte array and then a byte array to a String, it is your problem.
BTW, I should mention that the conversion of String to byte array, and vice-versa, depends on the specific encoding used for conversion. If you do not specify the encoding then the platform-default is used. However, relying on the default encoding is dangerous. Think of this scenario: If you convert string to byte array and calculate digest on your machine in US and send the digest value to an associate in Japan, whose default encoding is different. Now, the digest veirfication will fail even if the original String has not been modified.
[ September 20, 2003: Message edited by: Pankaj Kr ]
 
Ab Beland
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Because the process is "one-way" the behaviour (I wouldn't call it a bug) is irrelevant in this case.
With that said, THANKS, I was looking exactly for this!
 
Gregg Bolinger
GenRocket Founder
Ranch Hand
Posts: 15302
6
Chrome IntelliJ IDE Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Ab Beland:
Because the process is "one-way" the behaviour (I wouldn't call it a bug) is irrelevant in this case.
With that said, THANKS, I was looking exactly for this!

Although it is only one-way, it won't matter in most cases, however, if you ever need to have your hashed string compared to by another seperate application, it will matter because their MD5 won't produce the same as yours. I actually fixed this and when I have the time, I will post the newest version for you. I think it should be ok no matter who is MD5'ing the string.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic