MD5 Class

Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15299

I wrote this little MD5 utility class tonight for a project I am working on. I thought maybe some people could get use out of it here since this was the first place I looked for info on how to write one and couldn't find much.


Pankaj Kr
Author
Ranch Hand

Joined: Sep 09, 2003
Posts: 80
Though I am afraid that there is a bug in the following statement:

hexString.append(Integer.toHexString(0xFF & digest[i]));

The problem is best illustrated with the following code:

    public class Test {
        public static void main(String[] args) {
            byte b1 = (byte) 0x04;
            byte b2 = (byte) 0xa4;
            System.out.println("b1 = " + Integer.toHexString(0xFF & b1));
            System.out.println("b2 = " + Integer.toHexString(0xFF & b2));
        }
    }

What output would you expect?
04
a4
What do you get?
4
a4
Can you see the problem?


Pankaj Kumar
Gregg Bolinger

I see it leaves off the preceding 0. So how do you keep that 0?
Pankaj Kr
Look at hexStringFromByte() method in this utility class.
This source file is part of the source code that comes with my book J2EE Security for Servlets, EJBs and Web Services. You can get the complete sources at http://www.j2ee-security.net.
Gregg Bolinger

Ok, so if there is a bug in MY program, the bug is actually part of the Integer API. Am I wrong?
So why does java security API allow you to Digest a string but doesn't give you the appropriate methods to return that back to you correctly?
Pankaj Kr

Ok, so if there is a bug in MY program, the bug is actually part of the Integer API. Am I wrong?

Please take a look at the Javadoc of Integer.toHexString(int). You will find that it categorically states: "This value is converted to a string of ASCII digits in hexadecimal (base 16) with no extra leading 0s." So, the Java API sticks to its specification. I wouldn't call this behavior a bug.

So why does java security API allow you to Digest a string but doesn't give you the appropriate methods to return that back to you correctly?

Well, Java API allows Digest of byte arrays. If you want to convert a String to a byte array and then a byte array to a String, it is your problem.
BTW, I should mention that the conversion of String to byte array, and vice-versa, depends on the specific encoding used for conversion. If you do not specify the encoding then the platform-default is used. However, relying on the default encoding is dangerous. Think of this scenario: If you convert string to byte array and calculate digest on your machine in US and send the digest value to an associate in Japan, whose default encoding is different. Now, the digest verification will fail even if the original String has not been modified.
[ September 20, 2003: Message edited by: Pankaj Kr ]
Ab Beland
Greenhorn

Joined: Oct 09, 2003
Posts: 3
Because the process is "one-way" the behaviour (I wouldn't call it a bug) is irrelevant in this case.
With that said, THANKS, I was looking exactly for this!
Gregg Bolinger

Originally posted by Ab Beland:
Because the process is "one-way" the behaviour (I wouldn't call it a bug) is irrelevant in this case.
With that said, THANKS, I was looking exactly for this!

Although it is only one-way, it won't matter in most cases, however, if you ever need to have your hashed string compared to by another separate application, it will matter because their MD5 won't produce the same as yours. I actually fixed this and when I have the time, I will post the newest version for you. I think it should be ok no matter who is MD5'ing the string.
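
The two issues raised in this thread (dropped leading zeros and platform-default encoding), shown as an added example that is not code from any poster or from the book mentioned above. The class name, method names and sample inputs are assumptions constructed for illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class Md5HexDemo {
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    // The conversion discussed in the thread: bytes below 0x10 lose their leading zero.
    static String toHexUnpadded(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(Integer.toHexString(0xFF & b));
        }
        return sb.toString();
    }

    // Always two digits per byte, so a 16-byte MD5 digest is always 32 characters.
    static String toHex(byte[] bytes) {
        char[] out = new char[bytes.length * 2];
        for (int i = 0; i < bytes.length; i++) {
            int v = bytes[i] & 0xFF;
            out[2 * i] = HEX[v >>> 4];
            out[2 * i + 1] = HEX[v & 0x0F];
        }
        return new String(out);
    }

    // Explicit charset, so the digest does not depend on the platform default encoding.
    static String md5Hex(String input, Charset cs) throws NoSuchAlgorithmException {
        return toHex(MessageDigest.getInstance("MD5").digest(input.getBytes(cs)));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed byte arrays: different values, same unpadded rendering.
        byte[] a = {(byte) 0x01, (byte) 0x23};
        byte[] b = {(byte) 0x12, (byte) 0x03};
        System.out.println("unpadded: " + toHexUnpadded(a) + " / " + toHexUnpadded(b));
        System.out.println("padded:   " + toHex(a) + " / " + toHex(b));

        // Constructed input with a non-ASCII character: the charset changes the digest.
        String s = "caf\u00e9";
        System.out.println("UTF-8:      " + md5Hex(s, StandardCharsets.UTF_8));
        System.out.println("ISO-8859-1: " + md5Hex(s, StandardCharsets.ISO_8859_1));
    }
}
```

The unpadded form maps both constructed arrays to the same string, so two different digests can compare equal once rendered that way; the padded form keeps them distinct.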
 