[
https://issues.apache.org/jira/browse/JCR-4115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15882713#comment-15882713
]
Thomas Mueller commented on JCR-4115:
-------------------------------------
Patch for the test case, with generator function
{noformat}
--- src/test/java/org/apache/jackrabbit/core/data/DataStoreTest.java
(revision 1784247)
+++ src/test/java/org/apache/jackrabbit/core/data/DataStoreTest.java
(working copy)
@@ -24,12 +24,19 @@
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
+import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.ByteBuffer;
+import java.security.DigestOutputStream;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.Random;
/**
@@ -103,14 +110,35 @@
}
}
+ public static void main(String... args) throws NoSuchAlgorithmException {
+ // create and print a "directory-collision", that is, two byte arrays
+ // where the hash starts with the same bytes
+ // those values can be used for testDeleteRecordWithParentCollision
+ HashMap<Long, Long> map = new HashMap<Long, Long>();
+ MessageDigest digest = MessageDigest.getInstance("SHA-256");
+ ByteBuffer input = ByteBuffer.allocate(8);
+ byte[] array = input.array();
+ for(long x = 0;; x++) {
+ input.putLong(x).flip();
+ long h = ByteBuffer.wrap(digest.digest(array)).getLong();
+ Long old = map.put(h & 0xffffffffff000000L, x);
+ if (old != null) {
+ System.out.println(Long.toHexString(old) + " " +
Long.toHexString(x));
+ break;
+ }
+ }
+ }
+
public void testDeleteRecordWithParentCollision() throws Exception {
FileDataStore fds = new FileDataStore();
fds.init(testDir + "/fileDeleteCollision");
- String c1 = "06b2f82fd81b2c20";
- String c2 = "02c60cb75083ceef";
- DataRecord d1 = fds.addRecord(IOUtils.toInputStream(c1));
- DataRecord d2 = fds.addRecord(IOUtils.toInputStream(c2));
+ ByteArrayInputStream c1 = new ByteArrayInputStream(ByteBuffer
+ .allocate(8).putLong(0x181c7).array());
+ ByteArrayInputStream c2 = new ByteArrayInputStream(ByteBuffer
+ .allocate(8).putLong(0x11fd78).array());
+ DataRecord d1 = fds.addRecord(c1);
+ DataRecord d2 = fds.addRecord(c2);
fds.deleteRecord(d1.getIdentifier());
DataRecord testRecord = fds.getRecordIfStored(d2.getIdentifier());
{noformat}
> Don't use SHA-1 for new DataStore binaries (Jackrabbit)
> -------------------------------------------------------
>
> Key: JCR-4115
> URL: https://issues.apache.org/jira/browse/JCR-4115
> Project: Jackrabbit Content Repository
> Issue Type: Improvement
> Reporter: Thomas Mueller
> Labels: candidate_jcr_2_10, candidate_jcr_2_12,
> candidate_jcr_2_14, candidate_jcr_2_4, candidate_jcr_2_6, candidate_jcr_2_8
> Attachments: JCR-4115.patch
>
>
> A collision for SHA-1 has been published. We still use SHA-1 for the
> FileDataStore, and I believe the S3 DataStore right now. Given there is a
> collision, we should switch to a stronger algorithm, for example SHA-256, for
> new binaries.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
