2006/11/13, Yuri Dolgov <[EMAIL PROTECTED]>:
Sure, see https://issues.apache.org/jira/browse/HARMONY-2163
Unit test is also welcome ;)

On 11/10/06, Tim Ellison <[EMAIL PROTECTED]> wrote:
>
> Good catch Yuri -- please log it into JIRA.
>
> Regards,
> Tim
>
> Yuri Dolgov wrote:
> > Hello,
> >
> > I've made an investigation and found out the root of the problem.
> >
> > It seems that "eclipse" test in DaCapo benchmarks changes value of
> > *java.home* system property to ".\scratch\dummyjre". It affects
> > initialization of Security class in java.security module which loads
> > java.security file from *java.home*/lib/security directory.
> >
> > This is a potential security gap since a person could change *java.home*
> > value before Security class initialization and load malicious
> > java.security file.
> >
> > The following test demonstrates the described behavior:
> >
> >
> > import java.security.MessageDigest;
> > public class Test {
> >    public static void main (String[] args) {
> >        try {
> >            System.setProperty("java.home", "foo/path");
> >            MessageDigest md = MessageDigest.getInstance ("SHA-1");
> >        } catch (Exception e) {
> >            e.printStackTrace();
> >        }
> >    }
> > }
> >
> > Yuri Dolgov
> >
> >
> > On 11/10/06, Tim Ellison <[EMAIL PROTECTED]> wrote:
> >>
> >> Robin Garner wrote:
> >> > Stefano Mazzocchi wrote:
> >> >> from Robin's latest runs
> >> >>
> >> >> http://cs.anu.edu.au/people/Robin.Garner/dacapo/regression/results-20061110/DRLVM/eclipse.small.log
> >> >>
> >> >>
> >> >> there are a bunch of log messages that indicate that harmony doesn't
> >> >> implement SHA-1.
> >> >>
> >> >> Is that true?
> >> >>
> >> >
> >> > It can't be true, because _all_ the DaCapo benchmarks rely on SHA-1 for
> >> > validation.  I raised JIRA Harmony-2135 on this issue.  Looks like after
> >> > eclipse has run, drlvm forgets how to access the SHA-1 algorithm :(
> >>
> >> Yep, the SHA-1 code is still there [1].
> >>
> >> [1]
> >> http://svn.apache.org/viewvc/incubator/harmony/enhanced/classlib/trunk/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1Impl.java?view=markup
> >>
> >> Regards,
> >> Tim
> >>
> >> --
> >>
> >> Tim Ellison ([EMAIL PROTECTED])
> >> IBM Java technology centre, UK.
> >>
> >
>
> --
>
> Tim Ellison ([EMAIL PROTECTED])
> IBM Java technology centre, UK.
>
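
An added example, not from the thread or from Harmony's code: one way an application can guard against the ordering problem described above is to force java.security.Security to initialize before any other code can alter java.home, and to check later whether the property was changed. SecurityBootstrapGuard and its methods are hypothetical names, and the code assumes the runtime reads the java.security file once, when Security is initialized, as the message describes.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Objects;

/** Added illustration; class and method names are hypothetical. */
public final class SecurityBootstrapGuard {
    // java.home as set by the launcher, captured before other code can change it.
    private static final String TRUSTED_JAVA_HOME = System.getProperty("java.home");

    static {
        // Touching Security runs its static initializer now, so the java.security
        // file is located through the launcher's java.home, not a later value.
        Security.getProviders();
    }

    private SecurityBootstrapGuard() {}

    /** Call first thing in main(); invoking it triggers the static initializer. */
    public static void init() {}

    /** True if java.home no longer matches the value seen at startup. */
    public static boolean javaHomeChanged() {
        return !Objects.equals(TRUSTED_JAVA_HOME, System.getProperty("java.home"));
    }

    /** True if the loaded provider configuration still offers the algorithm. */
    public static boolean hasDigest(String algorithm) {
        try {
            MessageDigest.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        init();
        // Same property change as in the test case quoted in the message.
        System.setProperty("java.home", "foo/path");
        System.out.println("java.home changed: " + javaHomeChanged());
        System.out.println("SHA-1 available:   " + hasDigest("SHA-1"));
        // Restore the launcher's value for code that reads the property later.
        System.setProperty("java.home", TRUSTED_JAVA_HOME);
    }
}
```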

