Danny Thuering created JAMES-3512:
-------------------------------------

             Summary: DigestUtil hash bug
                 Key: JAMES-3512
                 URL: https://issues.apache.org/jira/browse/JAMES-3512
             Project: James Server
          Issue Type: Bug
    Affects Versions: master
            Reporter: Danny Thuering


I was testing how to transfer user password hashes from the Cassandra user 
table to an external system but the hashes were too short when validating with 
a different SHA1 digest algorithm.

I have added a sample to illustrate the issue. There are two bytes missing on 
the hash compared to e.g. `com.google.common.hash.Hashing`.

The problem seems to be a missing `flush` or `close` on the `OutputStream` in 
`DigestUtil.java`.
[https://github.com/apache/james-project/blob/ec7b50b82c5386aec6ee115a3b4c1b3018f7b4a8/server/data/data-library/src/main/java/org/apache/james/user/lib/util/DigestUtil.java#L146]



Here is the output from my tests:

{{james base4     : n7f+Eheu1EKwTA9eQ7XVp9Mo}}
{{hcode hex       : 9fb7fe1217aed442b04c0f5e43b5d5a7d3287097}}
{{james hex       : 9fb7fe1217aed442b04c0f5e43b5d5a7d328}}
{{james fix base64: n7f+Eheu1EKwTA9eQ7XVp9MocJc=}}
{{james fix hash  : 9fb7fe1217aed442b04c0f5e43b5d5a7d3287097}}

The sample is transforming the stored password base64 to hex encoding and you 
can see the missing two bytes. The fix used `flush` on digesting a password.

[https://gist.github.com/dthuering/67e804897d10330c24e62a1767139264]

Maybe I am missing something, but it looks like a bug. It is not affecting running 
instances but is a problem when moving hashes to other systems.

 

 



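Added example, not part of the report, the linked gist, or the James code base: a Python model of why an unfinished base64 encoder stream drops the last two bytes of a 20-byte SHA-1 digest, plus a check a receiving system could use to recognise and verify such truncated values. The class and function names are hypothetical, the encoder is a toy stand-in for the stream used in `DigestUtil.java`, and an unsalted SHA-1 over the UTF-8 password bytes is assumed.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20                              # bytes in a full SHA-1 digest
TRUNCATED_LEN = SHA1_LEN - SHA1_LEN % 3    # 18: whole 3-byte groups only


class StreamingBase64Encoder:
    """Toy model: write() emits whole 3-byte groups, close() emits the rest."""

    def __init__(self):
        self._pending = b""
        self._out = []

    def write(self, data: bytes) -> None:
        buf = self._pending + data
        whole = len(buf) - len(buf) % 3
        self._out.append(base64.b64encode(buf[:whole]).decode("ascii"))
        self._pending = buf[whole:]        # 20 % 3 == 2 bytes stay buffered

    def close(self) -> None:
        self._out.append(base64.b64encode(self._pending).decode("ascii"))
        self._pending = b""

    def value(self) -> str:
        return "".join(self._out)


def encode_digest(digest: bytes, finish: bool) -> str:
    """Encode a digest; finish=False reproduces the missing flush/close."""
    enc = StreamingBase64Encoder()
    enc.write(digest)
    if finish:
        enc.close()
    return enc.value()


def classify_stored_hash(stored_b64: str) -> str:
    """Label a stored value as 'full', 'truncated' or 'unknown' by length."""
    size = len(base64.b64decode(stored_b64))
    return {SHA1_LEN: "full", TRUNCATED_LEN: "truncated"}.get(size, "unknown")


def matches_stored(password: str, stored_b64: str) -> bool:
    """Verify a password against a full or truncated stored SHA-1 value."""
    if classify_stored_hash(stored_b64) == "unknown":
        return False                       # never accept an empty/odd prefix
    raw = base64.b64decode(stored_b64)
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(digest[:len(raw)], raw)
```
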