I wrote this little MD5 utility class tonight for a project I am working on. I thought maybe some people could get use out of it here since this was the first place I looked for info on how to write one and couldn't find much.
Ok, so if there is a bug in MY program, the bug is actually part of the Integer API. Am I wrong? So why does java security API allow you to Digest a string but doesn't give you the appropriate methods to return that back to you correctly?
posted 15 years ago
Ok, so if there is a bug in MY program, the bug is actually part of the Integer API. Am I wrong?
Please take a look at the Javadoc of Integer.toHexString(int). You will find that it categorically states: "This value is converted to a string of ASCII digits in hexadecimal (base 16) with no extra leading 0s." So, the Java API sticks to its specification. I wouldn't call this behavior a bug.
So why does java security API allow you to Digest a string but doesn't give you the appropriate methods to return that back to you correctly?
Well, Java API allows Digest of byte arrays. If you want to convert a String to a byte array and then a byte array to a String, it is your problem. BTW, I should mention that the conversion of String to byte array, and vice-versa, depends on the specific encoding used for conversion. If you do not specify the encoding then the platform-default is used. However, relying on the default encoding is dangerous. Think of this scenario: If you convert string to byte array and calculate digest on your machine in US and send the digest value to an associate in Japan, whose default encoding is different. Now, the digest verification will fail even if the original String has not been modified. [ September 20, 2003: Message edited by: Pankaj Kr ]
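The two pitfalls raised in the reply above, shown side by side as an added example (not code from any poster in this thread): `Integer.toHexString` dropping leading zeros from digest bytes, and the digest changing with the encoding used for `getBytes`. The class and method names are hypothetical, and `naiveHex` is an assumed form of the conversion being discussed, since the original utility class is not shown on the page.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class Md5HexDemo {

    // Pitfall: Integer.toHexString emits no leading zeros, so any digest
    // byte below 0x10 contributes one character instead of two.
    static String naiveHex(byte[] digest) {
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(Integer.toHexString(b & 0xff));
        }
        return sb.toString();
    }

    // Fixed-width form: always two hex characters per byte.
    static String paddedHex(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(Character.forDigit((b >> 4) & 0xf, 16));
            sb.append(Character.forDigit(b & 0xf, 16));
        }
        return sb.toString();
    }

    // The caller names the encoding; the platform default is never consulted.
    static byte[] md5(String text, Charset charset) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(text.getBytes(charset));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample inputs.
        byte[] empty = md5("", StandardCharsets.UTF_8);
        System.out.println("naive : " + naiveHex(empty) + " (" + naiveHex(empty).length() + " chars)");
        System.out.println("padded: " + paddedHex(empty) + " (" + paddedHex(empty).length() + " chars)");

        String text = "caf\u00e9"; // one non-ASCII character
        System.out.println("UTF-8     : " + paddedHex(md5(text, StandardCharsets.UTF_8)));
        System.out.println("ISO-8859-1: " + paddedHex(md5(text, StandardCharsets.ISO_8859_1)));
        System.out.println("default (" + Charset.defaultCharset() + "): "
                + paddedHex(md5(text, Charset.defaultCharset())));
    }
}
```

The unpadded form is also ambiguous: the byte pairs `0x01 0x23` and `0x12 0x03` both render as `123`, so two different digests can compare equal as strings. Compare the raw 16 bytes or the fixed-width 32-character form when verifying.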
Originally posted by Ab Beland: Because the process is "one-way" the behaviour (I wouldn't call it a bug) is irrelevant in this case. With that said, THANKS, I was looking exactly for this!
Although it is only one-way, it won't matter in most cases, however, if you ever need to have your hashed string compared to by another separate application, it will matter because their MD5 won't produce the same as yours. I actually fixed this and when I have the time, I will post the newest version for you. I think it should be ok no matter who is MD5'ing the string.