The scenario is the next:
I want to upload image to the server. But before uploading the file I have to send the SHA1 checksum of that file so the server could check if the file is already uploaded so I don't upload it again.
The problem is that for the same file I don't get the same SHA1 checksum in my app and on the server side.
Here is the code in my Android app:
public static String getSHA1FromFileContent(String filename)
throws NoSuchAlgorithmException, IOException {
final MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
InputStream is = new BufferedInputStream(new FileInputStream(filename));
final byte[] buffer = new byte[1024];
for (int read = 0; (read = is.read(buffer)) != -1;) {
messageDigest.update(buffer, 0, read);
}
is.close();
// Convert the byte to hex format
Formatter formatter = new Formatter();
for (final byte b : messageDigest.digest()) {
formatter.format("%02x", b);
}
String res = formatter.toString();
formatter.close();
return res;
}
And here is the code on the server side:
def hashFile(f):
sha1 = hashlib.sha1()
if hasattr(f, 'multiple_chunks') and f.multiple_chunks():
for c in f.chunks():
sha1.update(c)
else:
try:
sha1.update(f.read())
finally:
f.close()
return sha1.hexdigest()
What is the problem and why do I get different SHA1 checksums?
Turned out there was some server side image editing before generating the sha1 sum that wasn't meant to be done in this scenario. They made changes on the server side and now this is working perfectly.
Related
I have run into a problem - an existing program uses the code below to encrypt data
public static String encryptData(String data, final String key) {
try {
byte[] kb=key.getBytes("utf-8");
byte[] dig= MessageDigest.getInstance("SHA-1").digest(kb);
byte[] kdig= Arrays.copyOf(dig, 24);
final SecretKeySpec secretKeySpec = new SecretKeySpec(kdig, "DESede");
final Cipher instance = Cipher.getInstance("DESede");
instance.init(ENCRYPT_MODE, secretKeySpec);
byte[] ecb=instance.doFinal(data.getBytes("utf-8"));
byte[] enb64=Base64.encode(ecb, Base64.DEFAULT);
return new String(enb64);
} catch (Exception ex) {
ErmsLogger.e(TAG, ex.getMessage());
return null;
}
}
I need to write code on Node.Js that decrypts this encrypted data. So far - I have come up with
function decryptData(encrpted_data,fn){
var hashedKey = crypto.createHash('sha1').update(config.dataPassword).digest('hex');
if(hashedKey.length < 48){
var num=48 - hashedKey.length;
for(var i=0;i < num; i++){
hashedKey +='0';
}
}
var key=Buffer.from(hashedKey, 'hex');
var decipher = crypto.createDecipher('des-ede', key);
decoded = decipher.update(encrpted_data, 'base64', 'utf8');
decoded += decipher.final('utf8');
log.debug(JSON.stringify(decoded));
return fn(decoded);
}
I keep on running into
Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
at Decipher.final (internal/crypto/cipher.js:104:26)
whenever I try to decrypt data sent from the android app.
the working decryption code on Android (Java) is
public static String decryptData(final String data, final String password) throws Exception {
MessageDigest instance=MessageDigest.getInstance("SHA-1");
byte[] passworddigest=instance.digest(password.getBytes("utf-8"));
byte[] key=Arrays.copyOf(passworddigest, 24);
final SecretKeySpec secretKeySpec = new SecretKeySpec(key, "DESede");
final byte[] decodeddata = Base64.decode(data.getBytes("utf-8"), Base64.DEFAULT);
final Cipher ciperInstance = Cipher.getInstance("DESede");
ciperInstance.init(DECRYPT_MODE, secretKeySpec);
byte[] res= ciperInstance.doFinal(decodeddata);
return new String(res, "UTF-8");
}
Could you assist me translate this in Node?
After a bit of research and hitting my head against it - I finally came up with something that works
function decryptData(encrpted_data,fn){
var encodeKey = crypto.createHash('sha1').update(config.dataPassword).digest('hex');
var cryptkey=Buffer.alloc(24);
encodeKey.copy(cryptkey);
var decipher = crypto.createDecipheriv('des-ede3', cryptkey,'');
decipher.setAutoPadding(true);
decoded = decipher.update(encrpted_data, 'base64', 'utf8');
decoded += decipher.final('utf8');
log.debug(JSON.stringify(decoded));
return fn(decoded);
}
the explanation -
crypto.createDecipher() - internally uses the MD5 hash for the key passed to it and so it really doesn't matter what key value you send in - it will be changed. So the best option is to use createDecipheriv which accepts a raw key. This allows you to hash your key outside before passing it in. Since I was not using any IV - I passed the value of ''.
In Java (Android) DESede is really TripleDES and the equivalent on on crypto is 'des-ede3' and not 'des-ede'.
I hope this saves someone a couple of hours.
I am creating a SHA384 hash. I want to decode that hash. Is there any possible way to do this? Please help
Following is the code to get hash
public String getHash(String message) {
String algorithm = "SHA384";
String hex = "";
try {
byte[] buffer = message.getBytes();
MessageDigest md = MessageDigest.getInstance(algorithm);
md.update(buffer);
byte[] digest = md.digest();
for(int i = 0 ; i < digest.length ; i++) {
int b = digest[i] & 0xff;
if (Integer.toHexString(b).length() == 1) hex = hex + "0";
hex = hex + Integer.toHexString(b);
}
return hex;
} catch(NoSuchAlgorithmException e) {
e.printStackTrace();
return null;
}
}
A cryptographically secure hashing function is a function such that a given arbitrary length input is processed into a fixed length output in such a way that is not reversible (computationally infeasible). Such functions include MD5 and the SHA (Secure Hash Algorithm) family (1, 224, 256, 384, 512, etc).
Once you take the hash of the input there is no going back to the original input. This property can be used for verification of message integrity as hashing the identical message produces a identical hash.
The website you visited simply stores hashes and their inputs side by side and does a database lookup for your hash to attempt to find a possible input (if it was previously added to the database).
How do I check if the signature of my app matches the signature of the certificate that I used to sign it?
This is how I should be able to get the certificates fingerprint:
public String getCertificateFingerprint() throws NameNotFoundException, CertificateException, NoSuchAlgorithmException {
PackageManager pm = context.getPackageManager();
String packageName =context.getPackageName();
int flags = PackageManager.GET_SIGNATURES;
PackageInfo packageInfo = null;
packageInfo = pm.getPackageInfo(packageName, flags);
Signature[] signatures = packageInfo.signatures;
byte[] cert = signatures[0].toByteArray();
InputStream input = new ByteArrayInputStream(cert);
CertificateFactory cf = null;
cf = CertificateFactory.getInstance("X509");
X509Certificate c = null;
c = (X509Certificate) cf.generateCertificate(input);
MessageDigest md = MessageDigest.getInstance("MD5");
byte[] publicKey = md.digest(c.getPublicKey().getEncoded());
StringBuffer hexString = new StringBuffer();
for (int i = 0; i < publicKey.length; i++) {
String appendString = Integer.toHexString(0xFF & publicKey[i]);
if (appendString.length() == 1)
hexString.append("0");
hexString.append(appendString);
}
return hexString.toString();
}
This is how I should be able to get the fingerprint of my certificate:
keytool -v -list -keystore filenameandpath
My problem is, that these two give back different results.
Could someone point out what I'm screwing up?
You are computing the MD5 hash of the wrong data. The fingerprint of a certificate is a hash (MD5, SHA1, SHA256, etc.) of the raw certificate. I.e., you should be computing the hash of these bytes:
byte[] cert = signatures[0].toByteArray();
E.g., the following computes a SHA1 fingerprint, just change SHA1 to MD5 if you prefer.
public String computeFingerPrint(final byte[] certRaw) {
String strResult = "";
MessageDigest md;
try {
md = MessageDigest.getInstance("SHA1");
md.update(certRaw);
for (byte b : md.digest()) {
strAppend = Integer.toString(b & 0xff, 16);
if (strAppend.length() == 1)
strResult += "0";
strResult += strAppend;
}
strResult = strResult.toUpperCase(DATA_LOCALE);
}
catch (NoSuchAlgorithmException ex) {
ex.printStackTrace();
}
return strResult;
}
You can open the apk as a zip file and filter the ascii text from the binary content of META-INF/CERT.RSA and check there is it you who singed it.
try:
final void initVerify(Certificate certificate)
from: http://developer.android.com/reference/java/security/Signature.html
Use your code for collecting the fingerprint on the device in "test" mode -- meaning you have temporary code to emit that fingerprint to the log (or elsewhere). Be sure to test this using your production signing key, not the debug key!
Once you know from the device's perspective, you can remove the temporary code and elsewhere you can compare to what you've previously determined to be the key.
Be aware though that you're probably doing this to prevent someone from modifying your app and re-signing it with another key, but someone with the ability to do that also has the ability to modify your key checking. This is a problem that can be addressed with additional obfuscation but you'll need to come up with your own solution to minimize the chance of an attacker knowing what to look for.
the code below:
c.getPublicKey().getEncoded()
it should be like this
c.getEncoded()
i think md5 check by keytool is check the certfile,not the publickey
I'm reading a lot since some weeks to implement an encrypt/decrypt algoritm for my Android application. I'm implementing a license key that is downloaded from my website and stored in the external storage of my Android device. the application read the content of the file and decrypt it using the server public key (yes i know that i should with client private key but it's ok for my purpose). The problem is that the final string has a lot of black square with question mark inside. i've read a lot of other posts here on stackoverflow, but i think that the "only" problem is that, even if there should be 10 chars in the string, the string is long 255 bytes (with 2048 bit RSA key) and the remaining chars are filled with black "". Why the newPlainText var is not long as "Hello World!" ? Here below my code... Many thanks in advance!
public boolean licenseValid() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException{
java.io.File file = new java.io.File(Environment.getExternalStorageDirectory().toString() ,
"/folder/file.lic");
byte[] fileBArray = new byte[(int)file.length()];
FileInputStream fis = new FileInputStream(file);
// Read in the bytes
int offset = 0;
int numRead = 0;
while (offset < fileBArray.length
&& (numRead=fis.read(fileBArray, offset, fileBArray.length-offset)) >= 0) {
offset += numRead;
}
// Ensure all the bytes have been read in
if (offset < fileBArray.length) {
throw new IOException("Could not completely read file "+file.getName());
}
fis.close();
// Decrypt the ciphertext using the public key
PublicKey pubKey = readKeyFromFile();
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.DECRYPT_MODE, pubKey);
byte[] newPlainText = cipher.doFinal(fileBArray);
// THE FOLLOWING TOAST PRINTS MANY <?> AND THAN THE DECRYPTED MESSAGE. THE TOTAL NUMBER OF CHARACTERS IS 255, EVEN IF I CHANGE ENCRYPTED TEXT!
toast(String.valueOf(cipher.doFinal(fileBArray).length));
if (new String(newPlainText, "utf-8").compareTo("Hello World!") == 0)
return true;
else
return false;
}
PublicKey readKeyFromFile() throws IOException {
Resources myResources = getResources();
//public key filename "pub.lic"
InputStream is = myResources.openRawResource(R.raw.pub);
ObjectInputStream oin =
new ObjectInputStream(new BufferedInputStream(is));
try {
BigInteger m = (BigInteger) oin.readObject();
BigInteger e = (BigInteger) oin.readObject();
RSAPublicKeySpec keySpec = new RSAPublicKeySpec(m, e);
KeyFactory fact = KeyFactory.getInstance("RSA");
PublicKey pubKey = fact.generatePublic(keySpec);
return pubKey;
} catch (Exception e) {
throw new RuntimeException("Spurious serialisation error", e);
} finally {
oin.close();
}
}
If you encrypt with RSA the input and output are always the same length as the key. In your case, that should be 256 bytes (=2048 bits), so first check your code, you are missing a byte.
When the input is shorter, you need to apply a padding, and it looks like your server and client are using a different one. Cipher.getInstance("RSA") will use the platform default, which is probably different for Android and Java SE. You need to specify the padding explicitly in both programs for this to work. Something like this:
Cipher cipher = Cipher.getInstance("RSA/None/PKCS1Padding");
BTW, you really don't want to distribute the private key with your app, so using the public key is the right thing to do. (Whether your whole encryption scheme is secure is another matter though).
I have a problem with SHA-1 performance on Android. In C# I get calculated hash in about 3s, same calculation for Android takes about 75s. I think the problem is in reading operation from file, but I'm not sure how to improve performance.
Here's my hash generation method.
private static String getSHA1FromFileContent(String filename)
{
try
{
MessageDigest digest = MessageDigest.getInstance("SHA-1");
//byte[] buffer = new byte[65536]; //created at start.
InputStream fis = new FileInputStream(filename);
int n = 0;
while (n != -1)
{
n = fis.read(buffer);
if (n > 0)
{
digest.update(buffer, 0, n);
}
}
byte[] digestResult = digest.digest();
return asHex(digestResult);
}
catch (Exception e)
{
return null;
}
}
Any ideas how can I improve performance?
I tested it on my SGS (i9000) and it took 0.806s to generate the hash for a 10.1MB file.
Only difference is that in my code i am using BufferedInputStream in addition to the FileInputStream and the hex conversion library found at:
http://apachejava.blogspot.com/2011/02/hexconversions-convert-string-byte-byte.html
Also I would suggest that you close your file input stream in a finally clause
If I were you I would use the JNI like this guy did and get the speed up that way. This is exactly what the C interface was made for.