I've blindly followed OWASP's recommendation on hash generation in java (see here), and I'm not sure I've done it correctly. Specifically, I'm unsure about the purpose and effect of MessageDigest.reset(), and therefore when and how to use it.
update()ing the digest several times with different values that altogether need to be signed. Should I reset() the digest beforehand? Or afterwards?reset() within the loop (see the example)?Here's my code:
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(salt);
md.update(payload1); // part 1 of payload
md.update(payload2); // part 2 of payload
md.update(serialNumber); // part 3 of payload
md.reset();
byte[] sig = md.digest();
for (int i=0; i<1000; i++) {
md.reset();
sig = md.digest(sig);
}
What I'm observing is that the signature remains the same even when serialNumber is changing. If I leave out the 'reset()' calls, the sig does change...
You only need to call reset if you have already used that instance of MessageDigest. reset is being called here to clear all previous settings.
MessageDigest.getInstance is a factory method rather than a singleton so has significant overhead attached.
From MessageDigest.getInstance:
A new MessageDigest object encapsulating the MessageDigestSpi implementation from the first Provider that supports the specified algorithm is returned.
So better to re-use and avoid the overhead of calling MessageDigest.getInstance again.