I have disabled use of the MD5 algorithm by adding the following to the $JAVA_HOME/lib/security/java.security file, but I am still able to run code that uses the MD5 algorithm.

    jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer
    jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024

But I am still able to run the following code that uses MD5:

    import java.math.BigInteger;
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    public class MD5 {
        public static String getMd5(String input)
        {
            try {
                // Static getInstance method is called with hashing MD5
                MessageDigest md = MessageDigest.getInstance("MD5");
                // digest() is called to calculate the message digest of the
                // input; it returns a byte array. UTF-8 is named explicitly so
                // the result does not depend on the platform default charset.
                byte[] messageDigest = md.digest(input.getBytes(StandardCharsets.UTF_8));
                // Convert byte array into signum representation
                BigInteger no = new BigInteger(1, messageDigest);
                // Convert message digest into hex value, left-padded to 32 digits
                String hashtext = no.toString(16);
                while (hashtext.length() < 32) {
                    hashtext = "0" + hashtext;
                }
                return hashtext;
            }
            // For specifying wrong message digest algorithms
            catch (NoSuchAlgorithmException e) {
                throw new RuntimeException(e);
            }
        }

        // Driver code
        public static void main(String args[]) throws NoSuchAlgorithmException
        {
            String s = "TESTFORMD%";
            System.out.println("Your HashCode Generated by MD5 is: " + getMd5(s));
        }
    }

Security policy configured in $JAVA_HOME/lib/security/java.security affects how JVM will handle security related functions; it has nothing to do with what algorithms you explicitly (try to) use in your code.

For example:

jdk.jar.disabledAlgorithms disables algorithms used to verify signed jar files
jdk.certpath.disabledAlgorithms disables algorithms used for certificates (also affects key lengths)
jdk.tls.disabledAlgorithms disables algorithms used for TLS cipher negotiation

So when you disable MD5 in security configuration, you are actually telling JVM not to use/trust MD5 for jar signing, certificates and TLS negotiation. The actual MD5 implementation is still there for you to use in MessageDigest.getInstance("MD5").
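
The scope described in this answer can be checked on a running JVM. The following is an added example, not code from the question or the answer: it prints the three properties, shows that a direct MessageDigest lookup for MD5 is unaffected by them, and gates digest selection in application code instead. The class name, the approvedDigest helper and the allow-list are assumptions made for illustration (Java 9 or later).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Locale;
import java.util.Set;

// Added illustration; class and method names are hypothetical.
public class DisabledAlgorithmScope {
    // The three properties from the question; each governs one JDK subsystem.
    static final String[] PROPS = {
        "jdk.certpath.disabledAlgorithms",   // certificate path validation
        "jdk.jar.disabledAlgorithms",        // signed JAR verification
        "jdk.tls.disabledAlgorithms"         // TLS negotiation
    };

    // Assumed application policy: the only digests the code base may request.
    static final Set<String> APPROVED = Set.of("SHA-256", "SHA-384", "SHA-512");

    // Application-level gate, since the properties above do not restrict MessageDigest.
    static MessageDigest approvedDigest(String algorithm) throws NoSuchAlgorithmException {
        if (!APPROVED.contains(algorithm.toUpperCase(Locale.ROOT))) {
            throw new NoSuchAlgorithmException(algorithm + " is not on the application allow-list");
        }
        return MessageDigest.getInstance(algorithm);
    }

    public static void main(String[] args) throws Exception {
        for (String p : PROPS) {
            System.out.println(p + " = " + Security.getProperty(p));
        }
        // Providers that register an MD5 MessageDigest, whatever the properties say.
        Provider[] md5 = Security.getProviders("MessageDigest.MD5");
        System.out.println("MD5 providers: " + (md5 == null ? 0 : md5.length));

        byte[] data = "constructed sample input".getBytes(StandardCharsets.UTF_8);
        // Direct JCA lookup: not checked against the disabledAlgorithms properties.
        System.out.println("MD5 bytes: " + MessageDigest.getInstance("MD5").digest(data).length);
        System.out.println("SHA-256 bytes: " + approvedDigest("SHA-256").digest(data).length);
        try {
            approvedDigest("MD5");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```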