I have found the following example code (somewhere on the web, can't remember where):
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// ALGORITHM and HASH_ITERATIONS are not shown in the snippet; these values are assumed
static final String ALGORITHM = "SHA-256";
static final int HASH_ITERATIONS = 1000;

public static byte[] produce(final byte[] data)
        throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance(ALGORITHM);
    digest.reset();
    digest.update(data);               // feeds data into the digest
    byte[] ret = digest.digest(data);  // digest(byte[]) itself calls update(data) before finishing
    for (int i = 0; i < HASH_ITERATIONS; i++) {
        digest.reset();
        ret = digest.digest(ret);      // re-hash the previous result
    }
    return ret;
}
What bothers me is that the docs say that digest() already calls update() on its own with the passed input:
Performs a final update on the digest using the specified array of
bytes, then completes the digest computation. That is, this method
first calls update(input), passing the input array to the update
method, then calls digest().
Additionally, after the call to update(), the MessageDigest object's state becomes 1.
After a call to digest() (next in the code) it returns to simply 0.
Finally, when stepping through while debugging, I can clearly see that the data is being manipulated.
So, is it safe to remove the call to update()?
Note that I wouldn't bother anyone with that question if it weren't a big security issue.
Best Answer
You are right, it is safe to remove update in your code. And more, by calling update(data) and then calling digest(data) you are actually calculating the digest of a different message that contains data twice. I think it is not what you need.

The common use case of digest(byte[]) is calculation of the digest of a complete data block (i.e. a password). The update(byte[]) in pair with digest() is used when you need to calculate the digest of data coming in parts:
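An added example (not code from the question or the answer) that makes the answer's point checkable: the posted update(data) + digest(data) sequence produces the digest of data || data, not of data, and the corrected iterated hash needs only digest(). ALGORITHM, HASH_ITERATIONS and the input string are assumed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class DigestDemo {
    // Assumed values; the original snippet's constants are not on the page.
    static final String ALGORITHM = "SHA-256";
    static final int HASH_ITERATIONS = 1000;

    // The questioned form: update(data) followed by digest(data) feeds data twice.
    static byte[] asPosted(byte[] data) throws NoSuchAlgorithmException {
        MessageDigest d = MessageDigest.getInstance(ALGORITHM);
        d.update(data);
        return d.digest(data);
    }

    // What that form really computes: the digest of data || data.
    static byte[] concatenated(byte[] data) throws NoSuchAlgorithmException {
        byte[] twice = new byte[data.length * 2];
        System.arraycopy(data, 0, twice, 0, data.length);
        System.arraycopy(data, 0, twice, data.length, data.length);
        return MessageDigest.getInstance(ALGORITHM).digest(twice);
    }

    // Corrected iterated hash: digest(data) already performs the update,
    // and digest() resets the object, so no explicit reset() is needed.
    static byte[] produce(byte[] data) throws NoSuchAlgorithmException {
        MessageDigest d = MessageDigest.getInstance(ALGORITHM);
        byte[] ret = d.digest(data);
        for (int i = 0; i < HASH_ITERATIONS; i++) {
            ret = d.digest(ret);
        }
        return ret;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] data = "constructed-input".getBytes(StandardCharsets.UTF_8);   // constructed sample
        byte[] plain = MessageDigest.getInstance(ALGORITHM).digest(data);
        System.out.println("update+digest equals digest(data||data): "
                + Arrays.equals(asPosted(data), concatenated(data)));
        System.out.println("update+digest equals digest(data):       "
                + Arrays.equals(asPosted(data), plain));
        System.out.println("iterated digest length: " + produce(data).length);
    }
}
```

The first comparison comes out true and the second false, which is exactly why the extra update() call changes what the snippet hashes.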