Sun, 7 Nov 2010 13:27:08 +0000 (UTC), /Steve Crook/:
private static String sha256(byte[] password, byte[] iv) {
try {
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(iv);
byte[] hash = md.digest(password);
return byteArrayToHexString(hash);
} catch (NoSuchAlgorithmException nsae) {
}
return "foobar";
}
This seems downright ugly though and is probably also evil. As the
exception never happens though, because there is such an algorithm as
"SHA-256", perhaps it is correct. Argh, brain ache! :)
I think the documentation of MessageDigest.getInstance(String) is clear
enough
<http://download.oracle.com/javase/6/docs/api/java/security/MessageDigest.html#getInstance%28java.lang.String%29>:
Throws:
NoSuchAlgorithmException - if no Provider supports a
MessageDigestSpi implementation for the specified algorithm.
So in theory the code could run in an environment where no "SHA-256"
provider is supplied. If your application accepts this for granted, and
the lack of "SHA-256" provider should be considered a serious
configuration omission, you could at least throw an AssertionError you
don't need to explicitly handle in intermediate calls (but may be at
some top-level, or just leave the JVM/current thread terminate):
private static String sha256(byte[] password, byte[] iv) {
try {
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(iv);
byte[] hash = md.digest(password);
return byteArrayToHexString(hash);
} catch (NoSuchAlgorithmException nsae) {
throw new AssertionError(nsae);
}
}
You should not "swallow" the original exception as causing the program
to continue as if there was no error and returning a bogus result would
cause more severe errors for your application.
RuntimeException to AssertionError. Shouldn't AssertionError mean that
surprised to see it in a run with assertion checking disabled. An Error,