_posts/2017-10-04-the-case-of-the-different.html - infrastructure-blogs-archive - Git at Google

 ---
 layout: post
 status: PUBLISHED
 published: true
 title: The case of the different jsch 0.1.54 binaries
 id: 332b977b-fcfc-40a7-b7ab-ac001a8a0478
 date: '2017-10-04 13:17:07 -0400'
 categories: netbeans
 tags:
 - security
 - review
 permalink: netbeans/entry/the-case-of-the-different
 ---
 <p>
 As part of the Apache NetBeans IP clearance we are combing through all the code and dependencies.</p>
 <p>
 One interesting thing we bumped into was that the jsch 0.1.54 binary JAR we are using has a different hash (and size) than the binary JAR from Maven Central.</p>
 <p>
 The old hash is 0D7D8ABA0D11E8CD2F775F47CD3A6CFBF2837DA4, the new one is DA3584329A263616E277E15462B387ADDD1B208D.</p>
 <p>
 The binaries are 278,612 bytes vs 280,515 bytes in Maven Central.</p>
 <p>
 Our version is actually the same as the one found on <a href="http://www.jcraft.com/jsch/">http://www.jcraft.com/jsch/</a></p>
 <p>
 Also, the Maven JAR is properly signed with the author's CA7FA1F0 key.</p>
 <p>
 This is where it becomes clear that <a href="https://reproducible-builds.org/">reproducible builds</a> are important. You do not want to have to wonder why a binary differs, especially years later when you are doing a review. And this one is a library doing SSH!</p>
 <p>
 So, why the different binaries?</p>
 <p>
 It seems the original JAR was compiled on Aug 30, 2016 with Java 1.4 (major version 48) while the Maven Central JAR was compiled Sep 3, 2016 with Java 5 (major version 49).</p>
 <p>
 The original JAR also concatenates strings using <code>StringBuffer</code> while the Maven Central JAR uses the newly introduced in 1.5 <code>StringBuilder</code>. Which should also be a bit faster since it's not synchronized.</p>
 <p>
 Next, most of the cypher classes use some reflection via a <code>static java.lang.Class class$(java.lang.String)</code> method.</p>
 <p>
 What is this? It's just the way class literals worked in Java 1.4. As explained <a href="https://blogs.oracle.com/sundararajan/class-literals-in-jdk-15">here</a>, in Java 5 the <code>ldc_w</code> instruction was introduced to load a <code>Class</code> object.</p>
 <p>
 In 1.4 the class literal was helped by the compiler by actually introducing the helper <code>Class class$(java.lang.String className)</code> method and replacing the <code>Person.class</code> with a <code>class$("Person")</code> call.</p>
 <p>
 It conclusion, it seems that excluding the Java 1.4 to Java 5 compiler changes, the two JARs are identical. With the Maven Central JAR even a bit better due to <code>StringBuilder</code> being used.</p>
 <p>
 There is no check so far that the sources do produce the specific JAR. This is an exercise left for the reader.</p>
	---
	layout: post
	status: PUBLISHED
	published: true
	title: The case of the different jsch 0.1.54 binaries
	id: 332b977b-fcfc-40a7-b7ab-ac001a8a0478
	date: '2017-10-04 13:17:07 -0400'
	categories: netbeans
	tags:
	- security
	- review
	permalink: netbeans/entry/the-case-of-the-different
	---
	<p>
	As part of the Apache NetBeans IP clearance we are combing through all the code and dependencies.</p>
	<p>
	One interesting thing we bumped into was that the jsch 0.1.54 binary JAR we are using has a different hash (and size) than the binary JAR from Maven Central.</p>
	<p>
	The old hash is 0D7D8ABA0D11E8CD2F775F47CD3A6CFBF2837DA4, the new one is DA3584329A263616E277E15462B387ADDD1B208D.</p>
	<p>
	The binaries are 278,612 bytes vs 280,515 bytes in Maven Central.</p>
	<p>
	Our version is actually the same as the one found on <a href="http://www.jcraft.com/jsch/">http://www.jcraft.com/jsch/</a></p>
	<p>
	Also, the Maven JAR is properly signed with the author's CA7FA1F0 key.</p>
	<p>
	This is where it becomes clear that <a href="https://reproducible-builds.org/">reproducible builds</a> are important. You do not want to have to wonder why a binary differs, especially years later when you are doing a review. And this one is a library doing SSH!</p>
	<p>
	So, why the different binaries?</p>
	<p>
	It seems the original JAR was compiled on Aug 30, 2016 with Java 1.4 (major version 48) while the Maven Central JAR was compiled Sep 3, 2016 with Java 5 (major version 49).</p>
	<p>
	The original JAR also concatenates strings using <code>StringBuffer</code> while the Maven Central JAR uses the newly introduced in 1.5 <code>StringBuilder</code>. Which should also be a bit faster since it's not synchronized.</p>
	<p>
	Next, most of the cypher classes use some reflection via a <code>static java.lang.Class class$(java.lang.String)</code> method.</p>
	<p>
	What is this? It's just the way class literals worked in Java 1.4. As explained <a href="https://blogs.oracle.com/sundararajan/class-literals-in-jdk-15">here</a>, in Java 5 the <code>ldc_w</code> instruction was introduced to load a <code>Class</code> object.</p>
	<p>
	In 1.4 the class literal was helped by the compiler by actually introducing the helper <code>Class class$(java.lang.String className)</code> method and replacing the <code>Person.class</code> with a <code>class$("Person")</code> call.</p>
	<p>
	It conclusion, it seems that excluding the Java 1.4 to Java 5 compiler changes, the two JARs are identical. With the Maven Central JAR even a bit better due to <code>StringBuilder</code> being used.</p>
	<p>
	There is no check so far that the sources do produce the specific JAR. This is an exercise left for the reader.</p>