getContentMd5() of blob returns encrypted MD5 value due to SERVER SIDE ENCRYPTION TRUE by default on azure storage side? #17477

Closed
harisingh-highq opened this issue Nov 11, 2020 · 9 comments
Labels
customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Storage Storage Service (Queues, Blobs, Files)

Comments

@harisingh-highq

Hi
I found the case when we get MD5 of blob file using blobClient.getProperties().getContentMd5(), will it return encrypted MD5 of blob due to SERVER SIDE ENCRYPTION TRUE by default on azure storage side?

Below is code snippet:-

    blobClient.upload(bin, length);

    BlobProperties prop = blobClient.getProperties();
    java.security.MessageDigest md5 = java.security.MessageDigest.getInstance("MD5");
    md5.update(prop.getContentMd5());
    byte[] encrBytes = md5.digest();
    StringBuilder encrHash = new StringBuilder();
    for (int i = 0; i < encrBytes.length; i++) {
        encrHash.append(Integer.toString((encrBytes[i] & 0xff) + 0x100, 16).substring(1));
    }

Above StringBuilder encrHash value does not match with if I download same file from azure UI and calculate MD5 of downloaded file in local system.

Is it valid behavior?

OR below logic of converting byte array of getContentMd5() to string builder is wrong from my side?


Can you please help me to sort out this issue?

@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Nov 11, 2020
@harisingh-highq harisingh-highq changed the title getContentMd5() of blob returns encrypted MD5 from azure storage getContentMd5() of blob returns encrypted MD5 value due to SERVER SIDE ENCRYPTION TRUE by default on azure storage side? Nov 11, 2020
@gapra-msft
Member

Hi @harisingh-highq

Thanks for posting this question.

I've linked a sample from our tests to clarify how to validate the contentMd5 returned from the server.
"defaultText" is just a placeholder for the data. So you will need to replace that with the actual data you are calculating the md5 for.

Hope that helps!

@gapra-msft gapra-msft added the Storage Storage Service (Queues, Blobs, Files) label Nov 12, 2020
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Nov 12, 2020
@harisingh-highq
Author

harisingh-highq commented Nov 21, 2020

I upload same file in azure storage and cloudian S3 storage. It gives me different MD5 value of same file in different storage.
Is it valid behaviour?

In azure blob storage, I'm getting MD5 value using azure-storage-blob sdk as per below code:-

    java.security.MessageDigest md5 = java.security.MessageDigest.getInstance("MD5");
    md5.update(prop.getContentMd5());
    byte[] encrBytes = md5.digest();
    StringBuilder md5Hash = new StringBuilder();
    for (int i = 0; i < encrBytes.length; i++) {
        md5Hash.append(Integer.toString((encrBytes[i] & 0xff) + 0x100, 16).substring(1));
    }

In cloudian S3 storage, I'm getting MD5 value using aws-java-sdk-s3 sdk as per below code:-

    String md5Hash = amazonS3Client.getObjectMetadata(bucketName, fileName).getETag();

Can anyone help me into this?

@harisingh-highq
Author

harisingh-highq commented Nov 21, 2020

@gapra-msft
Thank you for sharing sample code.

My concern is Azure stored file has different MD5 checksum than local file??

If I compare Azure uploaded file contentMD5 with local same file MD5, it is not matched. Is it valid behavior?

@gapra-msft
Member

Hi @harisingh-highq

How are you calculating the md5 of the local file?

In the code you shared above, it seems like you are calculating the md5 of the md5, rather than the data itself, which could be why you are seeing discrepancies

@harisingh-highq
Author

harisingh-highq commented Nov 24, 2020

Hi @gapra-msft
Thank you for quick response.

FYI, I calculate local file MD5 with online utility OR using command prompt

I tried with below code, none of them matches the local file MD5:-

1st Try:-

    java.security.MessageDigest md5 = java.security.MessageDigest.getInstance("MD5");
    md5.update(blobClient.getProperties().getContentMd5());
    StringBuilder uploadedFileMD5 = new StringBuilder();
    if (md5 != null) {
        for (byte b : md5.digest()) {
            uploadedFileMD5.append(String.format("%02x", b));
        }
    }

2nd Try:-

    BlobProperties prop = blobClient.getProperties();
    String uploadedFileMD5 = Base64.encodeBase64String(prop.getContentMd5());

3rd Try:-

    BlobProperties prop = blobClient.getProperties();
    String uploadedFileMD5 = Base64.encodeBase64String(MessageDigest.getInstance("MD5").digest(prop.getContentMd5()));

@gapra-msft
Member

@harisingh-highq

Thank you for the extra information. I wrote a small sample script to verify that the service is indeed computing the md5 correctly. It looks like the cert util tool returns the md5 as a hex encoded string of the md5 bytes. The SDK simply returns the raw bytes. So to make them match, you need to convert one of them.

I've attached a sample below. Hope this helps!

    import java.io.IOException;

    import com.azure.storage.blob.BlobClient;
    import com.azure.storage.blob.BlobContainerClient;
    import com.azure.storage.blob.BlobServiceClient;
    import com.azure.storage.blob.BlobServiceClientBuilder;
    import com.azure.storage.common.StorageSharedKeyCredential;

    public class ContentMd5Sample { // wrapper class name added so the sample compiles

        private static final String account = "XX";
        private static final String url = "https://XX.blob.core.windows.net"; // HTTPS endpoint
        private static final String key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
        private static final String container = "XXXXXXXXXXX";
        private static final String blob = "XXXXXXXXXXXXXXXXXXXXXX";

        private static final String certUtilMD5 = "XXXXXXXXXXXXXXXXXXX"; // This is the hex representation of the md5 as a string
        private static final char[] HEX_ARRAY = "0123456789abcdef".toCharArray();

        public static void main(String[] args) throws IOException, InterruptedException {

            final StorageSharedKeyCredential credential = new StorageSharedKeyCredential(account, key);

            BlobServiceClient serviceClient = new BlobServiceClientBuilder()
                    .credential(credential)
                    .endpoint(url)
                    .buildClient();

            BlobContainerClient containerClient = serviceClient.getBlobContainerClient(container);

            BlobClient blobClient = containerClient.getBlobClient(blob);

            // Raw MD5 digest bytes of the blob content, as stored by the service
            byte[] contentMd5 = blobClient.getProperties().getContentMd5();

            // Hex-encode the raw bytes directly; do not hash them again
            char[] hexChars = new char[contentMd5.length * 2];
            for (int j = 0; j < contentMd5.length; j++) {
                int v = contentMd5[j] & 0xFF;
                hexChars[j * 2] = HEX_ARRAY[v >>> 4];
                hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F];
            }
            System.out.println(new String(hexChars));
            System.out.println(certUtilMD5);
        }
    }
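
Added example (not part of the original thread or of the Azure SDK): the three attempts discussed above, reproduced offline so the difference between encoding a digest and hashing it again is visible. The locally computed digest stands in for the `byte[]` returned by `getContentMd5()`; the class name, helper methods and sample content are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class ContentMd5Compare {
    // Hex-encode raw digest bytes (the textual form a local checksum tool prints).
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Decode a hex string back to raw bytes; tolerates spaces and upper case.
    static byte[] fromHex(String hex) {
        String s = hex.replace(" ", "").toLowerCase();
        if (s.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static byte[] md5(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(data);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample content; stands in for the uploaded file.
        byte[] fileBytes = "sample blob content".getBytes(StandardCharsets.UTF_8);
        // Stand-in for blobClient.getProperties().getContentMd5(): 16 raw bytes.
        byte[] contentMd5 = md5(fileBytes);

        String localHex = toHex(md5(fileBytes));                        // local tool form
        String base64 = Base64.getEncoder().encodeToString(contentMd5); // "2nd try" form
        String hashedAgain = toHex(md5(contentMd5));                    // "1st try": MD5 of the MD5
        System.out.println("hex of contentMd5    : " + toHex(contentMd5));
        System.out.println("base64 of contentMd5 : " + base64);
        System.out.println("md5(contentMd5) hex  : " + hashedAgain);

        // Normalise every representation to raw bytes before comparing.
        System.out.println("hex matches    : " + MessageDigest.isEqual(contentMd5, fromHex(localHex)));
        System.out.println("base64 matches : " + MessageDigest.isEqual(contentMd5, Base64.getDecoder().decode(base64)));
        System.out.println("rehash matches : " + MessageDigest.isEqual(contentMd5, fromHex(hashedAgain)));
    }
}
```

The hex and Base64 strings look different but decode to the same 16 bytes, so both compare equal; only the value that was hashed a second time fails the comparison.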

@gapra-msft
Member

This should also resolve your other issue #17758

@harisingh-highq
Author

Hi @gapra-msft

I would like to inform you that now local file MD5 and azure store file MD5 is getting matched with above solution.

Thank you so much for detailed solution. Really your help is appreciable.

@gapra-msft
Member

@harisingh-highq Great to hear! Since your issue seems to have been resolved, I will go ahead and close this issue.

openapi-sdkautomation bot pushed a commit to AzureSDKAutomation/azure-sdk-for-java that referenced this issue Feb 7, 2022
Dev sentinel 2021 10 01 preview (Azure#17494)

@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023