The question is simple: when should I call the reset () function in the java MessageDigest class?
The question mostly comes from the OWASP link , where in the sample code they do:
MessageDigest digest = MessageDigest.getInstance("SHA-1");
digest.reset();
digest.update(salt);
byte[] input = digest.digest(password.getBytes("UTF-8"));
then in a loop they do:
for (int i = 0; i < iterationNb; i++) {
digest.reset();
input = digest.digest(input);
}
Now it seems to me that reset is required only after the digest instance has already been "polluted" by the calls to update. Therefore, the first sample is not necessary. If necessary, is this a sign that the instance returned by MessageDigest.getInstance is not thread safe?