  1. Minecraft: Java Edition
  2. MC-40297

Server-id used in authentication is not a valid SHA-1 hash


    • Bug
    • Resolution: Awaiting Response
    • None
    • Minecraft 1.7.2, Minecraft 1.7.4, Minecraft 1.8, Minecraft 1.8.1-pre3
    • None
    • Debian 7 Wheezy
      Oracle Java 7
    • Unconfirmed

      Online-mode Minecraft servers in 1.7.2 authenticate to the session servers provided by Mojang. The client is expected to post that it is joining the server, while the server checks whether the client has joined.

      The serverId given in the GET parameters for this request is expected to be a SHA-1 hash of the provided server key, shared secret, and X509-encoded public key. The only issue with this is that the SHA-1 hash's bytes are not encoded properly to hexadecimal (or Base 16), and are instead a completely incorrectly formatted 40-character hexadecimal string that can even start with a negative sign and become 41 characters.

      The reason this bug occurs is Mojang's use of BigInteger as a form of encoding the SHA-1 byte array to hexadecimal. BigInteger must be initialized with the following constructor, with signum set to 1, to produce a correct hexadecimal string.

      public BigInteger(int signum, byte[] magnitude);

      Surely this was an oversight as this code was created a very long time ago, and I'd like to see it fixed.

      Thanks.

      EDIT: Also be sure to add padding at the beginning of the SHA-1 string as BigInteger can return a string length of 39.
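
The difference the report describes, shown as an added example; this is not Mojang's code or the reporter's. The class and method names are hypothetical and the hashed inputs are constructed strings, not real server keys or secrets.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration; class and method names are hypothetical.
public class ServerIdHexDemo {

    // Signed interpretation: BigInteger(byte[]) reads the digest as two's complement,
    // so a digest with its top bit set becomes a negative number.
    static String signedHex(byte[] digest) {
        return new BigInteger(digest).toString(16);
    }

    // Unsigned interpretation with signum 1, then left-padded with zeros because
    // toString(16) drops leading zero digits.
    static String paddedUnsignedHex(byte[] digest) {
        String hex = new BigInteger(1, digest).toString(16);
        StringBuilder out = new StringBuilder();
        for (int i = hex.length(); i < digest.length * 2; i++) {
            out.append('0');
        }
        return out.append(hex).toString();
    }

    public static void main(String[] args) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        boolean shownNegative = false, shownShort = false;
        // Constructed inputs: hash arbitrary strings until both failure cases appear.
        for (int i = 0; !(shownNegative && shownShort); i++) {
            byte[] digest = sha1.digest(("constructed-input-" + i).getBytes(StandardCharsets.UTF_8));
            String signed = signedHex(digest);
            boolean negative = signed.startsWith("-");
            boolean tooShort = !negative && signed.length() < 40;
            if ((negative && !shownNegative) || (tooShort && !shownShort)) {
                System.out.println((negative ? "negative" : "short   ") + " signed:   "
                        + signed + " (" + signed.length() + " chars)");
                System.out.println("         unsigned: " + paddedUnsignedHex(digest));
                shownNegative |= negative;
                shownShort |= tooShort;
            }
        }
    }
}
```

Any third-party implementation that must interoperate with the existing serverId has to reproduce the signed form, since client and server compare the same string.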

            Unassigned
            Robert Coelho