-
Bug
-
Resolution: Not an Issue
-
P3
-
None
-
7u6
-
x86
-
os_x
FULL PRODUCT VERSION :
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
vs
java version "1.6.0_65"
Java(TM) SE Runtime Environment (build 1.6.0_65-b14-462-11M4609)
Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-462, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Mac OS X version 10.9.1
Darwin cville-macbook-pro-2011.local 13.0.0 Darwin Kernel Version 13.0.0: Thu Sep 19 22:22:27 PDT 2013; root:xnu-2422.1.72~6/RELEASE_X86_64 x86_64
A DESCRIPTION OF THE PROBLEM :
Diffie-Hellman KeyAgreement.generateSecret() may produce a different result on a Java 6 client talking to a Java 7 server, or a Java 7 server talking to a Java 6 client. It seems that that Java 6 version will strip leading 0s, but the Java 7 version will not.
This makes it somewhat tricky to use for key agreement.
REGRESSION. Last worked in version 6u45
ADDITIONAL REGRESSION INFORMATION:
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
vs
java version "1.6.0_65"
Java(TM) SE Runtime Environment (build 1.6.0_65-b14-462-11M4609)
Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-462, mixed mode)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Generate two Diffie-Hellman key pairs using the same parameters.
Use one key from each with a KeyAgreement object in the usual way.
Evaluate KeyAgreement.generateSecret().
Repeat this process many times.
(This is done by the source code below.)
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
I expect Java 6 and Java 7 to show the same results.
ACTUAL -
Instead, only Java 7 will show results with leading 0 bytes.
Using the source code below, with Java 7 the program will terminate, in a few seconds on my machine; with Java 6 the program apparently never terminates.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.KeyAgreement;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
public class DiffieHellmanTester {
public static void main(String[] args) throws Exception {
while(true) {
KeyPairGenerator clientKeyPairGenerator = KeyPairGenerator.getInstance("DH");
clientKeyPairGenerator.initialize(1024);
KeyPair clientKeyPair = clientKeyPairGenerator.generateKeyPair();
DHParameterSpec dhSpec = ((DHPublicKey)clientKeyPair.getPublic()).getParams();
KeyPairGenerator serverKeyPairGenerator = KeyPairGenerator.getInstance("DH");
serverKeyPairGenerator.initialize(dhSpec);
KeyPair serverKeyPair = serverKeyPairGenerator.generateKeyPair();
KeyAgreement ka = KeyAgreement.getInstance("DH");
ka.init(serverKeyPair.getPrivate());
ka.doPhase(clientKeyPair.getPublic(), true);
byte secret[] = ka.generateSecret();
if(secret[0]==0) {
System.out.println("Secret has leading 0");
return;
}
}
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Patch servers and clients to manually strip leading 0 bytes from the results of KeyAgreement.generateSecret().
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
vs
java version "1.6.0_65"
Java(TM) SE Runtime Environment (build 1.6.0_65-b14-462-11M4609)
Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-462, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Mac OS X version 10.9.1
Darwin cville-macbook-pro-2011.local 13.0.0 Darwin Kernel Version 13.0.0: Thu Sep 19 22:22:27 PDT 2013; root:xnu-2422.1.72~6/RELEASE_X86_64 x86_64
A DESCRIPTION OF THE PROBLEM :
Diffie-Hellman KeyAgreement.generateSecret() may produce a different result on a Java 6 client talking to a Java 7 server, or a Java 7 server talking to a Java 6 client. It seems that that Java 6 version will strip leading 0s, but the Java 7 version will not.
This makes it somewhat tricky to use for key agreement.
REGRESSION. Last worked in version 6u45
ADDITIONAL REGRESSION INFORMATION:
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
vs
java version "1.6.0_65"
Java(TM) SE Runtime Environment (build 1.6.0_65-b14-462-11M4609)
Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-462, mixed mode)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Generate two Diffie-Hellman key pairs using the same parameters.
Use one key from each with a KeyAgreement object in the usual way.
Evaluate KeyAgreement.generateSecret().
Repeat this process many times.
(This is done by the source code below.)
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
I expect Java 6 and Java 7 to show the same results.
ACTUAL -
Instead, only Java 7 will show results with leading 0 bytes.
Using the source code below, with Java 7 the program will terminate, in a few seconds on my machine; with Java 6 the program apparently never terminates.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.KeyAgreement;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
public class DiffieHellmanTester {
public static void main(String[] args) throws Exception {
while(true) {
KeyPairGenerator clientKeyPairGenerator = KeyPairGenerator.getInstance("DH");
clientKeyPairGenerator.initialize(1024);
KeyPair clientKeyPair = clientKeyPairGenerator.generateKeyPair();
DHParameterSpec dhSpec = ((DHPublicKey)clientKeyPair.getPublic()).getParams();
KeyPairGenerator serverKeyPairGenerator = KeyPairGenerator.getInstance("DH");
serverKeyPairGenerator.initialize(dhSpec);
KeyPair serverKeyPair = serverKeyPairGenerator.generateKeyPair();
KeyAgreement ka = KeyAgreement.getInstance("DH");
ka.init(serverKeyPair.getPrivate());
ka.doPhase(clientKeyPair.getPublic(), true);
byte secret[] = ka.generateSecret();
if(secret[0]==0) {
System.out.println("Secret has leading 0");
return;
}
}
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Patch servers and clients to manually strip leading 0 bytes from the results of KeyAgreement.generateSecret().