- Bug
- Resolution: Duplicate
- P3
- None
- 11.0.1
- x86_64
- windows_7
ADDITIONAL SYSTEM INFORMATION :
Compiler: javac 1.8.0_191
JRE -8 : java version "1.8.0_191"
Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.191-b12, mixed mode)
JRE-11 : java version "11.0.1" 2018-10-16 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.1+13-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.1+13-LTS, mixed mode)
A DESCRIPTION OF THE PROBLEM :
java.security.KeyPairGenerator.initialize(int, SecureRandom) does not use the given source of randomness (SecureRandom object).
REGRESSION : Last worked in version 8u191
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
* Compile the given program using JDK 8
* Run using JRE 8. Prints a non-zero value (expected)
* Run using JRE 11. Prints zero (not expected)
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
KeyPairGenerator must use the supplied source of randomness.
ACTUAL -
Under JRE 11, KeyPairGenerator does not use the given source of randomness.
Instead it uses the value supplied by sun.security.jca.JCAUtil.getSecureRandom().
When sun.security.rsa.RSAKeyPairGenerator.initialize(int, SecureRandom) delegates to
sun.security.rsa.RSAKeyPairGenerator.initialize(AlgorithmParameterSpec params, SecureRandom random), the last parameter is explicitly passed as a null value.
From RSAKeyPairGenerator.java:
    public void initialize(int keySize, SecureRandom random) {
        try {
            initialize(new RSAKeyGenParameterSpec(keySize,
                    RSAKeyGenParameterSpec.F4), null);
        } catch (InvalidAlgorithmParameterException iape) {
            throw new InvalidParameterException(iape.getMessage());
        }
    }
---------- BEGIN SOURCE ----------
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.SecureRandomSpi;
import java.util.concurrent.atomic.AtomicInteger;

@SuppressWarnings("null")
public class Test
{
    public static void main(String[] args) throws Exception
    {
        // Counts every request for random bytes or seed material.
        AtomicInteger usageCount = new AtomicInteger();
        SecureRandom delegate = new SecureRandom();

        // SPI that forwards to the platform SecureRandom and records each use.
        class TestSecureRandomSpi extends SecureRandomSpi
        {
            @Override
            protected void engineSetSeed(byte[] seed)
            {
                delegate.setSeed(seed);
            }

            @Override
            protected void engineNextBytes(byte[] bytes)
            {
                usageCount.incrementAndGet();
                delegate.nextBytes(bytes);
            }

            @Override
            protected byte[] engineGenerateSeed(int numBytes)
            {
                usageCount.incrementAndGet();
                return delegate.generateSeed(numBytes);
            }
        }

        class TestSecureRandom extends SecureRandom
        {
            TestSecureRandom()
            {
                super(new TestSecureRandomSpi(), delegate.getProvider());
            }
        }

        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048, new TestSecureRandom());
        keyPairGenerator.generateKeyPair();
        // Zero means the supplied SecureRandom was never consulted.
        System.out.println(usageCount.get());
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
None.
FREQUENCY : always
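An added check, not part of the original report or of the JDK sources: it counts how often a caller-supplied SecureRandom is consulted for each of the two initialize overloads named above, so the behaviour can be confirmed on a given runtime. The names RandomUsageCheck and CountingRandom are hypothetical; whether the AlgorithmParameterSpec overload honours the supplied source on an affected build is what the program measures, not something the report states.

```java
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.spec.RSAKeyGenParameterSpec;
import java.util.concurrent.atomic.AtomicInteger;

public class RandomUsageCheck {
    // Hypothetical helper: counts every request for bytes, then serves it
    // from the platform default implementation.
    static final class CountingRandom extends SecureRandom {
        final AtomicInteger calls = new AtomicInteger();

        @Override
        public void nextBytes(byte[] bytes) {
            calls.incrementAndGet();
            super.nextBytes(bytes);
        }
    }

    // Path from the report: initialize(int, SecureRandom).
    static int callsViaIntOverload(int keySize) throws Exception {
        CountingRandom rnd = new CountingRandom();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(keySize, rnd);
        kpg.generateKeyPair();
        return rnd.calls.get();
    }

    // Calls initialize(AlgorithmParameterSpec, SecureRandom) directly,
    // skipping the delegation step the report quotes.
    static int callsViaSpecOverload(int keySize) throws Exception {
        CountingRandom rnd = new CountingRandom();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(new RSAKeyGenParameterSpec(keySize, RSAKeyGenParameterSpec.F4), rnd);
        kpg.generateKeyPair();
        return rnd.calls.get();
    }

    public static void main(String[] args) throws Exception {
        int viaInt = callsViaIntOverload(2048);
        int viaSpec = callsViaSpecOverload(2048);
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("initialize(int, SecureRandom) calls:  " + viaInt);
        System.out.println("initialize(spec, SecureRandom) calls: " + viaSpec);
        if (viaInt == 0) {
            System.out.println("Supplied SecureRandom ignored by the int overload.");
        }
    }
}
```

A zero count for the int overload means keys were generated from the JDK's default source rather than the one the caller configured, which matters wherever the random source is mandated (for example a specific DRBG or a hardware-backed provider).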
- duplicates
- JDK-8211049 Second parameter of "initialize" method is not used
- Closed