JDK-8222520

Signature.initSign(PrivateKey) should explicitly state that SecureRandom is not reset


      A DESCRIPTION OF THE PROBLEM :
      Calling on the same java.security.Signature instance
      initSign(PrivateKey, SecureRandom)
      and afterwards
      initSign(PrivateKey)
      does not clear the set SecureRandom from the first method call.

      Technically this is described by the documentation:
      "If this method is called again with a different argument, it negates the effect of this call."
      with emphasis on "this method" and "this call"

      However, just based on the method name you might not expect the previously set SecureRandom to remain. Therefore it would be good to explicitly describe this behavior (in case it is intended).


      Reproduction code:
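      import java.security.InvalidKeyException;
      import java.security.KeyPair;
      import java.security.KeyPairGenerator;
      import java.security.NoSuchAlgorithmException;
      import java.security.PrivateKey;
      import java.security.SecureRandom;
      import java.security.SecureRandomSpi;
      import java.security.Signature;
      import java.security.SignatureException;

      // Wrapper class so the snippet compiles as a single file (the class name is chosen here)
      public class SignatureInitSignRepro {
          public static void main(String[] args) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
              Signature signature = Signature.getInstance("SHA1withDSA");

              KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA");
              keyPairGenerator.initialize(1024);

              KeyPair keyPair = keyPairGenerator.genKeyPair();

              PrivateKey privateKey = keyPair.getPrivate();
              signature.initSign(privateKey, new ThrowingSecureRandom());

              // Calling initSign again, possibly expecting the SecureRandom to be reset as well,
              // but the previously set ThrowingSecureRandom is still in place
              signature.initSign(privateKey);

              signature.update(new byte[10]);
              // Throws RuntimeException("signature test") when the ThrowingSecureRandom is still used
              signature.sign();
          }

          // SecureRandom whose SPI throws on every use, to reveal which RNG the signature consults
          @SuppressWarnings("serial")
          private static class ThrowingSecureRandom extends SecureRandom {
              public ThrowingSecureRandom() {
                  super(
                      new SecureRandomSpi() {
                          @Override
                          protected void engineSetSeed(byte[] seed) {
                              throw new RuntimeException("signature test");
                          }

                          @Override
                          protected void engineNextBytes(byte[] bytes) {
                              throw new RuntimeException("signature test");
                          }

                          @Override
                          protected byte[] engineGenerateSeed(int numBytes) {
                              throw new RuntimeException("signature test");
                          }
                      },
                      new SecureRandom().getProvider()
                  );
              }
          }
      }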


            jnimeh Jamil Nimeh
            webbuggrp Webbug Group
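A way to check on a given JDK whether an earlier SecureRandom survives `initSign(PrivateKey)`, together with two ways to avoid inheriting it: pass a SecureRandom explicitly, or use a fresh Signature instance. This is an added example, not part of the original report or of the JDK sources; `InitSignRandomCheck`, `CountingSecureRandom` and `signFresh` are hypothetical names, and the algorithm and key size are copied from the reproduction code above.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Signature;

public class InitSignRandomCheck {
    // Hypothetical probe: a working SecureRandom that counts how often it is asked for bytes.
    @SuppressWarnings("serial")
    static class CountingSecureRandom extends SecureRandom {
        int calls;
        @Override
        public void nextBytes(byte[] bytes) {
            calls++;
            super.nextBytes(bytes);
        }
    }

    // Signs with a new Signature object, so no SecureRandom from an earlier initSign can carry over.
    static byte[] signFresh(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA1withDSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(1024); // same key size as the reproduction code
        PrivateKey key = kpg.genKeyPair().getPrivate();
        byte[] data = new byte[10];

        CountingSecureRandom probe = new CountingSecureRandom();
        Signature reused = Signature.getInstance("SHA1withDSA");
        reused.initSign(key, probe);
        reused.initSign(key); // the one-argument call from the report
        reused.update(data);
        reused.sign();
        System.out.println("probe used after initSign(key): " + (probe.calls > 0));

        int before = probe.calls;
        reused.initSign(key, new SecureRandom()); // explicit replacement of the RNG
        reused.update(data);
        reused.sign();
        signFresh(key, data); // fresh instance never saw the probe
        System.out.println("probe used after replacement or by fresh instance: " + (probe.calls > before));
    }
}
```

On a JDK that behaves as described in the report, the first line reports that the probe was still consulted after the one-argument `initSign`.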