-
Bug
-
Resolution: Unresolved
-
P4
-
None
-
8, 11, 12, 13
-
generic
-
generic
A DESCRIPTION OF THE PROBLEM :
Calling on the same java.security.Signature instances
initSign(PrivateKey, SecureRandom)
and afterwards
initSign(PrivateKey)
does not clear the set SecureRandom from the first method call.
Technically this is described by the documentation:
"If this method is called again with a different argument, it negates the effect of this call."
with emphasis on "this method" and "this call"
However, just based on the method name you might not expect the previously set SecureRandom to remain. Therefore it would be good to explicitly describe this behavior (in case it is intended).
Reproduction code:
public static void main(String[] args) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
Signature signature = Signature.getInstance("SHA1withDSA");
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA");
keyPairGenerator.initialize(1024);
KeyPair keyPair = keyPairGenerator.genKeyPair();
PrivateKey privateKey = keyPair.getPrivate();
signature.initSign(privateKey, new ThrowingSecureRandom());
// Calling initSign again, possibly expecting SecureRandom is reset as well
// But instead previously ThrowingSecureRandom is still set
signature.initSign(privateKey);
signature.update(new byte[10]);
signature.sign();
}
@SuppressWarnings("serial")
private static class ThrowingSecureRandom extends SecureRandom {
public ThrowingSecureRandom() {
super(
new SecureRandomSpi() {
@Override
protected void engineSetSeed(byte[] seed) {
throw new RuntimeException("signature test");
}
@Override
protected void engineNextBytes(byte[] bytes) {
throw new RuntimeException("signature test");
}
@Override
protected byte[] engineGenerateSeed(int numBytes) {
throw new RuntimeException("signature test");
}
},
new SecureRandom().getProvider()
);
}
}
Calling on the same java.security.Signature instances
initSign(PrivateKey, SecureRandom)
and afterwards
initSign(PrivateKey)
does not clear the set SecureRandom from the first method call.
Technically this is described by the documentation:
"If this method is called again with a different argument, it negates the effect of this call."
with emphasis on "this method" and "this call"
However, just based on the method name you might not expect the previously set SecureRandom to remain. Therefore it would be good to explicitly describe this behavior (in case it is intended).
Reproduction code:
public static void main(String[] args) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
Signature signature = Signature.getInstance("SHA1withDSA");
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA");
keyPairGenerator.initialize(1024);
KeyPair keyPair = keyPairGenerator.genKeyPair();
PrivateKey privateKey = keyPair.getPrivate();
signature.initSign(privateKey, new ThrowingSecureRandom());
// Calling initSign again, possibly expecting SecureRandom is reset as well
// But instead previously ThrowingSecureRandom is still set
signature.initSign(privateKey);
signature.update(new byte[10]);
signature.sign();
}
@SuppressWarnings("serial")
private static class ThrowingSecureRandom extends SecureRandom {
public ThrowingSecureRandom() {
super(
new SecureRandomSpi() {
@Override
protected void engineSetSeed(byte[] seed) {
throw new RuntimeException("signature test");
}
@Override
protected void engineNextBytes(byte[] bytes) {
throw new RuntimeException("signature test");
}
@Override
protected byte[] engineGenerateSeed(int numBytes) {
throw new RuntimeException("signature test");
}
},
new SecureRandom().getProvider()
);
}
}
- relates to
-
JDK-8215899 Document the Signature configuration order restriction
-
- Open
-
-
JDK-8352535 SecureRandom Not Used After Signature.initSign() Reinitialization
-
- Open
-