-
Bug
-
Resolution: Fixed
-
P2
-
8u261, 11.0.8-oracle, 14.0.2, 15, 16
-
b31
-
generic
-
generic
-
Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8248993 | 16 | Valerie Peng | P2 | Resolved | Fixed | b05 |
JDK-8250149 | 15.0.2 | Valerie Peng | P2 | Resolved | Fixed | b01 |
JDK-8250448 | 15.0.1 | Valerie Peng | P2 | Resolved | Fixed | b03 |
JDK-8249112 | 14u-cpu | Valerie Peng | P2 | Resolved | Fixed | master |
JDK-8248920 | 14.0.2 | Valerie Peng | P2 | Closed | Fixed | b12 |
JDK-8249525 | 13.0.5 | Valerie Peng | P2 | Resolved | Fixed | b01 |
JDK-8249353 | 13.0.4 | Valerie Peng | P2 | Resolved | Fixed | b08 |
JDK-8254136 | 11.0.10-oracle | Valerie Peng | P2 | Resolved | Fixed | b01 |
JDK-8254119 | 11.0.9.0.1-oracle | Valerie Peng | P2 | Resolved | Fixed | b01 |
JDK-8249050 | 11.0.9-oracle | Valerie Peng | P2 | Closed | Fixed | b01 |
JDK-8249393 | 11.0.9 | Valerie Peng | P2 | Resolved | Fixed | b01 |
JDK-8249085 | 11.0.8.0.2-oracle | Valerie Peng | P2 | Closed | Fixed | b01 |
JDK-8249327 | 11.0.8 | Valerie Peng | P2 | Resolved | Fixed | b10 |
JDK-8254204 | 8u281 | Prasadarao Koppula | P2 | Resolved | Fixed | b02 |
JDK-8249066 | 8u271 | Prasadarao Koppula | P2 | Closed | Fixed | b01 |
JDK-8249113 | 8u261 | Prasadarao Koppula | P2 | Closed | Fixed | b33 |
JDK-8257340 | emb-8u281 | Prasadarao Koppula | P2 | Resolved | Fixed | team |
JDK-8251742 | emb-8u271 | Prasadarao Koppula | P2 | Resolved | Fixed | team |
Since the latest changes to SecureRandom[0], using certain ( I can reproduce with one but others might have the same issue, see below ) security providers, it is impossible to get an instance of SecurityRandom. The following is reproducible with the BouncyCastle FIPS 140-2 provider [1]:
public class TestSecureRandom {
public static void main(String[] args){
assert Security.getProviders()[0].getName().equals("BCFIPS");
SecureRandom random = new SecureRandom();
}
}
will fail with
Exception in thread "main" java.lang.RuntimeException: java.security.NoSuchAlgorithmException: Service not registered with Provider BCFIPS: BCFIPS: SecureRandom.DEFAULT -> org.bouncycastle.jcajce.provider.random.DefSecureRandom
attributes: {ImplementedIn=Software}
at java.base/java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:294)
at java.base/java.security.SecureRandom.<init>(SecureRandom.java:219)
at TestSecureRandomBug.main(TestSecureRandomBug.java:8)
Caused by: java.security.NoSuchAlgorithmException: Service not registered with Provider BCFIPS: BCFIPS: SecureRandom.DEFAULT -> org.bouncycastle.jcajce.provider.random.DefSecureRandom
attributes: {ImplementedIn=Software}
at java.base/java.security.Provider$Service.newInstance(Provider.java:1857)
at java.base/java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:290)
... 2 more
I reported this to the authors of the security provider [2] and I will share part of the analysis on why this fails here for the sake of completeness of the report.
The BCFIPS security provider overrides getService() and getServices() of Provider and it has its own extension of the Provider.Service which getService() returns.
However, getDefaultSecureRandomService() will always return a java.security.Provider.Service and since we are calling newInstance [3] on it, this fails as the
if (provider.getService(type, algorithm) != this) {
throw new NoSuchAlgorithmException("Service not registered with Provider " + provider.getName() + ": " + this);
}
can not be true. getService will return a org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.BcService and `this` is a java.security.Provider.Service.
I am not aware of other providers being affected by this ( the non FIPS BouncyCastle Provider is not, since it's a legacy style security provider ) but given the reason for the issue, I think there might be others affected. With [0] being backported to all supported versions and BCFIPS being one of the few available security providers that is FIPS 140-2 approved, this introduces a significant issue for folks with fips compliance requirements.
One potential fix that was proposed in [2] was to replace
if (prngServices != null && !prngServices.isEmpty()) {
return prngServices.iterator().next();
}
with:
if (prngServices != null && !prngServices.isEmpty()) {
Service rng = prngServices.iterator().next();
return getService(rng.getType(), rng.getAlgorithm());
}
so that any provider extending Service, could work fine.
Best Regards
Ioannis
[0] https://hg.openjdk.java.net/jdk/jdk15/rev/6eeaa40131ff
[1] https://www.bouncycastle.org/fips-java/
[2] http://bouncy-castle.1462172.n4.nabble.com/Default-SecureRandom-issue-in-BCFIPS-and-latest-JDK15-td4659964.html
[3] https://hg.openjdk.java.net/jdk/jdk15/rev/6eeaa40131ff#l2.55
- backported by
-
JDK-8248993 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Resolved
-
JDK-8249112 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Resolved
-
JDK-8249327 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Resolved
-
JDK-8249353 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Resolved
-
JDK-8249393 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Resolved
-
JDK-8249525 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Resolved
-
JDK-8250149 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Resolved
-
JDK-8250448 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Resolved
-
JDK-8251742 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Resolved
-
JDK-8254119 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Resolved
-
JDK-8254136 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Resolved
-
JDK-8254204 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Resolved
-
JDK-8257340 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Resolved
-
JDK-8248920 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Closed
-
JDK-8249050 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Closed
-
JDK-8249066 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Closed
-
JDK-8249085 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Closed
-
JDK-8249113 Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
- Closed
- duplicates
-
JDK-8250661 Java 11.0.8 breaks USAF EW-Unified-3.5.7-FIPS.jar
- Closed
-
JDK-8248885 Unexpected NoSuchAlgorithmException when using secure random impl from Entrust provider
- Closed
-
JDK-8250661 Java 11.0.8 breaks USAF EW-Unified-3.5.7-FIPS.jar
- Closed
- relates to
-
JDK-8250787 Provider.put no longer registering aliases in FIPS env
- Resolved
-
JDK-8246613 Choose the default SecureRandom algo based on registration ordering
- Closed