Bug | Resolution: Not an Issue | P3 | None | 22 | generic | generic
ADDITIONAL SYSTEM INFORMATION :
Oracle Corporation OpenJDK 64-Bit Server VM/22+36-2370; Linux amd64/5.10.184-175.731.amzn2.x86_64
A DESCRIPTION OF THE PROBLEM :
We implement User-SRP-auth with AWS Cognito. When we upgraded from JDK21 to JDK22 the code "stops working" almost all the time, but only when it is invoked on a virtual thread from within a structured task scope, and only from the AWS infrastructure. We cannot reproduce the issue on Windows, even running the code from a docker image. When the code is invoked on a normal thread, it works. The error we get back from Cognito is just that we have the wrong password.
The code uses the following crypto algorithms:
1. MessageDigest.getInstance("SHA-256"); used as a ThreadLocal
2. SecureRandom.getInstance("SHA1PRNG"); shared instance
3. Mac.getInstance("HmacSHA256"); instantiated and used on one thread
It's my contention that at least one of these is unsafe to use from a virtual thread within a structured task scope on the specific platform architecture we have.
REGRESSION : Last worked in version 21.0.3
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Unable to supply a reproducible example, as the bug only manifests itself from within AWS infrastructure
FREQUENCY : often
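As an added consistency check (not the reporter's code and not part of the JDK), the following constructed Java program exercises the three algorithms named above in the same usage pattern (ThreadLocal SHA-256, one shared SHA1PRNG, a Mac created per call) from virtual threads forked inside a StructuredTaskScope, and compares every fork's result with a reference computed on the main thread. The "SRP proof" step is a stand-in, not Cognito's real derivation, and StructuredTaskScope needs --enable-preview on JDK 21/22.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.concurrent.*;
import java.util.concurrent.StructuredTaskScope.Subtask;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class VirtualThreadCryptoCheck {
    // Same usage pattern as the report: per-thread digest, one shared SecureRandom.
    static final ThreadLocal<MessageDigest> SHA256 = ThreadLocal.withInitial(() -> {
        try { return MessageDigest.getInstance("SHA-256"); }
        catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    });
    static final SecureRandom RNG;
    static {
        try { RNG = SecureRandom.getInstance("SHA1PRNG"); }
        catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    // Constructed stand-in for the SRP proof: key = SHA-256(seed), proof = HmacSHA256(key, msg).
    static byte[] proof(byte[] seed, byte[] message) throws GeneralSecurityException {
        MessageDigest md = SHA256.get();
        md.reset();   // defensive: a cached digest keeps state if an earlier update() was never finished
        Mac mac = Mac.getInstance("HmacSHA256");   // created and used on this thread only
        mac.init(new SecretKeySpec(md.digest(seed), "HmacSHA256"));
        return mac.doFinal(message);
    }
    // Forks 'tasks' subtasks inside a StructuredTaskScope opened on a virtual thread;
    // returns true only if every fork reproduces the reference proof supplied by the caller.
    static boolean runsConsistently(byte[] seed, byte[] msg, byte[] expected, int tasks) throws Exception {
        try (var exec = Executors.newVirtualThreadPerTaskExecutor()) {
            return exec.submit(() -> {
                try (var scope = new StructuredTaskScope.ShutdownOnFailure()) {
                    List<Subtask<byte[]>> forks = new ArrayList<>();
                    for (int i = 0; i < tasks; i++)   // also hammer the shared SecureRandom concurrently
                        forks.add(scope.fork(() -> { RNG.nextBytes(new byte[16]); return proof(seed, msg); }));
                    scope.join().throwIfFailed();
                    return forks.stream().allMatch(f -> Arrays.equals(f.get(), expected));
                }
            }).get();
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] seed = new byte[32];
        RNG.nextBytes(seed);
        byte[] msg = "constructed SRP message".getBytes(StandardCharsets.UTF_8);
        byte[] expected = proof(seed, msg);   // reference computed on the main (platform) thread
        System.out.println("consistent on virtual threads: " + runsConsistently(seed, msg, expected, 64));
    }
}
```

A false result on the reporter's platform would support the contention above; a true result points the investigation away from these three primitives and toward the surrounding request flow.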