Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8215250

KeyPairGenerator.initialize(int, SecureRandom) don't use the given source

    XMLWordPrintable

    Details

      Description

      ADDITIONAL SYSTEM INFORMATION :
      Compiler: javac 1.8.0_191
      JRE -8 : java version "1.8.0_191"
                        Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
                        Java HotSpot(TM) 64-Bit Server VM (build 25.191-b12, mixed mode)

      JRE-11 : java version "11.0.1" 2018-10-16 LTS
                       Java(TM) SE Runtime Environment 18.9 (build 11.0.1+13-LTS)
                       Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.1+13-LTS, mixed mode)


      A DESCRIPTION OF THE PROBLEM :
      java.security.KeyPairGenerator.initialize(int, SecureRandom) don't use the given source of randomness (SecureRandom object).

      REGRESSION : Last worked in version 8u191

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      * Compile the given program Using JDK 8
      * Run using JRE 8. Prints a non zero value (expected)
      * Run using JRE 11. Prints zero (not expected)


      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      KeyPairGenerator must use the supplied source of randomness .
      ACTUAL -
      Under JRE 11 KeyPairGenerator does not use the given source of randomness.
      Instead it uses the value supplied by sun.security.jca.JCAUtil.getSecureRandom()

      When sun.security.rsa.RSAKeyPairGenerator.initialize(int , SecureRandom) is delegating to
      sun.security.rsa.RSAKeyPairGenerator.initialize(AlgorithmParameterSpec params, SecureRandom random) the last parameter is explicitly passed as a null value.

      From RSAKeyPairGenerator.java:
          public void initialize(int keySize, SecureRandom random) {
              try {
                  initialize(new RSAKeyGenParameterSpec(keySize,
                          RSAKeyGenParameterSpec.F4), null);
              } catch (InvalidAlgorithmParameterException iape) {
                  throw new InvalidParameterException(iape.getMessage());
              }
          }







      ---------- BEGIN SOURCE ----------
      import java.security.KeyPairGenerator;
      import java.security.SecureRandom;
      import java.security.SecureRandomSpi;
      import java.util.concurrent.atomic.AtomicInteger;

      @SuppressWarnings("null")
      public class Test
      {
      public static void main(String[] args)throws Exception
      {
      AtomicInteger usageCount = new AtomicInteger();
      SecureRandom delegate = new SecureRandom();
      class TestSecureRandomSpi extends SecureRandomSpi
      {
      @Override
      protected void engineSetSeed(byte[] seed)
      {
      delegate.setSeed(seed);
      }

      @Override
      protected void engineNextBytes(byte[] bytes)
      {
      usageCount.incrementAndGet();
      delegate.nextBytes(bytes);
      }

      @Override
      protected byte[] engineGenerateSeed(int numBytes)
      {
      usageCount.incrementAndGet();
      return delegate.generateSeed(numBytes);
      }
      }

      class TestSecureRandom extends SecureRandom
      {
      TestSecureRandom ()
      {
      super(new TestSecureRandomSpi(), delegate.getProvider());
      }
      }

      KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
      keyPairGenerator.initialize(2048, new TestSecureRandom());
      keyPairGenerator.generateKeyPair();
      System.out.println(usageCount.get());
      }
      }
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      None.

      FREQUENCY : always


        Attachments

          Issue Links

            Activity

              People

              Assignee:
              psonal Pallavi Sonal (Inactive)
              Reporter:
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: