Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8220732

setSeed(long) java api doc is missing warning about provided seed quality

    Details

      Description

      A DESCRIPTION OF THE PROBLEM :
      java.security.SecureRandom#setSeed(byte[]) javadoc says:

      > ...
      > A PRNG {@code SecureRandom} will not seed itself automatically if
      > {@code setSeed} is called before any {@code nextBytes} or {@code reseed}
      > calls. The caller should make sure that the {@code seed} argument
      > contains enough entropy for the security of this {@code SecureRandom}.

      And given that this applies to java.security.SecureRandom#setSeed(long) as well, it should be indicated in its own javadoc or at least a "@see" tag should be added to #setSeed(long) as shown:

          /**
           * ...
           * @see #setSeed(byte[])
           * @see #getSeed
           */

      Failing to do so leaves to much room for unaware users to seed the SecureRandom in the following tempting but insecure way:

      SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
      random.setSeed(new Date().getTime());
      random.nextBytes(serno);



        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              webbuggrp Webbug Group
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: