JDK-6202721 : SHA1PRNG reads from /dev/random even if /dev/urandom selected
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 5.0,5.0u6,5.0u11,6,6u13
  • Priority: P4
  • Status: Closed
  • Resolution: Not an Issue
  • OS: generic,linux
  • CPU: generic,x86
  • Submitted: 2004-12-01
  • Updated: 2013-04-12
  • Resolved: 2006-11-28
Description
If you do

import java.security.SecureRandom;
class JRand {
  public static void main(String args[]) throws Exception {
    System.out.println("Ok: " +
      SecureRandom.getInstance("SHA1PRNG").nextLong());
  }
}

then SecureRandom will read from /dev/random even if securerandom.source is configured to use /dev/urandom. This is a problem if /dev/urandom was chosen because /dev/random is not working properly.

The root cause is that 4705093 assigned special meaning to the string "/dev/urandom".

Comments
Should be clearer as a result of this bug.
2013-04-12

EVALUATION The new behavior is as intended, closing as not-a-bug. If the 1.4.2 behavior is required, use either of the workarounds listed above. Note that both workarounds work on 1.4.2 and 5.0 and exhibit exactly the same behavior.
2006-11-28

WORK AROUND Alternatively, set securerandom.source to

  file:/dev/./urandom

With that setting in JDK 5.0, the behavior will be exactly the same as with file:/dev/urandom in 1.4.2.
2006-07-15

EVALUATION Right. 2005-04-18 21:35:12 GMT
2005-04-18

WORK AROUND Use 'new SecureRandom()' instead of 'SecureRandom.getInstance("SHA1PRNG")' 2004-12-01 22:30:25 GMT
2004-12-01
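
A diagnostic for the behavior reported above, added here as an example and not part of the bug report or the JDK: it prints the configured seed source and times the first output of both construction paths, with a timeout so that a stalled /dev/random shows up as a result rather than a hang. The class name SeedSourceCheck and the 5-second timeout are assumptions; the code avoids newer language features so it also compiles on the affected 5.0 and 6 releases.

```java
import java.security.SecureRandom;
import java.security.Security;

public class SeedSourceCheck {
    // Assumption: 5 s is far longer than a healthy seed source needs.
    static final long TIMEOUT_MS = 5000;

    // Constructs a SecureRandom and draws one value on a daemon thread, so a
    // blocked read of the seed device cannot hang the check itself.
    static String probe(final String label, final boolean useGetInstance) {
        final long[] elapsed = { -1 };
        final String[] error = { null };
        Thread t = new Thread(new Runnable() {
            public void run() {
                long start = System.currentTimeMillis();
                try {
                    SecureRandom r = useGetInstance
                            ? SecureRandom.getInstance("SHA1PRNG")
                            : new SecureRandom();
                    r.nextLong(); // forces seeding
                    elapsed[0] = System.currentTimeMillis() - start;
                } catch (Exception e) {
                    error[0] = e.toString();
                }
            }
        }, "seed-probe");
        t.setDaemon(true);
        t.start();
        try {
            t.join(TIMEOUT_MS);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
        if (error[0] != null) return label + ": failed: " + error[0];
        if (elapsed[0] < 0) return label + ": still blocked after " + TIMEOUT_MS + " ms";
        return label + ": first output after " + elapsed[0] + " ms";
    }

    public static void main(String[] args) {
        // Value from the java.security file, the setting this report is about.
        System.out.println("securerandom.source = "
                + Security.getProperty("securerandom.source"));
        // Command-line override, if any (-Djava.security.egd=...).
        System.out.println("java.security.egd   = "
                + System.getProperty("java.security.egd"));
        System.out.println(probe("new SecureRandom()", false));
        System.out.println(probe("SecureRandom.getInstance(\"SHA1PRNG\")", true));
    }
}
```

Run it in a fresh JVM once per setting under test, for example with file:/dev/urandom and again with file:/dev/./urandom, and compare the two timings.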