Bug ID: JDK-6505528 SecureRandom with SHA1PRNG works incorrectly when application is run first time

Type: Bug
Component: deploy
Sub-Component: webstart
Affected Version: 6

Priority: P4
Status: Closed
Resolution: Fixed
OS: windows_xp
CPU: x86

Submitted: 2006-12-18
Updated: 2011-03-08
Resolved: 2011-03-08

JDK 7
7 b13Fixed

FULL PRODUCT VERSION :
java version "1.6.0"
Java(TM) SE Runtime Environment (build 1.6.0-b105)
Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [version 5.1.2600]

A DESCRIPTION OF THE PROBLEM :
After first installation of WebStart application Test.java class SecureRandom seems to work  incorrectly ie. random.setSeed(seed) does not seed it properly. It seems to produce random numbers and not pseudorandom numbers deterministically.

When application is started again SecureRandom works as expected.
Test.java started from the command prompt also works as expected.

Our applications use SecureRandom to generate application licenses so this bug prevents our applications from starting properly.
Also our decryption and encryption modules which use SecureRandom seem
to fail when application is run for the first time.


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile Test.java and create test.jar
Below is a build script build.cmd:
javac   Test.java
jar -cvf test.jar Test.class

Copy test.jar and attached test.jnlp to some server. Our server in test is www.superpass.de.

Run test script below jwstest.cmd:
C:\jdk1.6.0\bin\javaws -verbose -uninstall
C:\jdk1.6.0\bin\javaws -verbose http://www.superpass.de/test.jnlp
pause Press any button to continue
C:\jdk1.6.0\bin\javaws -verbose http://www.superpass.de/test.jnlp

Check output from the Java console !


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Web Start Test 10 equals 10 equals 10
ACTUAL -
Web Start Test 10 equals -16 equals -47

Random numbers generated are different in each test run.


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Test.java:

import java.security.SecureRandom;
public class Test {
  public static void main(String[] args) {
    byte z[] = {0,0} ;
	String msg = "";
    try {
      byte tmp[] = {0};
      SecureRandom random =  SecureRandom.getInstance("SHA1PRNG","SUN");
      byte seed[] = new byte[1];
      seed[0] = 1;
      random.setSeed(seed);
      random.nextBytes(tmp);
      random = null;
      z[0] = tmp[0];
    } catch(Exception e)
	{
      e.printStackTrace();
    }
    try {
      byte tmp[] = {0};
      SecureRandom random = SecureRandom.getInstance("SHA1PRNG","SUN");
      byte seed[] = new byte[1];
      seed[0] = 1;
      random.setSeed(seed);
      random.nextBytes(tmp);
      random = null;
      z[1] = tmp[0];
    } catch(Exception e)
    {
      e.printStackTrace();
    }
    msg = "Web Start Test " + 10 + " equals " + z[0] + " equals " +   z[1];
    System.out.println(msg);
  }
}

test.jnlp :

<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://www.superpass.de" href="test.jnlp">
 <information>
  <title>Test</title>
  <vendor>Test</vendor>
  <homepage href="http://www.superpass.de"/>
  <description>Test</description>
  <description kind="short">Test</description>
  <offline-allowed/>
  </information>
 <resources>
  <j2se version="1.5+"/>
  <jar href="test.jar"/>
 </resources>
 <resources os="Windows">
 </resources>
 <resources os="Linux">
 </resources>
 <application-desc main-class="Test"/>
</jnlp>


---------- END SOURCE ----------

EVALUATION This is due to our own implementation of SecureRandomSpi: WSecureRandom, the WSecureRandom is created for generated seed using Win API instead of default Sun provider, which happens take too long to generate a seed. But in WSecureRandom class, we generate seed every time and call engineSetSeed in Constructor, when user is trying to use SecureRandom and set seed by themself, we overide their seed, that is not correct.

13-02-2007