JDK-5061398 : RFE: BigInteger is immutable
  • Type: Enhancement
  • Component: core-libs
  • Sub-Component: java.math
  • Affected Version: 1.4.2
  • Priority: P4
  • Status: Closed
  • Resolution: Won't Fix
  • OS: windows_2000
  • CPU: x86
  • Submitted: 2004-06-10
  • Updated: 2004-06-16
  • Resolved: 2004-06-16
Description

Name: rmT116609			Date: 06/10/2004


A DESCRIPTION OF THE REQUEST :
As BigInteger is often used in cryptographic applications to hold sensitive secrets (Private Keys), its immutability makes it hard to preserve these secrets, as operating on the sensitive BigIntegers will result in the secret being copied all over memory, or even likely getting swapped to disk.

JUSTIFICATION :
Having control over cryptographic secrets is a must for many secure applications.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
A mutable BigInteger so control over destruction of cryptographic secrets can be achieved.
ACTUAL -
BigInteger copies the byte array used in every operation as part of the operation to ensure the immutability invariant. This makes it impossible to control destruction of cryptographic secrets.

(Incident Review ID: 277045) 
======================================================================

Comments
EVALUATION The immutability of BigInteger is a fundamental component of the API's design. Changing this aspect of the design would be a very drastic alteration of the API. One way to accomplish the destruction aspect of the goal would be to add a destroy() method that would cause all subsequent uses of the object to throw an IllegalStateException, which would impact all uses of BigIntegers. The key leakage concerns have previously been considered but not judged to be serious enough of a threat to justify changing BigInteger in this way. ###@###.### 2004-06-15
15-06-2004
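An added Java example, not part of the bug report or the JDK: a hypothetical `WipeableSecret` holder shows the copying described in the request (every `BigInteger` derived from the secret is a copy the caller cannot overwrite) next to the `destroy()` / `IllegalStateException` behaviour mentioned in the evaluation, applied here to a wrapper around a `byte[]` rather than to `BigInteger` itself. The class name and the sample bytes are constructed for illustration.

```java
import java.math.BigInteger;
import java.util.Arrays;
import javax.security.auth.Destroyable;

public class WipeDemo {
    /** Hypothetical holder: keeps the secret in a byte[] that can be overwritten. */
    static final class WipeableSecret implements Destroyable {
        private final byte[] bytes;
        private boolean destroyed;

        WipeableSecret(byte[] secret) { this.bytes = secret.clone(); }

        /** Each call creates a new immutable BigInteger that this class cannot wipe. */
        BigInteger toBigInteger() {
            if (destroyed) throw new IllegalStateException("secret destroyed");
            return new BigInteger(1, bytes);
        }

        @Override public void destroy() {
            Arrays.fill(bytes, (byte) 0);   // overwrite the only copy this class owns
            destroyed = true;
        }

        @Override public boolean isDestroyed() { return destroyed; }
    }

    public static void main(String[] args) {
        byte[] raw = {0x13, 0x37, 0x42, 0x24};   // constructed sample, not a real key
        WipeableSecret secret = new WipeableSecret(raw);
        Arrays.fill(raw, (byte) 0);               // caller wipes its own copy

        BigInteger d = secret.toBigInteger();     // copy 1: BigInteger's internal magnitude
        BigInteger r = d.add(BigInteger.ONE);     // copy 2: new object derived from the secret
        byte[] out = d.toByteArray();             // copy 3: fresh byte[] on every call

        secret.destroy();
        Arrays.fill(out, (byte) 0);               // byte[] copies can be overwritten

        System.out.println("holder destroyed: " + secret.isDestroyed());
        System.out.println("d still readable: " + d.toString(16));  // BigInteger copies cannot
        System.out.println("r still readable: " + r.toString(16));
        try {
            secret.toBigInteger();
        } catch (IllegalStateException e) {
            System.out.println("use after destroy: " + e.getMessage());
        }
    }
}
```

The values held by `d` and `r` stay in the heap until the garbage collector reclaims them and the memory is reused, which is the exposure window the request describes.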