JDK-8215250 : KeyPairGenerator.initialize(int, SecureRandom) doesn't use the given source
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 11.0.1
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_7
  • CPU: x86_64
  • Submitted: 2018-12-11
  • Updated: 2018-12-12
  • Resolved: 2018-12-12
Related Reports
Duplicate :  
Description
ADDITIONAL SYSTEM INFORMATION :
Compiler: javac 1.8.0_191 
JRE -8     :  java version "1.8.0_191"
                  Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
                  Java HotSpot(TM) 64-Bit Server VM (build 25.191-b12, mixed mode)

JRE-11   :  java version "11.0.1" 2018-10-16 LTS
                 Java(TM) SE Runtime Environment 18.9 (build 11.0.1+13-LTS)
                 Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.1+13-LTS, mixed mode)


A DESCRIPTION OF THE PROBLEM :
java.security.KeyPairGenerator.initialize(int, SecureRandom) does not use the given source of randomness (SecureRandom object).

REGRESSION : Last worked in version 8u191

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
* Compile the given program using JDK 8.
* Run using JRE 8. Prints a non-zero value (expected).
* Run using JRE 11. Prints zero (not expected).


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
KeyPairGenerator must use the supplied source of randomness.
ACTUAL -
Under JRE 11, KeyPairGenerator does not use the given source of randomness.
Instead, it uses the value supplied by sun.security.jca.JCAUtil.getSecureRandom().

When sun.security.rsa.RSAKeyPairGenerator.initialize(int, SecureRandom) delegates to
sun.security.rsa.RSAKeyPairGenerator.initialize(AlgorithmParameterSpec params, SecureRandom random), the last parameter is explicitly passed as a null value.

From RSAKeyPairGenerator.java:
    public void initialize(int keySize, SecureRandom random) {
        try {
            initialize(new RSAKeyGenParameterSpec(keySize,
                    RSAKeyGenParameterSpec.F4), null);
        } catch (InvalidAlgorithmParameterException iape) {
            throw new InvalidParameterException(iape.getMessage());
        }
    }

---------- BEGIN SOURCE ----------
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.SecureRandomSpi;
import java.util.concurrent.atomic.AtomicInteger;

@SuppressWarnings("null")
public class Test 
{
	public static void main(String[] args)throws Exception
	{
		AtomicInteger usageCount = new AtomicInteger();
		SecureRandom delegate = new SecureRandom();
		class TestSecureRandomSpi extends SecureRandomSpi
		{
			@Override
			protected void engineSetSeed(byte[] seed)
			{
				delegate.setSeed(seed);
			}

			@Override
			protected void engineNextBytes(byte[] bytes)
			{
				usageCount.incrementAndGet();
				delegate.nextBytes(bytes);
			}

			@Override
			protected byte[] engineGenerateSeed(int numBytes)
			{
				usageCount.incrementAndGet();
				return delegate.generateSeed(numBytes);
			}
		}

		class TestSecureRandom extends SecureRandom
		{
			TestSecureRandom ()
			{
				super(new TestSecureRandomSpi(), delegate.getProvider());
			}
		}

		KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
		keyPairGenerator.initialize(2048, new TestSecureRandom());
		keyPairGenerator.generateKeyPair();
		System.out.println(usageCount.get());
	}
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
None.

FREQUENCY : always