Merge pull request #744 from KostasTsiounis/secure_random

Revert to Java impl when non-default SecureRandom present
ibmruntimes · Dec 12, 2023 · 6f6d6a5 · 6f6d6a5
2 parents b9a45e8 + 158ea3f
commit 6f6d6a5
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 2 deletions.
diff --git a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java
@@ -39,6 +39,7 @@
 import java.security.KeyPair;
 import java.security.KeyPairGeneratorSpi;
 import java.security.PrivateKey;
+import java.security.Provider;
 import java.security.ProviderException;
 import java.security.PublicKey;
 import java.security.SecureRandom;
@@ -56,6 +57,7 @@
 
 import sun.security.ec.point.*;
 import sun.security.jca.JCAUtil;
+import sun.security.provider.Sun;
 import sun.security.util.ECUtil;
 
 import static sun.security.ec.ECOperations.IntermediateValueException;
@@ -97,6 +99,28 @@ public NativeECKeyPairGenerator() {
 
     @Override
     public void initialize(int keySize, SecureRandom random) {
+        if (random == null) {
+            if (nativeCryptTrace) {
+                System.err.println("No SecureRandom implementation was provided during"
+                        + " initialization. Using OpenSSL.");
+            }
+        } else if ((random.getProvider() instanceof Sun)
+            && ("NativePRNG".equals(random.getAlgorithm()) || "DRBG".equals(random.getAlgorithm()))
+        ) {
+            if (nativeCryptTrace) {
+                System.err.println("Default SecureRandom implementation was provided during"
+                        + " initialization. Using OpenSSL.");
+            }
+        } else {
+            if (nativeCryptTrace) {
+                System.err.println("SecureRandom implementation was provided during"
+                        + " initialization. Using Java implementation instead of OpenSSL.");
+            }
+            this.javaImplementation = new ECKeyPairGenerator();
+            this.javaImplementation.initialize(keySize, random);
+            return;
+        }
+
         if (keySize < KEY_SIZE_MIN) {
             throw new InvalidParameterException
                 ("Key size must be at least " + KEY_SIZE_MIN + " bits");
@@ -125,6 +149,28 @@ public void initialize(int keySize, SecureRandom random) {
     @Override
     public void initialize(AlgorithmParameterSpec params, SecureRandom random)
             throws InvalidAlgorithmParameterException {
+        if (random == null) {
+            if (nativeCryptTrace) {
+                System.err.println("No SecureRandom implementation was provided during"
+                        + " initialization. Using OpenSSL.");
+            }
+        } else if ((random.getProvider() instanceof Sun)
+            && ("NativePRNG".equals(random.getAlgorithm()) || "DRBG".equals(random.getAlgorithm()))
+        ) {
+            if (nativeCryptTrace) {
+                System.err.println("Default SecureRandom implementation was provided during"
+                        + " initialization. Using OpenSSL.");
+            }
+        } else {
+            if (nativeCryptTrace) {
+                System.err.println("SecureRandom implementation was provided during"
+                        + " initialization. Using Java implementation instead of OpenSSL.");
+            }
+            this.javaImplementation = new ECKeyPairGenerator();
+            this.javaImplementation.initialize(params, random);
+            return;
+        }
+
         ECParameterSpec ecSpec = null;
 
         if (params instanceof ECParameterSpec) {

diff --git a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeXDHKeyPairGenerator.java b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeXDHKeyPairGenerator.java
@@ -38,6 +38,7 @@
 import java.security.KeyFactory;
 import java.security.KeyPair;
 import java.security.KeyPairGeneratorSpi;
+import java.security.Provider;
 import java.security.ProviderException;
 import java.security.PublicKey;
 import java.security.SecureRandom;
@@ -46,6 +47,8 @@
 
 import jdk.crypto.jniprovider.NativeCrypto;
 
+import sun.security.jca.JCAUtil;
+import sun.security.provider.Sun;
 import sun.security.util.BitArray;
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X509Key;
@@ -59,6 +62,7 @@ public class NativeXDHKeyPairGenerator extends KeyPairGeneratorSpi {
     private final XECParameters lockedParams;
 
     private XDHKeyPairGenerator javaImplementation;
+    private boolean useJavaImpl;
 
     public NativeXDHKeyPairGenerator() {
         tryInitialize(NamedParameterSpec.X25519);
@@ -105,10 +109,42 @@ private void initializeImpl(XECParameters params, SecureRandom random) {
         }
 
         ops = new XECOperations(params);
+        this.random = (random != null) ? random : JCAUtil.getSecureRandom();
+
+        useJavaImpl = false;
+        if (random == null) {
+            if (nativeCryptTrace) {
+                System.err.println("No SecureRandom implementation was provided during"
+                        + " initialization. Using OpenSSL.");
+            }
+        } else if ((random.getProvider() instanceof Sun)
+            && ("NativePRNG".equals(random.getAlgorithm()) || "DRBG".equals(random.getAlgorithm()))
+        ) {
+            if (nativeCryptTrace) {
+                System.err.println("Default SecureRandom implementation was provided during"
+                        + " initialization. Using OpenSSL.");
+            }
+        } else {
+            if (nativeCryptTrace) {
+                System.err.println("SecureRandom implementation was provided during"
+                        + " initialization. Using Java implementation instead of OpenSSL.");
+            }
+            useJavaImpl = true;
+        }
     }
 
     @Override
     public KeyPair generateKeyPair() {
+        /*
+         * When the keypair generator is initialized with
+         * anything other than the default SecureRandom
+         * implementation, use the Java implementation
+         * to generate the keypair.
+         */
+        if (useJavaImpl) {
+            return javaImplGenerateKeyPair();
+        }
+
         /* If library isn't loaded, use Java implementation. */
         if (!NativeCrypto.isAllowedAndLoaded()) {
             if (nativeCryptTrace) {
@@ -177,12 +213,16 @@ public KeyPair generateKeyPair() {
      */
     private void initializeJavaImplementation() {
         if (javaImplementation == null) {
-            if (isX25519(ops.getParameters())) {
+            if (lockedParams == null) {
+                javaImplementation = new XDHKeyPairGenerator();
+            } else if (isX25519(lockedParams)) {
                 javaImplementation = new XDHKeyPairGenerator.X25519();
             } else {
                 javaImplementation = new XDHKeyPairGenerator.X448();
             }
         }
+
+        javaImplementation.initialize(ops.getParameters().getBits(), random);
     }
 
     /*

diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
@@ -25,7 +25,7 @@
 
 /*
  * ===========================================================================
- * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved
+ * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved
  * ===========================================================================
  */
 
@@ -298,6 +298,7 @@
         java.rmi,
         java.security.jgss,
         jdk.crypto.cryptoki,
+        jdk.crypto.ec,
         jdk.security.auth;
     exports sun.security.provider.certpath to
         java.naming,