RSACore$BlindingParameters not using user-provided SecureRandom
Weijun Wang
weijun.wang at oracle.com
Wed Sep 12 08:23:46 UTC 2018
In src/java.base/share/classes/sun/security/rsa/RSACore.java:
353 BlindingParameters(BigInteger e, BigInteger d, BigInteger n) {
354 this.u = null;
355 this.v = null;
356 this.e = e;
357 this.d = d;
358
359 int len = n.bitLength();
** 360 SecureRandom random = JCAUtil.getSecureRandom();
361 u = new BigInteger(len, random).mod(n);
Here, it is not using the SecureRandom passed into init() of either Signature or Cipher. Is this a bug we should fix?
Thanks
Max
More information about the security-dev
mailing list