Potential issues with javax.crypto under StructuredTaskScope/JDK22
Chris Marshall
oxbow_lakes at hotmail.com
Thu May 2 18:33:25 UTC 2024
Hi,
I work for an organisation which runs a number of applications inside an EKS cluster hosted in AWS. In order for the applications to communicate, they obtain bearer tokens from the AWS Cognito library, and in order to obtain the tokens, we have coded up User-SRP auth. This code has been running happily on JDK21 since October 2023, and before that on JDK17.
The User-SRP auth implementation (which we took from https://github.com/rundeck/repository/blob/master/repository-cli/src/main/groovy/com/rundeck/repository/auth/AuthenticationHelper.java) runs within our applications sometimes from within a platform thread, and in other cases on a virtual thread from inside a StructuredTaskScope. Again, this code has been live for over 6 months.
Last week I upgraded the application to be compiled by JDK22, and run on JDK22. Immediately, we started to see failures from within the User-SRP auth code only when it was run on a virtual thread from within a StructuredTaskScope. The failures are merely that the code appears to have calculated the wrong authentication response (i.e. AWS Cognito returns a message to the effect that we have the wrong username or password). It is not possible that this could be the case, because the same application, using the same username/password combo is able to successfully authenticate to AWS Cognito using User-SRP auth from a platform thread.
My conclusion has to be that, on JDK22, and only from a virtual thread (within a StructuredTaskScope?), the javax.crypto classes being used are not behaving as intended.
I realise that this is not much to go on; I am not a security expert, nor do I know much about User-SRP, and I don't really know how to go about constructing a reproducer for this. We cannot replicate the issue running locally on our machines from Windows; it only seems to happen on the machines inside our AWS cluster. This is the relevant information:
OS: Linux amd64/5.10.184-175.731.amzn2.x86_64
Java: Oracle Corporation OpenJDK 64-bit Server VM/22+36-2370
Classes used within User-SRP auth layer:
MessageDigest.getInstance("SHA-256")
SecureRandom.getInstance("SHA1PRNG")
Mac.getInstance("HmacSHA256")
I hope that this is helpful.
Chris
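The following is an added, constructed reproducer and is not code from the post above or from the rundeck AuthenticationHelper it links to. It exercises the three primitives the post lists (SHA-256 MessageDigest, HmacSHA256 Mac, SHA1PRNG SecureRandom) over fixed constructed inputs, once on the main platform thread and once on virtual threads forked inside a StructuredTaskScope, and reports whether the results agree. The key, message and class name are assumptions chosen for the example; SecureRandom output is inherently non-comparable, so it is only checked to run without error. One thing the reproducer deliberately separates out: each task creates its own MessageDigest and Mac, because those objects are not safe for concurrent use, and a single instance shared between a platform thread and a scoped virtual thread would yield wrong digests on any JDK version.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.concurrent.StructuredTaskScope;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Constructed reproducer (not the mailing-list author's code). Compares SHA-256 and
// HmacSHA256 results from a platform thread with the same computation on virtual
// threads inside a StructuredTaskScope. StructuredTaskScope is a preview API on
// JDK 21/22, so compile and run with --enable-preview.
public class CryptoThreadCheck {

    // Constructed fixed inputs; real SRP keys and messages are not used here.
    static final byte[] KEY = "constructed-example-key".getBytes(StandardCharsets.UTF_8);
    static final byte[] MSG = "constructed-message-to-authenticate".getBytes(StandardCharsets.UTF_8);

    // Each call builds its own MessageDigest and Mac. Neither class is safe for
    // concurrent use, so sharing one instance across tasks would corrupt results.
    static String digestAndMac() throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] digest = sha256.digest(MSG);

        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] tag = hmac.doFinal(digest);

        HexFormat hex = HexFormat.of();
        return hex.formatHex(digest) + ":" + hex.formatHex(tag);
    }

    public static void main(String[] args) throws Exception {
        // Reference result on the main (platform) thread.
        String platform = digestAndMac();

        // Same computation on virtual threads forked inside a StructuredTaskScope,
        // the path the post reports as failing on JDK 22.
        String scoped;
        try (var scope = new StructuredTaskScope.ShutdownOnFailure()) {
            StructuredTaskScope.Subtask<String> t1 = scope.fork(CryptoThreadCheck::digestAndMac);
            StructuredTaskScope.Subtask<String> t2 = scope.fork(CryptoThreadCheck::digestAndMac);
            scope.join().throwIfFailed();
            scoped = t1.get();
            if (!t2.get().equals(scoped)) {
                throw new IllegalStateException("two scoped subtasks disagree with each other");
            }
        }

        // SecureRandom output cannot be compared between threads; only confirm that
        // the SHA1PRNG provider can be obtained and used from a virtual thread.
        Thread.ofVirtual().start(() -> {
            try {
                SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
                byte[] b = new byte[16];
                rng.nextBytes(b);
                System.out.println("SHA1PRNG on virtual thread: " + HexFormat.of().formatHex(b));
            } catch (NoSuchAlgorithmException e) {
                throw new RuntimeException(e);
            }
        }).join();

        System.out.println("platform thread : " + platform);
        System.out.println("scoped vthread  : " + scoped);
        System.out.println(platform.equals(scoped) ? "MATCH" : "MISMATCH");
        if (!platform.equals(scoped)) {
            System.exit(1);
        }
    }
}
```

Run it on the affected hosts with `java --enable-preview --source 22 CryptoThreadCheck.java`; a MISMATCH exit isolates the problem to the JCE primitives on virtual threads, while a MATCH points back at the surrounding SRP code, for example state shared between the platform-thread and scoped-thread callers.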