<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI Symbol";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoPlainText">Hi Valerie,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Thanks for your comments! They sparked off a lot more investigation on my end. I created a test provider and could not reproduce the issue. That led me to investigate how our provider was being installed. We use our own internal
Initializer() class to install providers in various orders (we have had to work around bugs in different JVM's in the past). That work-around required we remove the provider from the Security provider list (basically to clean it out), then we run a simple
crypto test with a new instantiation, and then install that provider in 1st position.
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">For example, here is the provider installation code that fails with 11.08. It fails differently with 11.07 (I believe you fixed that issue) and it worked with 11.06.
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> // Remove Entrust JCA/JCE CSP<o:p></o:p></p>
<p class="MsoPlainText"> Security.removeProvider("Entrust");<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"> //work around for IBM JDK 1.4 issue<o:p></o:p></p>
<p class="MsoPlainText"> Provider entrustCsp = new Entrust();<o:p></o:p></p>
<p class="MsoPlainText"> try {<o:p></o:p></p>
<p class="MsoPlainText"> MessageDigest digestAlg = MessageDigest.getInstance("SHA-1", entrustCsp);<o:p></o:p></p>
<p class="MsoPlainText"> digestAlg.digest();<o:p></o:p></p>
<p class="MsoPlainText"> } catch (NoSuchAlgorithmException e) {<o:p></o:p></p>
<p class="MsoPlainText"> throw new EntrustProviderTamperedException("MessageDigest", e);<o:p></o:p></p>
<p class="MsoPlainText"> }<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"> // Install the Entrust and IAIK JCA/JCE CSP in the first two<o:p></o:p></p>
<p class="MsoPlainText"> // positions<o:p></o:p></p>
<p class="MsoPlainText"> <span style="background:yellow;mso-highlight:yellow">
Security.insertProviderAt(entrustCsp, 1);</span><o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">If I change the highlighted line above (the last line) to the following, it works.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> Security.insertProviderAt(new Entrust(), 1);<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Having to make such a change seems strange. It seems that creating a new provider, using it to get an instance of an algorithm, and then adding that same provider into first position doesn’t work. I'm guessing because of the recent
changes you made the provider can’t be used before it is inserted into the provider order because it may hold onto some data from the previous usage? So this led me to investigate some more…..<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I debugged and found in fails in the SecureRandom and Provider.java classese:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">SecureRandom:<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:#3F7F5F">// per javadoc, if none of the Providers support a RNG algorithm,</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><span style="font-size:10.0pt;font-family:"Courier New";color:#3F7F5F">// then an implementation-specific default is returned.</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">if</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> (prngService ==
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">null</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">) {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> prngAlgorithm =
</span><span style="font-size:10.0pt;font-family:"Courier New";color:#2A00FF">"SHA1PRNG"</span><span style="font-size:10.0pt;font-family:"Courier New";color:black">;</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">this</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">.secureRandomSpi =
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">new</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> sun.security.provider.SecureRandom();</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">this</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">.provider = Providers.getSunProvider();</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">else</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">try</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055;background:yellow;mso-highlight:yellow">this</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black;background:yellow;mso-highlight:yellow">.secureRandomSpi
= (SecureRandomSpi)</span><span style="font-size:10.0pt;font-family:"Courier New";background:yellow;mso-highlight:yellow"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black;background:yellow;mso-highlight:yellow"> prngService.newInstance(</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055;background:yellow;mso-highlight:yellow">null</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black;background:yellow;mso-highlight:yellow">);</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">this</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">.provider = prngService.getProvider();<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-size:10.0pt;font-family:"Courier New";color:black"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="font-size:10.0pt;font-family:"Courier New";color:black">Provider:<o:p></o:p></span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">public</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> Object newInstance(Object constructorParameter)</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">throws</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> NoSuchAlgorithmException {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">if</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> (registered ==
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">false</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">) {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black;background:#C6DBAE">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055;background:yellow;mso-highlight:yellow">if</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black;background:yellow;mso-highlight:yellow"> (provider.getService(type,
algorithm) != </span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055;background:yellow;mso-highlight:yellow">this</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black;background:yellow;mso-highlight:yellow">)
{</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">throw</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">new</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> NoSuchAlgorithmException</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> (</span><span style="font-size:10.0pt;font-family:"Courier New";color:#2A00FF">"Service not registered with Provider
"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> + provider.getName() +
</span><span style="font-size:10.0pt;font-family:"Courier New";color:#2A00FF">": "</span><span style="font-size:10.0pt;font-family:"Courier New";color:black"> +
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">this</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">);</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> registered =
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">true</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">;</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> Class<?> ctrParamClz;<o:p></o:p></span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">When it fails, the type and algorithm are “SecureRandom” and “DRBGUsingSHA512”
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">The Provider.getService() code fails to match the “previousKey” ServiceKey type and algorithms. In my test code I was testing an AES algorithm, so the previous key type and Algorithm is “Cipher” and “<span style="font-size:10.0pt;font-family:"Courier New"">AES/CBC/PKCS5PADDING”
in the getService() call which doesn’t match the type “SecureRandom” and “DRBGUsingSHA512”. So it looks like there is a bug caused by holding on to existing data.
<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-size:10.0pt;font-family:"Courier New""> <o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-size:10.0pt;font-family:"Courier New"">Provider.getService():</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">public</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> Service getService(String type, String algorithm) {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> checkInitialized();</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><span style="font-size:10.0pt;font-family:"Courier New";color:#3F7F5F">// avoid allocating a new ServiceKey object if possible</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
<span style="background:yellow;mso-highlight:yellow">ServiceKey key = previousKey;</span></span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black;background:#C6DBAE">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055;background:#C6DBAE">if</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black;background:#C6DBAE"> (key.matches(type, algorithm) ==
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055;background:#C6DBAE">false</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black;background:#C6DBAE">) {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> key =
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">new</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ServiceKey(type, algorithm,
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">false</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">);</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
<span style="background:#F0D8A8">previousKey</span> = key;</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">if</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> (!serviceMap.isEmpty()) {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> Service s = serviceMap.get(key);</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">if</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> (s !=
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">null</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">) {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> </span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">return</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">
s;</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">synchronized</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> (</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">this</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">)
{</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ensureLegacyParsed();</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">if</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> (legacyMap !=
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">null</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> && !legacyMap.isEmpty()) {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">return</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> legacyMap.get(key);</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">return</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">null</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">;</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><span style="font-size:10.0pt;font-family:"Courier New";color:#3F7F5F">// ServiceKey from previous getService() call</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><span style="font-size:10.0pt;font-family:"Courier New";color:#3F7F5F">// by re-using it if possible we avoid allocating a new object</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><span style="font-size:10.0pt;font-family:"Courier New";color:#3F7F5F">// and the toUpperCase() call.</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><span style="font-size:10.0pt;font-family:"Courier New";color:#3F7F5F">// re-use will occur e.g. as the framework traverses the provider</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><span style="font-size:10.0pt;font-family:"Courier New";color:#3F7F5F">// list and queries each provider with the same values until it finds</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><span style="font-size:10.0pt;font-family:"Courier New";color:#3F7F5F">// a matching service</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">private</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">static</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">volatile</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ServiceKey
<span style="background:#F0D8A8">previousKey</span> =</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">new</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ServiceKey(</span><span style="font-size:10.0pt;font-family:"Courier New";color:#2A00FF">""</span><span style="font-size:10.0pt;font-family:"Courier New";color:black">,
</span><span style="font-size:10.0pt;font-family:"Courier New";color:#2A00FF">""</span><span style="font-size:10.0pt;font-family:"Courier New";color:black">,
</span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#7F0055">false</span></b><span style="font-size:10.0pt;font-family:"Courier New";color:black">);</span><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">So I think when I create a brand new Entrust() instance it works because the previous ServiceKey() contains the correct data and it matches. Debugging showed it to work that way. So I think using a provider before installing it in
the provider order is what is causing the issue because of internal data in the Provider class.
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">It looks like I *<b>could</b>* put in this weird work-around (just create a fresh instance of Entrust()) when installing the provider to work around the issue, but I wonder if there will be other consequences because of the way this
previousKey is used? I can make the simple change to our toolkit without breaking FIPS (the initialization class is not in the FIPS boundary). In fact, I assume I don’t need to keep that old work-around for the old IBM JVM anymore either..<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Thanks for your help! <o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Happy July 4<sup>th</sup> (I live in Ottawa Canada, so we had our muted Canada day celebrations a couple days ago on July 1<sup>st</sup>).
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">John Gray<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Valerie Peng [mailto:valerie.peng@oracle.com] <br>
Sent: Thursday, July 2, 2020 8:34 PM<br>
To: John Gray <John.Gray@entrustdatacard.com>; security-dev@openjdk.java.net<br>
Cc: John Mahoney <John.Mahoney@entrustdatacard.com>; Muthu Kannappan <muthu@entrustdatacard.com><br>
Subject: Re: [EXTERNAL]Re: SecureRandom regression with certain security providers</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Hi John,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Unfortunately this cannot wait til July 13th if this issue needs to be fixed for jdk 15.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Maybe you can try the webrev out or share more details on how Entrust provider does its registration and what Provider APIs it overrides. I need more info to help identifying the trigger for the NSAE in Entrust's case. I have verified
that the current webrev works with BCFIPS provider.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Regards and an early happy July 4th,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Valerie<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">On 7/2/2020 3:17 PM, Valerie Peng wrote:<o:p></o:p></p>
<p class="MsoPlainText">> I can certainly help you verify the fix. Let me know how I can help
<o:p></o:p></p>
<p class="MsoPlainText">> verify it for you. <span style="font-family:"Segoe UI Symbol",sans-serif">
😊</span><o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> Note: I will be on vacation next week, so I'll be back July 13th...
<o:p></o:p></p>
</div>
</body>
</html>