8051408: NIST SP 800-90A SecureRandom implementations
Reviewed-by: wetmore, xuelei, coffeys
/*
* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.provider;
import java.security.AccessController;
import java.security.DrbgParameters;
import java.security.PrivilegedAction;
import java.security.SecureRandomParameters;
import java.security.SecureRandomSpi;
import java.security.Security;
import java.util.Locale;
import static java.security.DrbgParameters.Capability.*;
/**
* Implement the "SecureRandom.DRBG" algorithm.
*
* About the default "securerandom.drbg.config" value:
*
* The default value in java.security is set to "". This is because
* the default values of different aspects are dependent (For example,
* strength depends on algorithm) and if we write a full string there
* it will be difficult to modify one and keep all others legal.
*
* When changing default values, touch all places including:
*
* 1. comments of the security property in java.security
* 2. Default mech, cap, usedf set in this class
* 3. Default algorithm set in final implementation of each mech
* 4. Default strength set in AbstractDrbg, but the effective
* value can be smaller if an algorithm does not support it.
*
* The default value is also mentioned in the @implNote part of
* {@link DrbgParameters} class.
*/
public final class DRBG extends SecureRandomSpi {
private static final String PROP_NAME = "securerandom.drbg.config";
private static final long serialVersionUID = 9L;
private final AbstractDrbg impl;
private final String mechName;
private final String algorithmName;
public DRBG(SecureRandomParameters params) {
// All parameters at unset status (null or -1).
// Configurable with the "securerandom.drbg.config" security property
String mech = null;
Boolean usedf = null;
String algorithm = null;
// Default instantiate parameters also configurable with
// "securerandom.drbg.config", and can be changed with params
// in getInstance("drbg", params)
int strength = -1;
DrbgParameters.Capability cap = null;
byte[] ps = null;
// Not configurable with public interfaces, but is a part of
// MoreDrbgParameters
EntropySource es = null;
byte[] nonce = null;
// Can be configured with a security property
String config = AccessController.doPrivileged((PrivilegedAction<String>)
() -> Security.getProperty(PROP_NAME));
if (config != null && !config.isEmpty()) {
for (String part : config.split(",")) {
part = part.trim();
switch (part.toLowerCase(Locale.ROOT)) {
case "":
throw new IllegalArgumentException(
"aspect in " + PROP_NAME + " cannot be empty");
case "pr_and_reseed":
checkTwice(cap != null, "capability");
cap = PR_AND_RESEED;
break;
case "reseed_only":
checkTwice(cap != null, "capability");
cap = RESEED_ONLY;
break;
case "none":
checkTwice(cap != null, "capability");
cap = NONE;
break;
case "hash_drbg":
case "hmac_drbg":
case "ctr_drbg":
checkTwice(mech != null, "mechanism name");
mech = part;
break;
case "no_df":
checkTwice(usedf != null, "usedf flag");
usedf = false;
break;
case "use_df":
checkTwice(usedf != null, "usedf flag");
usedf = true;
break;
default:
// For all other parts of the property, it is
// either an algorithm name or a strength
try {
int tmp = Integer.parseInt(part);
if (tmp < 0) {
throw new IllegalArgumentException(
"strength in " + PROP_NAME +
" cannot be negative: " + part);
}
checkTwice(strength >= 0, "strength");
strength = tmp;
} catch (NumberFormatException e) {
checkTwice(algorithm != null, "algorithm name");
algorithm = part;
}
}
}
}
// Can be updated by params
if (params != null) {
// MoreDrbgParameters is used for testing.
if (params instanceof MoreDrbgParameters) {
MoreDrbgParameters m = (MoreDrbgParameters)params;
params = m.config;
// No need to check null for es and nonce, they are still null
es = m.es;
nonce = m.nonce;
if (m.mech != null) {
mech = m.mech;
}
if (m.algorithm != null) {
algorithm = m.algorithm;
}
usedf = m.usedf;
}
if (params instanceof DrbgParameters.Instantiation) {
DrbgParameters.Instantiation dp =
(DrbgParameters.Instantiation) params;
// ps is still null by now
ps = dp.getPersonalizationString();
int tmp = dp.getStrength();
if (tmp != -1) {
strength = tmp;
}
cap = dp.getCapability();
} else {
throw new IllegalArgumentException("Unsupported params: "
+ params.getClass());
}
}
// Hardcoded defaults.
// Remember to sync with "securerandom.drbg.config" in java.security.
if (cap == null) {
cap = NONE;
}
if (mech == null) {
mech = "Hash_DRBG";
}
if (usedf == null) {
usedf = true;
}
MoreDrbgParameters m = new MoreDrbgParameters(
es, mech, algorithm, nonce, usedf,
DrbgParameters.instantiation(strength, cap, ps));
switch (mech.toLowerCase(Locale.ROOT)) {
case "hash_drbg":
impl = new HashDrbg(m);
break;
case "hmac_drbg":
impl = new HmacDrbg(m);
break;
case "ctr_drbg":
impl = new CtrDrbg(m);
break;
default:
throw new IllegalArgumentException("Unsupported mech: " + mech);
}
mechName = mech;
algorithmName = impl.algorithm;
}
@Override
protected void engineSetSeed(byte[] seed) {
impl.engineSetSeed(seed);
}
@Override
protected void engineNextBytes(byte[] bytes) {
impl.engineNextBytes(bytes);
}
@Override
protected byte[] engineGenerateSeed(int numBytes) {
return impl.engineGenerateSeed(numBytes);
}
@Override
protected void engineNextBytes(
byte[] bytes, SecureRandomParameters params) {
impl.engineNextBytes(bytes, params);
}
@Override
protected void engineReseed(SecureRandomParameters params) {
impl.engineReseed(params);
}
@Override
protected SecureRandomParameters engineGetParameters() {
return impl.engineGetParameters();
}
@Override
public String toString() {
return impl.toString();
}
/**
* Ensures an aspect is not set more than once.
*
* @param flag true if set more than once
* @param name the name of aspect shown in IAE
* @throws IllegalArgumentException if it happens
*/
private static void checkTwice(boolean flag, String name) {
if (flag) {
throw new IllegalArgumentException(name
+ " cannot be provided more than once in " + PROP_NAME);
}
}
}