Current BC master (Java) fails tests

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Current BC master (Java) fails tests

Uri Blumenthal
Here’s the error:

setSeed() failed

java.security.ProviderException: setSeed() failed
at sun.security.provider.NativePRNG$RandomIO.implSetSeed(NativePRNG.java:472)
at sun.security.provider.NativePRNG$RandomIO.access$300(NativePRNG.java:331)
at sun.security.provider.NativePRNG.engineSetSeed(NativePRNG.java:214)
at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:209)
at java.security.SecureRandom.<init>(SecureRandom.java:190)
at org.bouncycastle.jcajce.provider.test.HybridRandomProviderTest.testCheckForStackOverflow(Unknown Source)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:23)
at junit.extensions.TestSetup$1.protect(TestSetup.java:23)
at junit.extensions.TestSetup.run(TestSetup.java:27)
Caused by: java.io.IOException: Operation not permitted
at java.io.FileOutputStream.writeBytes(Native Method)
at java.io.FileOutputStream.write(FileOutputStream.java:313)
at sun.security.provider.NativePRNG$RandomIO.implSetSeed(NativePRNG.java:470)

MacOS 10.13.6, JDK-1.8.0_181.


signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Current BC master (Java) fails tests

David Hook-3

This appears to be saying that a setSeed call on the native PRNG has failed. It's not actually managing to call any Bouncy Castle provider code.

The "Caused by: java.io.IOException: Operation not permitted" is the give away.

Is there anything unusual about the way the JVM is configured?

Regards,

David

On 12/08/18 13:05, Uri Blumenthal wrote:
Here’s the error:

setSeed() failed

java.security.ProviderException: setSeed() failed
at sun.security.provider.NativePRNG$RandomIO.implSetSeed(NativePRNG.java:472)
at sun.security.provider.NativePRNG$RandomIO.access$300(NativePRNG.java:331)
at sun.security.provider.NativePRNG.engineSetSeed(NativePRNG.java:214)
at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:209)
at java.security.SecureRandom.<init>(SecureRandom.java:190)
at org.bouncycastle.jcajce.provider.test.HybridRandomProviderTest.testCheckForStackOverflow(Unknown Source)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:23)
at junit.extensions.TestSetup$1.protect(TestSetup.java:23)
at junit.extensions.TestSetup.run(TestSetup.java:27)
Caused by: java.io.IOException: Operation not permitted
at java.io.FileOutputStream.writeBytes(Native Method)
at java.io.FileOutputStream.write(FileOutputStream.java:313)
at sun.security.provider.NativePRNG$RandomIO.implSetSeed(NativePRNG.java:470)

MacOS 10.13.6, JDK-1.8.0_181.


Reply | Threaded
Open this post in threaded view
|

Re: Current BC master (Java) fails tests

Uri Blumenthal
The only change I'm aware of is that is uses /dev/urandom. Otherwise - a perfectly standard installation, same as all the previous JVM/JDK that were installed (and had BC built and tested on them).

I'll experiment with reverting it back to /dev/random, and report here. Though of course, BC shouldn't fail tests because of that.

Sent from my test iPhone

On Aug 11, 2018, at 23:21, David Hook <[hidden email]> wrote:


This appears to be saying that a setSeed call on the native PRNG has failed. It's not actually managing to call any Bouncy Castle provider code.

The "Caused by: java.io.IOException: Operation not permitted" is the give away.

Is there anything unusual about the way the JVM is configured?

Regards,

David

On 12/08/18 13:05, Uri Blumenthal wrote:
Here’s the error:

setSeed() failed

java.security.ProviderException: setSeed() failed
at sun.security.provider.NativePRNG$RandomIO.implSetSeed(NativePRNG.java:472)
at sun.security.provider.NativePRNG$RandomIO.access$300(NativePRNG.java:331)
at sun.security.provider.NativePRNG.engineSetSeed(NativePRNG.java:214)
at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:209)
at java.security.SecureRandom.<init>(SecureRandom.java:190)
at org.bouncycastle.jcajce.provider.test.HybridRandomProviderTest.testCheckForStackOverflow(Unknown Source)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:23)
at junit.extensions.TestSetup$1.protect(TestSetup.java:23)
at junit.extensions.TestSetup.run(TestSetup.java:27)
Caused by: java.io.IOException: Operation not permitted
at java.io.FileOutputStream.writeBytes(Native Method)
at java.io.FileOutputStream.write(FileOutputStream.java:313)
at sun.security.provider.NativePRNG$RandomIO.implSetSeed(NativePRNG.java:470)

MacOS 10.13.6, JDK-1.8.0_181.


Reply | Threaded
Open this post in threaded view
|

Re: Current BC master (Java) fails tests

David Hook-3

I don't know if that would be it, might be, but I would have thought /dev/random would make the problem worse.

There's two things going on: SecureRandom.getDefaultPRNG() seems to be returning the SunNative RNG and not the BC one despite the addition of BC as the number 1 provider in the test, and then it's getting an IOException because it cannot write the seed material to the device the native RNG is using (I guess).

Is there another version of BC somewhere - it's a two line test, neither line appears to be working, and in neither case is it due to anything in BC.

Regards,

David

On 12/08/18 13:44, Uri Blumenthal wrote:
The only change I'm aware of is that is uses /dev/urandom. Otherwise - a perfectly standard installation, same as all the previous JVM/JDK that were installed (and had BC built and tested on them).

I'll experiment with reverting it back to /dev/random, and report here. Though of course, BC shouldn't fail tests because of that.

Sent from my test iPhone

On Aug 11, 2018, at 23:21, David Hook <[hidden email]> wrote:


This appears to be saying that a setSeed call on the native PRNG has failed. It's not actually managing to call any Bouncy Castle provider code.

The "Caused by: java.io.IOException: Operation not permitted" is the give away.

Is there anything unusual about the way the JVM is configured?

Regards,

David

On 12/08/18 13:05, Uri Blumenthal wrote:
Here’s the error:

setSeed() failed

java.security.ProviderException: setSeed() failed
at sun.security.provider.NativePRNG$RandomIO.implSetSeed(NativePRNG.java:472)
at sun.security.provider.NativePRNG$RandomIO.access$300(NativePRNG.java:331)
at sun.security.provider.NativePRNG.engineSetSeed(NativePRNG.java:214)
at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:209)
at java.security.SecureRandom.<init>(SecureRandom.java:190)
at org.bouncycastle.jcajce.provider.test.HybridRandomProviderTest.testCheckForStackOverflow(Unknown Source)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:23)
at junit.extensions.TestSetup$1.protect(TestSetup.java:23)
at junit.extensions.TestSetup.run(TestSetup.java:27)
Caused by: java.io.IOException: Operation not permitted
at java.io.FileOutputStream.writeBytes(Native Method)
at java.io.FileOutputStream.write(FileOutputStream.java:313)
at sun.security.provider.NativePRNG$RandomIO.implSetSeed(NativePRNG.java:470)

MacOS 10.13.6, JDK-1.8.0_181.



Reply | Threaded
Open this post in threaded view
|

Re: Current BC master (Java) fails tests

Uri Blumenthal
On Aug 12, 2018, at 0:41 , David Hook <[hidden email]> wrote:

I don't know if that would be it, might be, but I would have thought /dev/random would make the problem worse.

Ha… /dev/random made it better. Changing

securerandom.source=file:/dev/urandom

to

securerandom.source=file:/dev/random

made all the tests to pass again.

There's two things going on: SecureRandom.getDefaultPRNG() seems to be returning the SunNative RNG and not the BC one despite the addition of BC as the number 1 provider in the test, and then it's getting an IOException because it cannot write the seed material to the device the native RNG is using (I guess).

Yes...

Is there another version of BC somewhere - it's a two line test, neither line appears to be working, and in neither case is it due to anything in BC.

Actually, on my systems BC is added as 11th (for Java-8) and 14th (for Java-10) provider in java.security. But during the tests the only BC jars are those built in build/artifacts/jdk1.5/jars. Because BC jars are removed from /Library/Java/Extensions, and installed back only after the tests pass.

P.S. I’m having heck of a time trying to compile sample classes that use BC, with Java-10. Here’s what I get:

$ `java_home -v 10`/bin/javac -p /Library/Java/Extensions t2.java
t2.java:9: error: package org.bouncycastle.util.encoders is not visible
import org.bouncycastle.util.encoders.Hex;
                            ^
  (package org.bouncycastle.util.encoders is declared in module bcprov.ext.jdk15on, which is not in the module graph)
t2.java:13: error: package org.bouncycastle.jce.provider is not visible
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
                                                 ^
  (package org.bouncycastle.jce.provider is declared in module bcprov.ext.jdk15on, which is not in the module graph)
2 errors

I can run this class using JDK-10 if I compile it with JDK-8:

$ javac t2.java
$ `java_home -v 10`/bin/java --module-path /Library/Java/Extensions t2
Using RSA/ECB/OAEPWithSHA-384AndMGF1Padding from SunJCE version 10
orig. : abc
cipher: 96c2ee2fbb2f5f2fdb746518a160bfa72b5c60ae791ca5d2813e014613ad53aabc6050dd44f64ca8b56ee2076ca7f6ccf2ab8df2af40a56a05a23f6a6dd56124a4c246d07039818fec00bd9f7be08b26fd587bfe7a289f307dfa94572312230a4df7ae2e44687c6a68c83a9fe7b61422e8f554013f4a6c9e60221132ad8b1f2b
plain : abc

The source is here (it’s an old and simple sample class that uses only encoders.Hex from BC:

import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;

import javax.crypto.Cipher;

import org.bouncycastle.util.encoders.Hex;

public class t2 {
  public static void main(String[] args) throws Exception {
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

    byte[] input = "abc".getBytes();
    Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-384AndMGF1Padding");
    SecureRandom random = new SecureRandom();
    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");

    generator.initialize(1024, random);

    KeyPair pair = generator.generateKeyPair();
    Key pubKey = pair.getPublic();

    Key privKey = pair.getPrivate();

    cipher.init(Cipher.ENCRYPT_MODE, pubKey, random);

    System.out.println("Using "+cipher.getAlgorithm() + " from " +
      cipher.getProvider());
    System.out.println("orig. : " + new String(input));
    byte[] cipherText = cipher.doFinal(input);
    System.out.println("cipher: " + Hex.toHexString(cipherText));

    cipher.init(Cipher.DECRYPT_MODE, privKey);
    byte[] plainText = cipher.doFinal(cipherText);
    System.out.println("plain : " + new String(plainText));
  }
}

I get similar results with classes that use ciphers from BC like AES/OCB, etc.


On 12/08/18 13:44, Uri Blumenthal wrote:
The only change I'm aware of is that is uses /dev/urandom. Otherwise - a perfectly standard installation, same as all the previous JVM/JDK that were installed (and had BC built and tested on them).

I'll experiment with reverting it back to /dev/random, and report here. Though of course, BC shouldn't fail tests because of that.

Sent from my test iPhone

On Aug 11, 2018, at 23:21, David Hook <[hidden email]> wrote:


This appears to be saying that a setSeed call on the native PRNG has failed. It's not actually managing to call any Bouncy Castle provider code.

The "Caused by: java.io.IOException: Operation not permitted" is the give away.

Is there anything unusual about the way the JVM is configured?

Regards,

David

On 12/08/18 13:05, Uri Blumenthal wrote:
Here’s the error:

setSeed() failed

java.security.ProviderException: setSeed() failed
at sun.security.provider.NativePRNG$RandomIO.implSetSeed(NativePRNG.java:472)
at sun.security.provider.NativePRNG$RandomIO.access$300(NativePRNG.java:331)
at sun.security.provider.NativePRNG.engineSetSeed(NativePRNG.java:214)
at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:209)
at java.security.SecureRandom.<init>(SecureRandom.java:190)
at org.bouncycastle.jcajce.provider.test.HybridRandomProviderTest.testCheckForStackOverflow(Unknown Source)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:23)
at junit.extensions.TestSetup$1.protect(TestSetup.java:23)
at junit.extensions.TestSetup.run(TestSetup.java:27)
Caused by: java.io.IOException: Operation not permitted
at java.io.FileOutputStream.writeBytes(Native Method)
at java.io.FileOutputStream.write(FileOutputStream.java:313)
at sun.security.provider.NativePRNG$RandomIO.implSetSeed(NativePRNG.java:470)

MacOS 10.13.6, JDK-1.8.0_181.





signature.asc (499 bytes) Download Attachment