Bug 21614

Summary: Keyring file cannot be read using IBM 1.4.0 JRE
Product: [Eclipse Project] Platform Reporter: Tim Ellison <t.p.ellison>
Component: ResourcesAssignee: DJ Houghton <dj.houghton>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: P3 CC: john.arthorne, Kevin_McGuire
Version: 2.0   
Target Milestone: 2.0.1   
Hardware: All   
OS: Windows 2000   
Whiteboard:

Description Tim Ellison CLA 2002-07-16 07:33:46 EDT 
Build R2.0

Eclipse fails to read the .keyring file containing CVS passwords when running 
on IBM JDK 1.4.0, and leaves it corrupted, as follows:

java.io.IOException: SHA1PRNG SecureRandom not available
  at org.eclipse.core.internal.runtime.CipherInputStream.read
(CipherInputStream.java:71)
  at java.io.ObjectInputStream$PeekInputStream.read(ObjectInputStream.java:2138)
  at java.io.ObjectInputStream$PeekInputStream.readFully
(ObjectInputStream.java:2151)
  at java.io.ObjectInputStream$BlockDataInputStream.readShort
(ObjectInputStream.java:2622)
  at java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java:729)
  at java.io.ObjectInputStream.<init>(ObjectInputStream.java:254)
  at org.eclipse.core.internal.runtime.AuthorizationDatabase.load
(AuthorizationDatabase.java:260)
  at org.eclipse.core.internal.runtime.AuthorizationDatabase.load
(AuthorizationDatabase.java:248)
  at org.eclipse.core.internal.runtime.AuthorizationDatabase.<init>
(AuthorizationDatabase.java:73)
  at org.eclipse.core.internal.runtime.InternalPlatform.loadKeyring
(InternalPlatform.java:589)


The code fails because there is a hard coded reference to a Sun implementation 
of a random number stream "SHA1PRNG" (see 
org.eclipse.core.internal.runtime.Cipher#nextRandom(int)) that is unavailable 
by default in IBM's JRE.

The code should not reference a particular algorithm.

A work around is to add the following line to jre/lib/security/java.security:
security.provider.5=sun.security.provider.Sun
Comment 1 John Arthorne CLA 2002-07-16 10:56:32 EDT 
SHA1PRNG is listed as a standard algorithm name in the Java 2 SDK Security API 
(Appendix A).  That spec states that the algorithm names in that appendix are 
the standard required names.  Shouldn't all compliant JREs have that algorithm 
available?  It is available in IBM JRE 1.3 and in J9.

Since SHA1PRNG is the only specified algorithm name, the only alternative is to 
use the default constructor of SecureRandom.  The only problem with using it is 
that we won't know what algorithm is used.  This means the keyring file will 
probably never be portable across VMs.  It might also be difficult for export 
control requirements which require us to specify what encryption algorithms are 
used in the product.
Comment 2 John Arthorne CLA 2002-07-18 16:50:24 EDT 
I have released a fix to the HEAD (2.1) stream.  We're now using our own secure 
number generator based on SHA-1.  This also fixes our long-standing problem that 
SHA1PRNG produced a different bit stream on J9, thus .keyring files were never 
portable between J9 and non-J9 VMs.

We should consider as a 2.0.1 candidate.
Comment 3 Kevin McGuire CLA 2002-07-18 17:01:36 EDT 
I agree this should be 2.0.1.