ibmruntimes / openj9-openjdk-jdk11

Extensions for OpenJDK 11 for Eclipse OpenJ9
GNU General Public License v2.0

MessageDigest seems not Cloneable #665

Closed WilburZjh closed 1 year ago

WilburZjh commented 1 year ago

In JDK11, it seems that the MessageDigest object initialized from a provider such as SunPKCS11-NSS-FIPS is not cloneable. The following code is the sample test.

import java.security.MessageDigest;

class testMD {

    public static void main(String[] args) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        System.out.println("Debug - provider: " + md.getProvider());
        System.out.println("Debug - cloneable: " + (md instanceof Cloneable));
    }

}

After compiling and running, we got the following message.

javac testMD.java
------------------
java -Dsemeru.fips=true testMD
Debug - provider: SunPKCS11-NSS-FIPS version 11
Debug - cloneable: false

In jdk11, it seems that the MessageObject is not cloneable.

We are using the latest code from openj9-openjdk-jdk11/openj9 branch.

taoliult commented 1 year ago

@WilburZjh

From my last investigation, in JDK11, "md instanceof Cloneable" will return false when the md is from the SunPKCS11-NSS-FIPS. But when I take a look at the MessageDigest code, the "P11Digest" from the SunPKCS11-NSS-FIPS actually implements the Cloneable interface. So, not sure why it returns false. But from JDK17 and above, no such issue.

final class P11Digest extends MessageDigestSpi implements Cloneable, MessageDigestSpi2

keithc-ca commented 1 year ago

The difference, as I explained in https://github.com/ibmruntimes/openj9-openjdk-jdk11/pull/662#discussion_r1219908565, is that in Java 17 and later versions, MessageDigest.Delegate.CloneableDelegate is used instead of MessageDigest.Delegate when the original digest object is cloneable.

keithc-ca commented 1 year ago

Perhaps the solution to the situation explained here (https://github.com/ibmruntimes/openj9-openjdk-jdk11/pull/662#discussion_r1220265136) is to catch NoSuchAlgorithmException for the SUN provider as well.

taoliult commented 1 year ago

@keithc-ca Thanks for this https://github.com/ibmruntimes/openj9-openjdk-jdk17/commit/b88cc7219e1bd53bda2adefa8cfffb3bfbc0f8f9. This commit updated java.security.MessageDigest to return a Cloneable object, and it looks like it fixed the Cloneable check issue in HmacCore. Do you know why this change was not backported to OpenJDK11?

keithc-ca commented 1 year ago

Fixed via https://github.com/ibmruntimes/openj9-openjdk-jdk11/pull/667.
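
Added example, not part of the thread or of the project's code: a probe that compares the `instanceof Cloneable` marker discussed above with an actual `clone()` attempt for every installed provider of a digest algorithm, and checks that a successful clone carries the absorbed state. The class name `DigestCloneProbe` and its helper methods are hypothetical; it assumes only the documented behaviour that `MessageDigest.clone()` throws `CloneNotSupportedException` when the implementation cannot be cloned.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;

public class DigestCloneProbe {

    // Attempt the clone instead of trusting the marker interface on the wrapper object.
    static boolean canClone(MessageDigest md) {
        try {
            md.clone();
            return true;
        } catch (CloneNotSupportedException e) {
            return false;
        }
    }

    // A usable clone must carry the input absorbed so far and finish independently.
    static boolean cloneKeepsState(MessageDigest md) throws CloneNotSupportedException {
        md.reset();
        md.update("prefix".getBytes(StandardCharsets.UTF_8)); // constructed sample input
        MessageDigest copy = (MessageDigest) md.clone();
        byte[] fromOriginal = md.digest("tail".getBytes(StandardCharsets.UTF_8));
        byte[] fromClone = copy.digest("tail".getBytes(StandardCharsets.UTF_8));
        return Arrays.equals(fromOriginal, fromClone);
    }

    public static void main(String[] args) throws Exception {
        String algorithm = args.length > 0 ? args[0] : "SHA-256";
        // Returns null when no installed provider offers the algorithm.
        Provider[] providers = Security.getProviders("MessageDigest." + algorithm);
        if (providers == null) {
            System.out.println("No provider offers " + algorithm);
            return;
        }
        for (Provider p : providers) {
            MessageDigest md = MessageDigest.getInstance(algorithm, p);
            boolean marker = md instanceof Cloneable;
            boolean works = canClone(md);
            System.out.printf("%s: instanceof Cloneable=%b, clone() works=%b%n",
                    p.getName(), marker, works);
            if (works) {
                System.out.println("  clone keeps state: " + cloneKeepsState(md));
            }
        }
    }
}
```

Running it with the same `-Dsemeru.fips=true` option used in the report includes the SunPKCS11-NSS-FIPS provider in the comparison.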