org.bouncycastle.jcajce.provider.drbg.DRBG Maven / Gradle / Ivy
Show all versions of bcprov-debug-jdk15to18 Show documentation
package org.bouncycastle.jcajce.provider.drbg;
import java.util.concurrent.ConcurrentLinkedDeque;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;
import org.bouncycastle.crypto.digests.SHA512Digest;
import org.bouncycastle.crypto.macs.HMac;
import org.bouncycastle.crypto.prng.EntropySource;
import org.bouncycastle.crypto.prng.EntropySourceProvider;
import org.bouncycastle.crypto.prng.SP800SecureRandom;
import org.bouncycastle.crypto.prng.SP800SecureRandomBuilder;
import org.bouncycastle.jcajce.provider.config.ConfigurableProvider;
import org.bouncycastle.jcajce.provider.symmetric.util.ClassUtil;
import org.bouncycastle.jcajce.provider.util.AsymmetricAlgorithmProvider;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.Pack;
import org.bouncycastle.util.Properties;
import org.bouncycastle.util.Strings;
* DRBG Configuration
* org.bouncycastle.drbg.gather_pause_secs - is to stop the entropy collection thread from grabbing all
* available entropy on the system. The original motivation for the hybrid infrastructure was virtual machines
* sometimes produce very few bits of entropy a second, the original approach (which "worked" at least for BC) was
* to just read on the second thread and allow things to progress around it, but it did tend to hog the system
* if other processes were using /dev/random. By default the thread will pause for 5 seconds between 64 bit reads,
* increasing this time will reduce the demands on the system entropy pool. Ideally the pause will be set to large
* enough to allow everyone to work together, but small enough to ensure the provider's DRBG is being regularly
* reseeded.
* org.bouncycastle.drbg.entropysource - is the class name for an implementation of EntropySourceProvider.
* For example, one could be provided which just reads directly from /dev/random and the extra infrastructure used here
* could be avoided.
public class DRBG
private static final String PREFIX = DRBG.class.getName();
// {"Provider class name","SecureRandomSpi class name"}
private static final String[][] initialEntropySourceNames = new String[][]
// Normal JVM
{"", ""},
// Apache harmony
{"", ""},
// Android.
{"", ""},
{"org.conscrypt.OpenSSLProvider", "org.conscrypt.OpenSSLRandom"},
// Cascade through providers looking for match.
private final static Object[] findSource()
for (int t = 0; t < initialEntropySourceNames.length; t++)
String[] pair = initialEntropySourceNames[t];
Object[] r = new Object[]{Class.forName(pair[0]).newInstance(), Class.forName(pair[1]).newInstance()};
return r;
catch (Throwable ex)
return null;
private static EntropyDaemon entropyDaemon = null;
private static Thread entropyThread = null;
entropyDaemon = new EntropyDaemon();
entropyThread = new Thread(entropyDaemon, "BC Entropy Daemon");
public static class Mappings
extends AsymmetricAlgorithmProvider
public Mappings()
public void configure(ConfigurableProvider provider)
provider.addAlgorithm("SecureRandom.DEFAULT", PREFIX + "$Default");
provider.addAlgorithm("SecureRandom.NONCEANDIV", PREFIX + "$NonceAndIV");
public static class Default
extends SecureRandomSpi
private static final SecureRandom random = createBaseRandom(true);
public Default()
protected void engineSetSeed(byte[] bytes)
protected void engineNextBytes(byte[] bytes)
protected byte[] engineGenerateSeed(int numBytes)
return random.generateSeed(numBytes);
public static class NonceAndIV
extends SecureRandomSpi
private static final SecureRandom random = createBaseRandom(false);
public NonceAndIV()
protected void engineSetSeed(byte[] bytes)
protected void engineNextBytes(byte[] bytes)
protected byte[] engineGenerateSeed(int numBytes)
return random.generateSeed(numBytes);
private static SecureRandom createBaseRandom(boolean isPredictionResistant)
if (Properties.getPropertyValue("org.bouncycastle.drbg.entropysource") != null)
EntropySourceProvider entropyProvider = createEntropySource();
EntropySource initSource = entropyProvider.get(16 * 8);
byte[] personalisationString = isPredictionResistant
? generateDefaultPersonalizationString(initSource.getEntropy())
: generateNonceIVPersonalizationString(initSource.getEntropy());
return new SP800SecureRandomBuilder(entropyProvider)
.buildHash(new SHA512Digest(), initSource.getEntropy(), isPredictionResistant);
EntropySource source = new HybridEntropySource(entropyDaemon, 256);
byte[] personalisationString = isPredictionResistant
? generateDefaultPersonalizationString(source.getEntropy())
: generateNonceIVPersonalizationString(source.getEntropy());
return new SP800SecureRandomBuilder(new EntropySourceProvider()
public EntropySource get(int bitsRequired)
return new HybridEntropySource(entropyDaemon, bitsRequired);
.buildHash(new SHA512Digest(), source.getEntropy(), isPredictionResistant);
// unfortunately new SecureRandom() can cause a regress and it's the only reliable way of getting access
// to the JVM's seed generator.
private static EntropySourceProvider createInitialEntropySource()
boolean hasGetInstanceStrong = AccessController.doPrivileged(new PrivilegedAction()
public Boolean run()
Class def = SecureRandom.class;
return def.getMethod("getInstanceStrong") != null;
catch (Exception e)
return false;
if (hasGetInstanceStrong)
SecureRandom strong = AccessController.doPrivileged(new PrivilegedAction()
public SecureRandom run()
return (SecureRandom)SecureRandom.class.getMethod("getInstanceStrong").invoke(null);
catch (Exception e)
return new CoreSecureRandom(findSource());
return new IncrementalEntropySourceProvider(strong, true);
return new IncrementalEntropySourceProvider(new CoreSecureRandom(findSource()), true);
private static EntropySourceProvider createCoreEntropySourceProvider()
if (Security.getProperty("securerandom.source") == null)
return createInitialEntropySource();
String source = Security.getProperty("securerandom.source");
return new URLSeededEntropySourceProvider(new URL(source));
catch (Exception e)
return createInitialEntropySource();
private static EntropySourceProvider createEntropySource()
final String sourceClass = Properties.getPropertyValue("org.bouncycastle.drbg.entropysource");
return AccessController.doPrivileged(new PrivilegedAction()
public EntropySourceProvider run()
Class clazz = ClassUtil.loadClass(DRBG.class, sourceClass);
return (EntropySourceProvider)clazz.newInstance();
catch (Exception e)
throw new IllegalStateException("entropy source " + sourceClass + " not created: " + e.getMessage(), e);
private static byte[] generateDefaultPersonalizationString(byte[] seed)
return Arrays.concatenate(Strings.toByteArray("Default"), seed,
Pack.longToBigEndian(Thread.currentThread().getId()), Pack.longToBigEndian(System.currentTimeMillis()));
private static byte[] generateNonceIVPersonalizationString(byte[] seed)
return Arrays.concatenate(Strings.toByteArray("Nonce"), seed,
Pack.longToLittleEndian(Thread.currentThread().getId()), Pack.longToLittleEndian(System.currentTimeMillis()));
private static class EntropyDaemon
implements Runnable
private final ConcurrentLinkedDeque tasks = new ConcurrentLinkedDeque();
void addTask(Runnable task)
public void run()
for (; ; )
Runnable task = tasks.pollFirst();
if (task != null)
catch (Throwable e)
// ignore
catch (InterruptedException e)
private static class CoreSecureRandom
extends SecureRandom
CoreSecureRandom(Object[] initialEntropySourceAndSpi)
super((SecureRandomSpi)initialEntropySourceAndSpi[1], (Provider)initialEntropySourceAndSpi[0]);
private static long getPause()
String pauseSetting = Properties.getPropertyValue("org.bouncycastle.drbg.gather_pause_secs");
if (pauseSetting != null)
return Long.parseLong(pauseSetting) * 1000;
catch (Exception e)
return 5000;
return 5000;
private static void sleep(long ms)
catch (InterruptedException e)
private static class URLSeededEntropySourceProvider
implements EntropySourceProvider
private final InputStream seedStream;
URLSeededEntropySourceProvider(final URL url)
this.seedStream = AccessController.doPrivileged(new PrivilegedAction()
public InputStream run()
return url.openStream();
catch (IOException e)
throw new IllegalStateException("unable to open random source");
private int privilegedRead(final byte[] data, final int off, final int len)
return AccessController.doPrivileged(new PrivilegedAction()
public Integer run()
return, off, len);
catch (IOException e)
throw new InternalError("unable to read random source");
public EntropySource get(final int bitsRequired)
return new IncrementalEntropySource()
private final int numBytes = (bitsRequired + 7) / 8;
public boolean isPredictionResistant()
return true;
public byte[] getEntropy()
return getEntropy(0);
public byte[] getEntropy(long pause)
byte[] data = new byte[numBytes];
int off = 0;
int len;
while (off != data.length && (len = privilegedRead(data, off, data.length - off)) > -1)
off += len;
if (off != data.length)
throw new InternalError("unable to fully read random source");
return data;
public int entropySize()
return bitsRequired;
private interface IncrementalEntropySource
extends EntropySource
* Pause allows for a gap between fetches. We only want this after we've initialised.
* @param pause time in milliseconds to pause in build up seed.
* @return the resulting seed
byte[] getEntropy(long pause);
private static class HybridEntropySource
implements EntropySource
private final AtomicBoolean seedAvailable = new AtomicBoolean(false);
private final AtomicInteger samples = new AtomicInteger(0);
private final SP800SecureRandom drbg;
private final SignallingEntropySource entropySource;
private final int bytesRequired;
private final byte[] additionalInput = Pack.longToBigEndian(System.currentTimeMillis());
HybridEntropySource(final EntropyDaemon entropyDaemon, final int bitsRequired)
EntropySourceProvider entropyProvider = createCoreEntropySourceProvider();
bytesRequired = (bitsRequired + 7) / 8;
// remember for the seed generator we need the correct security strength for SHA-512
entropySource = new SignallingEntropySource(entropyDaemon, seedAvailable, entropyProvider, 256);
drbg = new SP800SecureRandomBuilder(new EntropySourceProvider()
public EntropySource get(final int bitsRequired)
return entropySource;
.setPersonalizationString(Strings.toByteArray("Bouncy Castle Hybrid Entropy Source"))
.buildHMAC(new HMac(new SHA512Digest()), entropySource.getEntropy(), false); // 32 byte nonce
public boolean isPredictionResistant()
return true;
public byte[] getEntropy()
byte[] entropy = new byte[bytesRequired];
// after 20 samples we'll start to check if there is new seed material.
if (samples.getAndIncrement() > 20)
if (seedAvailable.getAndSet(false))
return entropy;
public int entropySize()
return bytesRequired * 8;
private class SignallingEntropySource
implements IncrementalEntropySource
private final EntropyDaemon entropyDaemon;
private final AtomicBoolean seedAvailable;
private final IncrementalEntropySource entropySource;
private final int byteLength;
private final AtomicReference entropy = new AtomicReference();
private final AtomicBoolean scheduled = new AtomicBoolean(false);
private final long pause;
SignallingEntropySource(EntropyDaemon entropyDaemon, AtomicBoolean seedAvailable, EntropySourceProvider baseRandom, int bitsRequired)
this.entropyDaemon = entropyDaemon;
this.seedAvailable = seedAvailable;
this.entropySource = (IncrementalEntropySource)baseRandom.get(bitsRequired);
this.byteLength = (bitsRequired + 7) / 8;
this.pause = getPause();
public boolean isPredictionResistant()
return true;
public byte[] getEntropy()
return getEntropy(0);
public byte[] getEntropy(long pause)
byte[] seed = (byte[])entropy.getAndSet(null);
if (seed == null || seed.length != byteLength)
seed = entropySource.getEntropy(pause);
return seed;
void schedule()
if (!scheduled.getAndSet(true))
entropyDaemon.addTask(new EntropyGatherer(entropySource));
public int entropySize()
return byteLength * 8;
private class EntropyGatherer
implements Runnable
private final IncrementalEntropySource baseRandom;
EntropyGatherer(IncrementalEntropySource baseRandom)
this.baseRandom = baseRandom;
public void run()
private static class IncrementalEntropySourceProvider
implements EntropySourceProvider
private final SecureRandom random;
private final boolean predictionResistant;
* Create a entropy source provider based on the passed in SecureRandom.
* @param random the SecureRandom to base EntropySource construction on.
* @param isPredictionResistant boolean indicating if the SecureRandom is based on prediction resistant entropy or not (true if it is).
public IncrementalEntropySourceProvider(SecureRandom random, boolean isPredictionResistant)
this.random = random;
this.predictionResistant = isPredictionResistant;
* Return an entropy source that will create bitsRequired bits of entropy on
* each invocation of getEntropy().
* @param bitsRequired size (in bits) of entropy to be created by the provided source.
* @return an EntropySource that generates bitsRequired bits of entropy on each call to its getEntropy() method.
public EntropySource get(final int bitsRequired)
return new IncrementalEntropySource()
final int numBytes = (bitsRequired + 7) / 8;
public boolean isPredictionResistant()
return predictionResistant;
public byte[] getEntropy()
return getEntropy(0);
public byte[] getEntropy(long pause)
byte[] seed = new byte[numBytes];
for (int i = 0; i < numBytes / 8; i++)
// we need to be mindful that we may not be the only thread/process looking for entropy
byte[] rn = random.generateSeed(8);
System.arraycopy(rn, 0, seed, i * 8, rn.length);
int extra = numBytes - ((numBytes / 8) * 8);
if (extra != 0)
byte[] rn = random.generateSeed(extra);
System.arraycopy(rn, 0, seed, seed.length - rn.length, rn.length);
return seed;
public int entropySize()
return bitsRequired;