> On Jan 6, 2016, at 3:31 PM, e...@zusammenkunft.net wrote: > > Hello, > > is the Intention of the default implementation of getFullEntropy to expand a > too short array with the DF as well (which is a dangerous thing to do IMHO) > or is the conditional conditioning only to condense (aka shorten)?
Only shorten. Should check. > In that case you should maybe add an assert and make the if compare against > bigger length only? (On the other hand I wonder why not simly discarding the > bytes would be fine, too. I dont see an implementation providing excessive > bytes anyway. Discard extra bytes? At least the current code is an approved conditioning function. > > Why not have a int fillEntropy (byte [] out, boolean partial (, int pos, int > len)) methods instead? (This also avoids the need to exlain "full" as well as > "get". So if partial is true, the method may return a value smaller than len? Is this really useful? Should the caller call it again and again until enough bytes are available? > > When partial is false the method is guranteed to throw if not enough entropy > is available and by not creating arrays it cannot create exceeding bytes. > > The default impl for the pos/len is to call fillEntropy(out, partial, 0, > out.length). It might not be needed however. These methods will prevent unnecessary System.arraycopy(). Will consider. Thanks Max > > Bernd > -- > http://bernd.eckenfels.net > > -----Original Message----- > From: Wang Weijun <weijun.w...@oracle.com> > To: Sean Mullan <sean.mul...@oracle.com> > Cc: OpenJDK Dev list <security-dev@openjdk.java.net> > Sent: Mi., 06 Jan. 2016 6:19 > Subject: Re: Design and impl review: JEP 273: DRBG-Based SecureRandom > Implementations > > >> On Jan 6, 2016, at 12:01 AM, Sean Mullan <sean.mul...@oracle.com> wrote: >> >> If you think getFullEntropy is sufficient, then let's just keep the one >> method. > > I thought about this more and we can actually do > > /** > * An interface of a source of entropy input. > * <p> > * This interface has 2 methods returning byte arrays containing entropy. > * The result of {@link #getFullEntropy} contains full entropy and that of > * {@link #getEntropy} contains the request amount of entropy but might not > * be full. The default implementation of the methods inside this interface > * are dependent on each other. An implementation must implement at least > * one of them to be useful. > * > * @since 1.9 > */ > public interface EntropyInput { > /** > * Fills a byte array with full entropy. > * <p> > * This method might block and/or fail. > * > * @implSpec The default implementation calls {@link #getEntropy} > * to return a byte array which might not have full entropy, and then > * calls the hashdf conditioning function defined in NIST SP 800-90Ar1 > * 10.3.1 to condense it into an array with full entropy. > * > * @param entropy the byte array with filled entropy. > * @throws EntropyNotAvailableException if not enough entropy is available. > */ > default void getFullEntropy(byte[] entropy) { > byte[] raw = getEntropy(entropy.length); > if (raw.length != entropy.length) { > try { > MessageDigest md = MessageDigest.getInstance("SHA-256", "SUN"); > raw = HashDrbg.hashDf(md, md.getDigestLength(), > entropy.length, raw); > } catch (Exception e) { > throw new InternalError(e); > } > } > System.arraycopy(raw, 0, entropy, 0, raw.length); > } > > /** > * Returns a byte array with at least length*8 bits of entropy. > * <p> > * This method might block and/or fail. > * > * @implSpec The default implementation calls {@link #getFullEntropy} > * to return a byte array which has full entropy. > * > * @param length the minimum size of entropy requested in bytes > * @return a byte array containing entropy > * @throws EntropyNotAvailableException if not enough entropy is available. > */ > default byte[] getEntropy(int length) { > byte[] result = new byte[length]; > getFullEntropy(result); > return result; > } > }
