--- old/src/java.base/share/conf/security/java.security 2016-04-05 10:16:54.000000000 +0800
+++ new/src/java.base/share/conf/security/java.security 2016-04-05 10:16:54.000000000 +0800
@@ -120,23 +120,23 @@
 #
 # Sun Provider SecureRandom seed source.
 #
-# Select the primary source of seed data for the "SHA1PRNG" and
+# Select the primary source of seed data for the "DRBG", "SHA1PRNG" and
 # "NativePRNG" SecureRandom implementations in the "Sun" provider.
 # (Other SecureRandom implementations might also use this property.)
 #
 # On Unix-like systems (for example, Solaris/Linux/MacOS), the
-# "NativePRNG" and "SHA1PRNG" implementations obtains seed data from
+# "NativePRNG", "DRBG", and "SHA1PRNG" implementations obtains seed data from
 # special device files such as file:/dev/random.
 #
 # On Windows systems, specifying the URLs "file:/dev/random" or
 # "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding
-# mechanism for SHA1PRNG.
+# mechanism for DRBG and SHA1PRNG.
 #
 # By default, an attempt is made to use the entropy gathering device
 # specified by the "securerandom.source" Security property. If an
 # exception occurs while accessing the specified URL:
 #
-# SHA1PRNG:
+# DRBG and SHA1PRNG:
 # the traditional system/thread activity algorithm will be used.
 #
 # NativePRNG:
@@ -154,7 +154,7 @@
 #
 # In addition, if "file:/dev/random" or "file:/dev/urandom" is
 # specified, the "NativePRNG" implementation will be more preferred than
-# SHA1PRNG in the Sun provider.
+# DRBG and SHA1PRNG in the Sun provider.
 #
 securerandom.source=file:/dev/random
 
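Review bot: In the first hunk (@@ -120,23), the changed line `DRBG and SHA1PRNG:` puts DRBG under the same fallback as SHA1PRNG, but the comment does not say whether that fallback is reported to the caller or whether it is considered adequate for the DRBG's configured strength. If reading `securerandom.source` throws, the DRBG is seeded by "the traditional system/thread activity algorithm". Since the same patch lists `DRBG:SUN` under `securerandom.strongAlgorithms` on Windows, I would add a sentence under that entry, for example `#         (the fallback is used without raising an error to the caller)`, if that is indeed the behaviour. The changed line `"NativePRNG", "DRBG", and "SHA1PRNG" implementations obtains seed data from` also carries over a grammar slip and should read `implementations obtain`.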
@@ -169,13 +169,66 @@
 # entries.
 #
 #ifdef windows
-securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,SHA1PRNG:SUN
+securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,DRBG:SUN
 #endif
 #ifndef windows
 securerandom.strongAlgorithms=NativePRNGBlocking:SUN
 #endif
 
 #
+# Sun provider DRBG configuration and default instantiation request.
+#
+# NIST SP 800-90Ar1 lists several DRBG mechanisms, each can be configured with
+# a DRBG algorithm name, and can be instantiated with a security strength,
+# prediction resistance support, etc. This property defines the configuration
+# and the default instantiation request of "DRBG" SecureRandom implemented in
+# the SUN provider. Applications can request different instantiation parameters
+# like security strength/capability/personalization strings using
+# the getInstance(...,SecureRandomParameters,...) APIs with a
+# DrbgParameters.Instantiate object, but
+# other settings such as the mechanism and DRBG algorithm names are not
+# configurable by any API.
+#
+# Please note that the SUN implementation of DRBG always supports reseeding.
+#
+# The value of this property is a slash-separated list of all configurable
+# aspects. The aspects can appear in any order but the same aspect can only
+# appear at most once. Its BNF-style definition is:
+#
+# Value:
+# aspect { "," aspect }
+#
+# aspect:
+# mech_name | algorithm_name | strength | capability | df
+#
+# mech_name: default "Hash_DRBG"
+# "Hash_DRBG" | "HMAC_DRBG" | "CTR_DRBG"
+#
+# algorithm_name: For Hash_DRBG and HMAC_DRBG, default to "SHA-256".
+# For CTR_DRBG, default to "AES-128" when using the limited
+# cryptographic policy files, or "AES-256" for unlimited.
+# Any supported MessageDigest or Cipher algorithm name as described
+# in Section 10 of SP 800-90Ar1
+#
+# strength: default "128", or "112" if mech_name is CTR_DRBG
+# and algorithm_name is "3 Key TDEA"
+# "112" | "128" | "192" | "256"
+#
+# pr: default "none"
+# "pr_and_reseed" | "reseed_only" | "none"
+#
+# df: default "use_df", only applicable to CTR_DRBG
+# "use_df" | "no_df"
+#
+# Examples,
+# drbg=Hash_DRBG,SHA-1,112,none
+# drbg=CTR_DRBG,AES-256,256,pr_and_reseed,use_df
+#
+# The default value is an empty string, which is equivalent to
+# drbg=Hash_DRBG,SHA-256,128,none
+drbg=
+
+#
 # Class to instantiate as the javax.security.auth.login.Configuration
 # provider.
 #
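Review bot: The added description calls the value `a slash-separated list`, but the BNF (`aspect { "," aspect }`) and both examples use commas, so the sentence should read `# The value of this property is a comma-separated list of all configurable`. The `aspect:` production names `capability` while the rule that defines it is headed `pr:`; the heading should be `capability: default "none"` so the grammar is self-consistent and matches the prose above it. On the Windows line, `DRBG:SUN` replaces `SHA1PRNG:SUN` in `securerandom.strongAlgorithms`, and the shipped `drbg=` resolves to `Hash_DRBG,SHA-256,128,none`. Presumably SecureRandom.getInstanceStrong() on Windows then inherits whatever `drbg` is set to, so a weakened value such as the `SHA-1,112` example would also weaken the "strong" instance, and a one-line comment next to `strongAlgorithms` saying so would help anyone editing this file.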