jdk Udiff src/java.base/share/conf/security/java.security

src/java.base/share/conf/security/java.security

rev 13987 : 8051408: NIST SP 800-90A SecureRandom implementations

@@ -118,27 +118,27 @@
 
 
 #
 # Sun Provider SecureRandom seed source.
 #
-# Select the primary source of seed data for the "SHA1PRNG" and
+# Select the primary source of seed data for the "DRBG", "SHA1PRNG" and
 # "NativePRNG" SecureRandom implementations in the "Sun" provider.
 # (Other SecureRandom implementations might also use this property.)
 #
 # On Unix-like systems (for example, Solaris/Linux/MacOS), the
-# "NativePRNG" and "SHA1PRNG" implementations obtains seed data from
+# "NativePRNG", "DRBG", and "SHA1PRNG" implementations obtains seed data from
 # special device files such as file:/dev/random.
 #
 # On Windows systems, specifying the URLs "file:/dev/random" or
 # "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding
-# mechanism for SHA1PRNG.
+# mechanism for DRBG and SHA1PRNG.
 #
 # By default, an attempt is made to use the entropy gathering device
 # specified by the "securerandom.source" Security property.  If an
 # exception occurs while accessing the specified URL:
 #
-#     SHA1PRNG:
+#     DRBG and SHA1PRNG:
 #         the traditional system/thread activity algorithm will be used.
 #
 #     NativePRNG:
 #         a default value of /dev/random will be used.  If neither
 #         are available, the implementation will be disabled.

@@ -152,11 +152,11 @@
 # Specifying this System property will override the
 # "securerandom.source" Security property.
 #
 # In addition, if "file:/dev/random" or "file:/dev/urandom" is
 # specified, the "NativePRNG" implementation will be more preferred than
-# SHA1PRNG in the Sun provider.
+# DRBG and SHA1PRNG in the Sun provider.
 #
 securerandom.source=file:/dev/random
 
 #
 # A list of known strong SecureRandom implementations.

@@ -167,17 +167,70 @@
 #
 # This is a comma-separated list of algorithm and/or algorithm:provider
 # entries.
 #
 #ifdef windows
-securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,SHA1PRNG:SUN
+securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,DRBG:SUN
 #endif
 #ifndef windows
 securerandom.strongAlgorithms=NativePRNGBlocking:SUN
 #endif
 
 #
+# Sun provider DRBG configuration and default instantiation request.
+#
+# NIST SP 800-90Ar1 lists several DRBG mechanisms, each can be configured with
+# a DRBG algorithm name, and can be instantiated with a security strength,
+# prediction resistance support, etc. This property defines the configuration
+# and the default instantiation request of "DRBG" SecureRandom implemented in
+# the SUN provider. Applications can request different instantiation parameters
+# like security strength/capability/personalization strings using
+# the getInstance(...,SecureRandomParameters,...) APIs with a
+# DrbgParameters.Instantiate object, but
+# other settings such as the mechanism and DRBG algorithm names are not
+# configurable by any API.
+#
+# Please note that the SUN implementation of DRBG always supports reseeding.
+#
+# The value of this property is a slash-separated list of all configurable
+# aspects. The aspects can appear in any order but the same aspect can only
+# appear at most once. Its BNF-style definition is:
+#
+#   Value:
+#     aspect { "," aspect }
+#
+#   aspect:
+#     mech_name | algorithm_name | strength | capability | df
+#
+#   mech_name: default "Hash_DRBG"
+#     "Hash_DRBG" | "HMAC_DRBG" | "CTR_DRBG"
+#
+#   algorithm_name: For Hash_DRBG and HMAC_DRBG, default to "SHA-256".
+#                   For CTR_DRBG, default to "AES-128" when using the limited
+#                   cryptographic policy files, or "AES-256" for unlimited.
+#     Any supported MessageDigest or Cipher algorithm name as described
+#     in Section 10 of SP 800-90Ar1
+#
+#   strength: default "128", or "112" if mech_name is CTR_DRBG
+#             and algorithm_name is "3 Key TDEA"
+#     "112" | "128" | "192" | "256"
+#
+#   pr: default "none"
+#     "pr_and_reseed" | "reseed_only" | "none"
+#
+#   df: default "use_df", only applicable to CTR_DRBG
+#     "use_df" | "no_df"
+#
+# Examples,
+#   drbg=Hash_DRBG,SHA-1,112,none
+#   drbg=CTR_DRBG,AES-256,256,pr_and_reseed,use_df
+#
+# The default value is an empty string, which is equivalent to
+#   drbg=Hash_DRBG,SHA-256,128,none
+drbg=
+
+#
 # Class to instantiate as the javax.security.auth.login.Configuration
 # provider.
 #
 login.configuration.provider=sun.security.provider.ConfigFile

< prev index next >