Bouncy Castle: multiple PGPSignature's identical within same timeframe (~ 1 second)

Question

While testing generation of a PGPSignature in a loop, always using the same input, I noticed I was getting identical signatures within a short timeframe.

That did rather surprise me: I had been expecting the Signature not to be reproducible.

Is this behaviour intended?

After roughly 1 second a different Signature is returned.

Bouncy Castle Packages used:
bcpg-jdk15on-168.jar
bcprov-jdk15on-168.jar

Java Version:
openJDK v14.0.2, x64

Here's a little self-contained example Proggy to highlight this:

import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import java.util.Iterator;

import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureGenerator;
import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.bc.BcPGPKeyPair;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;

public class PgpSimpleSigner {

    private static final DateTimeFormatter FMT = DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss.SSS" + "SSS" + "SSS");

    public         final PGPPrivateKey     privateKey;
    public         final PGPPublicKey      publicKey;

    private PgpSimpleSigner() throws IOException, PGPException {

        final RSAKeyGenerationParameters kgp = new RSAKeyGenerationParameters(BigInteger.valueOf(0x10001), new SecureRandom(), 2048, 12);
        final RSAKeyPairGenerator        kpg = new RSAKeyPairGenerator();
                                         kpg.init(kgp);

        final PGPKeyPair  keyPair = new BcPGPKeyPair(PGPPublicKey.RSA_SIGN, kpg.generateKeyPair(), new Date());

        this.privateKey = keyPair.getPrivateKey();
        this.publicKey  = keyPair.getPublicKey();
    }

    private PGPSignature sign(final String signMeString) throws Exception {

        final int keyAlgorithm  = PublicKeyAlgorithmTags.RSA_SIGN;
        final int hashAlgorithm = PGPUtil.SHA256;

        final JcaPGPContentSignerBuilder csb = new JcaPGPContentSignerBuilder(keyAlgorithm, hashAlgorithm);
                                         csb.setProvider(new BouncyCastleProvider());

        final PGPSignatureGenerator          sGen  = new PGPSignatureGenerator(csb);
        final PGPSignatureSubpacketGenerator spGen = new PGPSignatureSubpacketGenerator();
        /*
         * (spGen contains NO Subpackets, in particular no SignatureCreationTime)
         */

        sGen.init(PGPSignature.CANONICAL_TEXT_DOCUMENT, this.privateKey);

        this.publicKey.getUserIDs().forEachRemaining(userID -> {
            /*
             * Our Test PublicKey has no Users associated, so this Loop is not entered!
             */
            spGen.addSignerUserID(false, userID);
            /*
             * Suspicion: the Example code for this logic in
             * org.bouncycastle.openpgp.examples.ClearSignedFileProcessor
             * is incorrect? Maybe following should be outside the loop?...
             */
            sGen .setHashedSubpackets(spGen.generate()); // never executed!
        });

        sGen.update(signMeString.getBytes());

        return sGen.generate();
        /*
         * The above logic based on Method
         * signFile(String, InputStream, OutputStream, char[], String)
         * in
         * org.bouncycastle.openpgp.examples.ClearSignedFileProcessor.
         * 
         * ...but without the complicated CR/LF & Whitespace logic
         * as we know our input String is RFC 4880 compliant.
         */
    }

    public static void main(final String[] args) throws Throwable {

        final PgpSimpleSigner pgpSimpleSigner = new PgpSimpleSigner();

        byte[] bcSigBytesPrev = {};
        long   t0             = System.nanoTime();

        while (true) {
            final long         nsSinceDelta = System.nanoTime() - t0;
            final PGPSignature bcSig        = pgpSimpleSigner.sign("Sign me, I'm RFC 4880 compliant");
            final byte[]       bcSigBytes   = bcSig.getSignature();

            if (Arrays.compare(bcSigBytesPrev,  bcSigBytes) != 0) {
                               bcSigBytesPrev = bcSigBytes;
                
                System.out.println(FMT.format(ZonedDateTime.now()) + "\t" + nsSinceDelta + "\t" + Base64.getEncoder().encodeToString(bcSigBytes));

                t0 = System.nanoTime();
            }
        }
    }
}

Answer 1

Check the source code of org.bouncycastle.bcpg.sig.SignatureCreationTime.timeToBytes() on how a date value is added to the byte array to sign:

protected static byte[] timeToBytes(
    Date    date)
{
    byte[]    data = new byte[4];
    long        t = date.getTime() / 1000;
    
    data[0] = (byte)(t >> 24);
    data[1] = (byte)(t >> 16);
    data[2] = (byte)(t >> 8);
    data[3] = (byte)t;
    
    return data;
}

As you see, the current time down to the seconds is used (date.getTime() returns milliseconds, / 1000 "removes" the milliseconds part).

It looks like this is in compliance with the RFC 4880 - 5.9. Literal Data Packet (Tag 11) section:

 - A four-octet number that indicates a date associated with the
   literal data.  Commonly, the date might be the modification date
   of a file, or the time the packet was created, or a zero that
   indicates no specific time.

So it looks like it is working as specified.

Answer 2

Per default, PGPSignatureSubpacketGenerator contains no Subpackets.

Creation Time is a Must Subpacket & if none is found in PGPSignatureSubpacketGenerator, a default entry will be created in PGPSignatureGenerator#generate() using "Now" Seconds.
(as @Progman rightly pointed out)

As I surmised in the Code of my original question, the example code in org.bouncycastle.openpgp.examples.ClearSignedFileProcessor was less-than-perfect.
This has now been fixed. See BC Issue #965

I have extended my Example Code to add a Custom Subpacket containing the Nanoseconds, which causes a different Signature to be generated every time:

import java.io.IOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;

import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
import org.bouncycastle.bcpg.SignatureSubpacket;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureGenerator;
import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.bc.BcPGPKeyPair;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;

public class PgpSimpleSigner {

    private static final DateTimeFormatter FMT          = DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss.SSS" + "SSS" + "SSS");

    private static final int               CUSTOM_100   = 100;   // (According to RFC 4880, available for use)
    private static final boolean           NON_CRITICAL = false;

    public         final PGPPrivateKey     privateKey;
    public         final PGPPublicKey      publicKey;

    private PgpSimpleSigner() throws IOException, PGPException {

        final RSAKeyGenerationParameters kgp = new RSAKeyGenerationParameters(BigInteger.valueOf(0x10001), new SecureRandom(), 2048, 12);
        final RSAKeyPairGenerator        kpg = new RSAKeyPairGenerator();
        ;                                kpg.init(kgp);

        final PGPKeyPair  keyPair = new BcPGPKeyPair(PGPPublicKey.RSA_SIGN, kpg.generateKeyPair(), new Date());

        this.privateKey = keyPair.getPrivateKey();
        this.publicKey  = keyPair.getPublicKey();
    }

    private PGPSignature sign(final String signMeString) throws Exception {

        final int keyAlgorithm  = PublicKeyAlgorithmTags.RSA_SIGN;
        final int hashAlgorithm = PGPUtil.SHA256;

        final JcaPGPContentSignerBuilder     csb = new JcaPGPContentSignerBuilder(keyAlgorithm, hashAlgorithm);
        ;                                    csb.setProvider(new BouncyCastleProvider());

        final PGPSignatureGenerator          sGen  = new PGPSignatureGenerator(csb);
        final PGPSignatureSubpacketGenerator spGen = new PGPSignatureSubpacketGenerator();

        setCreationTimeWithCustomNanos      (spGen);

        sGen.init(PGPSignature.CANONICAL_TEXT_DOCUMENT, this.privateKey);

        this.publicKey.getUserIDs().forEachRemaining(userID -> {
            /*
             * (our Test PublicKey has no Users associated, so this Loop is not entered)
             */
            spGen.addSignerUserID(false, userID);
        });
        sGen.setHashedSubpackets(spGen.generate());

        sGen.update(signMeString.getBytes());

        return sGen.generate();
        /*
         * The above logic based on Method
         * signFile(String, InputStream, OutputStream, char[], String)
         * in
         * org.bouncycastle.openpgp.examples.ClearSignedFileProcessor.
         * 
         * ...but without the complicated CR/LF & Whitespace logic
         * as we know our input String is RFC 4880 compliant.
         */
    }

    /**
     * Bouncy Castle defaults to use Seconds since the Epoch to set Creation Time.<br>
     * (this is done in {@link PGPSignatureGenerator#generate()}).<br>
     * <br>
     * We set the Creation Time explicitly to {@code "now"}...<br>
     * ...and use the Nanoseconds from {@code "now"} to create a Custom Subpacket.<br>
     * <br>
     * Given the elapsed time necessary to calculate a Signature on contemporary Hardware,
     * this effectively adds a Salt to the deterministic RSA Algorithm,
     * thus making the Signature unique.
     * 
     * @param spGen
     */
    private static void setCreationTimeWithCustomNanos(final PGPSignatureSubpacketGenerator spGen) {

        final Instant nowInstant    = Instant.now();
        final Date    nowTime       = Date.from(nowInstant);

        final int     nowNanos      = nowInstant.getNano();
        final byte[]  nowNanosBytes = new byte[Integer.BYTES];

        ByteBuffer.wrap(nowNanosBytes).putInt(nowNanos);

        spGen.setSignatureCreationTime(                             NON_CRITICAL,        nowTime);
        spGen.addCustomSubpacket(new SignatureSubpacket(CUSTOM_100, NON_CRITICAL, false, nowNanosBytes) {});
    }

    public static void main(final String[] args) throws Throwable {

        final PgpSimpleSigner pgpSimpleSigner = new PgpSimpleSigner();

        byte[] bcSigBytesPrev = {};
        long   t0             = System.nanoTime();

        while (true) {
            final long         nsSinceDelta = System.nanoTime() - t0;
            final PGPSignature bcSig        = pgpSimpleSigner.sign("Sign me, I'm RFC 4880 compliant");
            final byte[]       bcSigBytes   = bcSig.getSignature();

            if (Arrays.compare(bcSigBytesPrev,  bcSigBytes) != 0) {
                ;              bcSigBytesPrev = bcSigBytes;

                System.out.println(FMT.format(ZonedDateTime.now()) + "\t" + nsSinceDelta + "\t" + Base64.getEncoder().encodeToString(bcSigBytes));

                t0 = System.nanoTime();
            }
        }
    }
}