RFR: 8258588: MD5 MessageDigest in java.util.UUID should be cached

Claes Redestad redestad at openjdk.java.net
Fri Dec 18 14:57:23 UTC 2020


On Fri, 18 Dec 2020 14:42:38 GMT, PROgrm_JARvis <github.com+7693005+JarvisCraft at openjdk.org> wrote:

>>> I've looked through [Standard Algorithms section for MessageDigest](https://docs.oracle.com/en/java/javase/15/docs/specs/security/standard-names.html#messagedigest-algorithms) and it says
>>> 
>>> > Algorithm names that _can_ be specified
>>> 
>>> And the javadoc of `MessageDigest` says:
>>> 
>>> > Every implementation of the Java platform is required to support the following standard `MessageDigest` algorithms:
>>> > 
>>> > * `SHA-1`
>>> > * `SHA-256`
>>> 
>>> So I cannot find any requirement for `MD5` to be present. Although I believe that every implementation does provide it, it may be essential to either specify it or describe the behavior for its absence in case of `UUID`'s usage.
>> 
>> MD5 and DES were removed as SE requirements in JDK 14. See https://bugs.openjdk.java.net/browse/JDK-8214483 for more information. However, there are no plans to remove the implementations from the JDK at this time.
> 
> In this case, should a bug report be filed to require specifying behaviour for `UUID#nameUUIDFromBytes(byte[])` in case of MD5 not being present?

A more general issue is that this patch assumes the `MessageDigest` object returned is statically shareable, which implies it being stateless and thread-safe.

This doesn't seem to be the case. See [MD5.java](https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/provider/MD5.java) and the [DigestBase.java](https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/provider/DigestBase.java) base class, which both have mutating buffers for doing the digest.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1821
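
The statefulness concern raised in the message above, as an added example that is not part of the original message or of the patch under review. The class and method names (`SharedDigestDemo`, `perThreadDigest`) and the inputs are hypothetical, and a partial `update` on the shared instance stands in deterministically for a second thread interleaving with the first.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class SharedDigestDemo {
    // The pattern under discussion: one instance shared by every caller.
    static final MessageDigest SHARED = newMd5();

    // One alternative (an assumption, not the patch's approach):
    // an instance per thread, reset before each use.
    static final ThreadLocal<MessageDigest> PER_THREAD =
            ThreadLocal.withInitial(SharedDigestDemo::newMd5);

    static MessageDigest newMd5() {
        try {
            return MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            // MD5 is no longer an SE requirement, so absence must be handled.
            throw new InternalError("MD5 not supported", e);
        }
    }

    static byte[] perThreadDigest(byte[] name) {
        MessageDigest md = PER_THREAD.get();
        md.reset(); // discard any state left by an earlier, aborted use
        return md.digest(name);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        byte[] a = "alice".getBytes(StandardCharsets.UTF_8);
        byte[] b = "bob".getBytes(StandardCharsets.UTF_8);
        byte[] expectedB = newMd5().digest(b);

        // Caller A has fed its bytes into the shared buffer but has not
        // finished when caller B runs on the same instance.
        SHARED.update(a);
        byte[] gotB = SHARED.digest(b); // digest of "alice" + "bob", not "bob"

        System.out.println("shared instance correct for B:     "
                + Arrays.equals(expectedB, gotB));
        System.out.println("per-thread instance correct for B: "
                + Arrays.equals(expectedB, perThreadDigest(b)));
    }
}
```

With real threads the interleaving is timing-dependent, so a shared instance can pass tests and still produce wrong name-based UUIDs under load.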


More information about the core-libs-dev mailing list