There is unnecessary resource consumption in `SecureRandom.getInstance()`.

Sean Mullan sean.mullan at
Fri Apr 28 13:02:02 UTC 2023

[This should be discussed on the security alias so I am copying 
security-dev and -bcc-ing core-libs-dev]

As Bernd noted, use of SHA1PRNG should ideally be replaced with a 
stronger secure random algorithm, so the impact of this issue is 
probably not that significant. That said, I think this is still worthy 
of fixing.

On 4/28/23 7:40 AM, Bernd wrote:
> There are two solutions I think.
> 1. Create a constructor for SecureRandom.

#1 seems easy enough. We can add a SecureRandom(SecureRandomParameters) 
to (The ctor can ignore the 
parameter and just call SecureRandom()).

I can file an issue on your behalf.

> 2. Compare using getConstructors instead of getConstructor.

