[security-dev 00718]: Review request for 6819110

Mandy Chung Mandy.Chung at Sun.COM
Wed Mar 25 13:33:48 PDT 2009

6819110: Lazily load Sun digest provider for jar verification

Webrev at:

ManifestEntryVerifier's static initializer calls 
sun.security.jce.Providers.getSunProvider() that loads and initializes 
several security classes which are not nnecessarily needed when security 
manager is not enabled.  The fix is to call Providers.getSunProvider() 
when instantiating the MessageDigest object.

One question:
Providers.getSunProvider() method is called by 
sun.security.util.ManifestEntryVerifier and 
java.security.SecureRandom.   Two different Provider instances will be 
created if the SecureRandom is used by the application.  Is there 
performance gain (CPU time and memory) that worths caching the provider 
object for both callers?


More information about the security-dev mailing list