Code review request: 7142339: is needlessly creating SHA1PRNG SecureRandom instances when timestamping is not done

Chris Hegarty chris.hegarty at
Wed Feb 8 02:47:59 PST 2012

On 08/02/2012 09:35, Xuelei Fan wrote:
> Looks fine to me.
> Interesting fix that makes use of the class loading priorities.

The 'Initialization on Demand Holder idiom' is used in other places in 
the platform. I think it suits well here, if creating a SecureRandom at 
this point is expensive. Especially if it may not be needed.

Not directly related but "// should not happen". Should this throw an 
Error? I've seen this in other places too, certainly can be handled 
separately and not a blocker for this particular fix.


> Xuelei
> On 2/8/2012 5:18 PM, Vincent Ryan wrote:
>> Please review the following change:
>> for
>> It employs lazy initialization to avoid the overhead of creating a secure
>> random number generator in code that never uses signature timestamping.
>> Thanks.

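The lazy initialization discussed in this thread, sketched as an added example that is not the code under review and not part of the original message. The class names `LazySecureRandomDemo`, `Signer` and `RandomHolder`, the `sign` method and the init counter are hypothetical; the catch branch shows one way to treat the "should not happen" case by throwing.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.concurrent.atomic.AtomicInteger;

public class LazySecureRandomDemo {
    // Counts holder initializations so the demo can show when the JVM runs it.
    static final AtomicInteger INIT_COUNT = new AtomicInteger();

    // Hypothetical signer: only needs randomness when timestamping is requested.
    static class Signer {
        // Initialization on Demand Holder: the JVM initializes this nested
        // class on first access to RANDOM, and class initialization is
        // thread-safe without explicit locking.
        private static class RandomHolder {
            static final SecureRandom RANDOM = create();

            private static SecureRandom create() {
                INIT_COUNT.incrementAndGet();
                try {
                    return SecureRandom.getInstance("SHA1PRNG");
                } catch (NoSuchAlgorithmException e) {
                    // "should not happen": fail loudly instead of continuing
                    throw new AssertionError("SHA1PRNG unavailable", e);
                }
            }
        }

        // Returns a copy of the data when no timestamp is wanted; otherwise
        // returns a fresh nonce (stand-in for a timestamp request nonce).
        byte[] sign(byte[] data, boolean timestamp) {
            if (!timestamp) {
                return data.clone();              // RandomHolder is never touched
            }
            byte[] nonce = new byte[8];
            RandomHolder.RANDOM.nextBytes(nonce); // first use triggers init
            return nonce;
        }
    }

    public static void main(String[] args) {
        Signer s = new Signer();
        byte[] data = {1, 2, 3};                  // constructed sample input
        s.sign(data, false);
        System.out.println("inits after untimestamped sign: " + INIT_COUNT.get());
        s.sign(data, true);
        s.sign(data, true);
        System.out.println("inits after timestamped signs:  " + INIT_COUNT.get());
    }
}
```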