RFR: JDK-8014838: getStrongSecureRandom() should require at least one implementation
Bradford Wetmore
bradford.wetmore at oracle.com
Wed Oct 2 04:28:31 UTC 2013
During the internal CCC review, the CCC lead suggested a change to the
method name to more closely follow the existing getInstance() methods,
so I've changed the name from:
java.security.SecureRandom.getStrongSecureRandom()
to
java.security.SecureRandom.getInstanceStrong()
This particular change will be tracked via:
8025694: Rename getStrongSecureRandom based on feedback
This will collate better (i.e. javadoc/NetBeans) than getStrongInstance().
It was also pointed out that the current strong Window MSCAPI-based
implementation may not be available under the various profiles, so I've
added a SHA1PRNG:SUN fallback in case the MSCAPI is not available.
https://bugs.openjdk.java.net/browse/JDK-8014838
https://bugs.openjdk.java.net/browse/JDK-8025694
http://cr.openjdk.java.net/~wetmore/8025694/webrev.00
(contains both 8025694/8014838)
Even though we are not currently building profiles on Windows currently,
we could in the future, so the profiles team agrees this is a good
compromise.
Brad
On 9/26/2013 4:04 PM, Bradford Wetmore wrote:
> This minor suggestion came up in May from our JCK team:
>
> https://bugs.openjdk.java.net/browse/JDK-8014838
>
> http://cr.openjdk.java.net/~wetmore/8014838/webrev.00/
>
> JCK suggested all implementations should have at least one strong random
> implementation.
>
> I've also changed the error case to throw NoSuchAlgorithmException
> instead of returning null.
>
> CCC review is also underway concurrently, but I'm not expecting any issues.
>
> Brad
More information about the security-dev
mailing list