[PATCH] Add class java.security.StandardMessageDigests
Florian Weimer
fweimer at redhat.com
Tue May 6 09:45:58 UTC 2014
On 05/05/2014 04:43 PM, Xuelei Fan wrote:
>> It's 10% faster, even including the digest overhead for a single-block message.
> clone() is an optional operation for MD. This point may make this class unreliable.
I think the MessageDigest specification requires that this works. The
TLS implementation also relies on this behavior (i.e. clone() either
consistently fails or consistently succeeds).
Note that I'm not blindly calling clone(), I'm providing a fallback in
case clone() does not work.
> I think it might be a better place to make the improvement in crypto providers.
What kind of improvement are you thinking of?
> BTW! I guess in some situation or some providers, clone() might not be a lightweight operation.
Hmm. I can see that the state cannot be cloned at all (that's why
cloning is optional), but allocating a new state has to happen anyway,
no matter how the object is constructed.
>> I think the single-block hashing case is important because it is not always possible to reuse an existing digest object after calling reset().
> It means the reset() does not work. Looks like a bug to me.
What I meant is that there might be no place to store the reference to a
long-term MessageDigest object which is reused again and again, so the
best thing the code can do is to allocate a fresh object when it is needed?
Hmm, maybe we could provide a tread-local message digest that can be
used to hash byte arrays? It would address the simplest possible case
where the instantiation overhead is most visible.
--
Florian Weimer / Red Hat Product Security Team
More information about the security-dev
mailing list