[16] RFR JDK-8246383: NullPointerException in JceSecurity.getVerificationResult when using Entrust provider

Sean Mullan sean.mullan at oracle.com
Wed Aug 19 12:47:31 UTC 2020


In the bug report, the following fix was suggested:

"The fix to the issue should be simple, just move the initialization of 
the verificationResults Map BEFORE the SecureRandom initialization in 
JceSecurity.java"

Does that not work for some reason?

--Sean

On 8/19/20 1:13 AM, Xuelei Fan wrote:
> On 8/18/2020 2:43 PM, Valerie Peng wrote:
>>
>> Using a shared instance is surely faster. However, the API specified 
>> that the most preferred SecureRandom impl will be used. To ensure this 
>> for all scenarios, creating default SecureRandom obj will provide 
>> correct result but shared instance may not.
> I understand your point.  It might not break the spec if a shared 
> instance is used.  It depends on the understanding of "most preferred 
> SecureRandom impl" in the context.
> 
> 
>> Apps can call other init functions which takes SecureRandom objects to 
>> avoid this default SecureRandom obj creation if needed.
>>
> Yes, it's an alternative solution.  If an application used the default 
> SecureRandom, it would be nice if there is no performance regression.
> 
> The SecureRandom initialization may be not cheap in some circumstances. 
> As this bug did not complain about the use of shared instance, it may be 
> fine if we want to avoid the performance impact if the impact exists.
> 
> Just for your consideration.
> 
> Xuelei
> 
>> Valerie
>>
>> On 8/18/2020 2:10 PM, Xuelei Fan wrote:
>>> Is there any performance impact?
>>>
>>> Xuelei
>>>
>>> On 8/18/2020 12:51 PM, Valerie Peng wrote:
>>>>
>>>> Anyone has cycles to review this somewhat trivial changes? 
>>>> JceSecurity has this shared SecureRandom instance which may lead to 
>>>> NPE when certain 3rd party JCE provider is set as most preferred. 
>>>> Removing this shared instance and change to create default 
>>>> SecureRandom obj when needed.
>>>>
>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8246383
>>>>
>>>> Webrev: http://cr.openjdk.java.net/~valeriep/8246383/webrev.00/
>>>>
>>>> Thanks,
>>>> Valerie


More information about the security-dev mailing list