RFR: 8293326: jdk/sun/security/tools/jarsigner/compatibility/SignTwice.java slow on Windows
Weijun Wang
weijun at openjdk.org
Mon Sep 5 18:55:43 UTC 2022
On Mon, 5 Sep 2022 17:25:48 GMT, Bradford Wetmore <wetmore at openjdk.org> wrote:
>> This patch enables SignTwice test to complete faster on Windows machines.
>>
>> The test starts `keytool` and `jarsigner` a number of times, passing `-J-Djava.security.egd=file:/dev/./urandom` to the started process, presumably to avoid blocking on VMs with insufficient entropy. This works fine on machines where `/dev/./urandom` is actually present. On Windows it makes the JVM use `ThreadedSeedGenerator`, which is very slow compared to the other options.
>>
>> The fix removes `java.security.egd` setting on Windows machines.
>>
>> Alternatively we could change the egd to use `file:/dev/urandom` (without the `/./` part); this also fixes the Windows problem. Is the `/./` part still needed? If I understand correctly, it was a workaround for some JDK7 bug.
>
> test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java line 1044:
>
>> 1042: } else {
>> 1043: cmd = new String[args.length + 4];
>> 1044: cmd[3] = "-J-Djava.security.egd=file:/dev/./urandom";
>
> IIRC, this is a workaround for an old issue which no longer applies after JDK-6425477. By default NativePRNG generates from /dev/urandom, only grabbing seed data from /dev/random.
>
> I believe the egd workaround can be completely removed unless there's something that asks for NativePRNGBlocking.
I remember the major problem was the auto-seeding before the first `nextBytes` is called, and it could read `/dev/random`. Not sure it's for SHA1PRNG or NativeRandom.
-------------
PR: https://git.openjdk.org/jdk/pull/10160
More information about the security-dev
mailing list