There is unnecessary resource consumption in `SecureRandom.getInstance()`.
Sean Mullan
sean.mullan at oracle.com
Fri Apr 28 13:02:02 UTC 2023

[This should be discussed on the security alias so I am copying
security-dev and -bcc-ing core-libs-dev]

As Bernd noted, use of SHA1PRNG should ideally be replaced with a
stronger secure random algorithm, so the impact of this issue is
probably not that significant. That said, I think this is still worthy
of fixing.

On 4/28/23 7:40 AM, Bernd wrote:
> There are two solutions I think.
>
> 1. Create a constructor for SecureRandom.

#1 seems easy enough. We can add a SecureRandom(SecureRandomParameters)
to sun.security.provider.SecureRandom. (The ctor can ignore the
parameter and just call SecureRandom()).

I can file an issue on your behalf.

> 2. Compare using getConstructors instead of getConstructor.

--Sean