There is unnecessary resource consumption in `SecureRandom.getInstance()`.
Sean Mullan
sean.mullan at oracle.com
Fri Apr 28 13:09:45 UTC 2023
Original post is pasted below.
On 4/28/23 9:02 AM, Sean Mullan wrote:
> [This should be discussed on the security alias so I am copying
> security-dev and -bcc-ing core-libs-dev]
>
> As Bernd noted, use of SHA1PRNG should ideally be replaced with a
> stronger secure random algorithm, so the impact of this issue is
> probably not that significant. That said, I think this is still worthy
> of fixing.
>
> On 4/28/23 7:40 AM, Bernd wrote:
>> There are two solutions I think.
>>
>> 1. Create a constructor for SecureRandom.
>
> #1 seems easy enough. We can add a SecureRandom(SecureRandomParameters)
> to sun.security.provider.SecureRandom. (The ctor can ignore the
> parameter and just call SecureRandom()).
>
> I can file an issue on your behalf.
>
>> 2. Compare using getConstructors instead of getConstructor.
>
> --Sean
-------------- next part --------------
An embedded message was scrubbed...
From: 구태진 <koo.taejin at gmail.com>
Subject: There is unnecessary resource consumption in `SecureRandom.getInstance()`.
Date: Fri, 28 Apr 2023 15:04:37 +0900
Size: 26461
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20230428/d0b8ca69/ThereisunnecessaryresourceconsumptioninSecureRandom.getInstance..eml>
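The two options discussed in the thread, shown side by side as an added example; this is not code from the JDK or from any participant. It assumes the cost in question comes from an exact-signature `getConstructor` lookup that misses and raises `NoSuchMethodException` before falling back to the no-argument constructor. `LegacyRng`, `PatchedRng` and `CtorLookupDemo` are hypothetical stand-ins.

```java
import java.lang.reflect.Constructor;
import java.security.SecureRandomParameters;

public class CtorLookupDemo {
    // Hypothetical stand-in: implementation with only a no-arg constructor.
    public static class LegacyRng { public LegacyRng() {} }

    // Hypothetical stand-in for option 1: params constructor that ignores its argument.
    public static class PatchedRng {
        public PatchedRng() {}
        public PatchedRng(SecureRandomParameters ignored) { this(); }
    }

    interface Lookup { Object create(Class<?> impl) throws Exception; }

    // Exact-signature lookup; a miss allocates an exception and fills in its stack trace.
    static Object viaGetConstructor(Class<?> impl) throws Exception {
        try {
            return impl.getConstructor(SecureRandomParameters.class).newInstance((Object) null);
        } catch (NoSuchMethodException e) {
            return impl.getConstructor().newInstance();
        }
    }

    // Option 2: scan getConstructors() and compare parameter types; a miss throws nothing.
    static Object viaGetConstructors(Class<?> impl) throws Exception {
        Constructor<?> noArg = null;
        for (Constructor<?> c : impl.getConstructors()) {
            Class<?>[] p = c.getParameterTypes();
            if (p.length == 1 && p[0] == SecureRandomParameters.class) {
                return c.newInstance((Object) null);
            }
            if (p.length == 0) noArg = c;
        }
        if (noArg == null) throw new NoSuchMethodException(impl.getName());
        return noArg.newInstance();
    }

    static long nanosPerCall(Lookup l, Class<?> impl, int n) throws Exception {
        long t0 = System.nanoTime();
        for (int i = 0; i < n; i++) l.create(impl);
        return (System.nanoTime() - t0) / n;
    }

    public static void main(String[] args) throws Exception {
        int n = 200_000;
        nanosPerCall(CtorLookupDemo::viaGetConstructor, LegacyRng.class, n); // JIT warm-up
        System.out.println("current, miss + fallback (ns): " + nanosPerCall(CtorLookupDemo::viaGetConstructor, LegacyRng.class, n));
        System.out.println("option 1, params ctor (ns):    " + nanosPerCall(CtorLookupDemo::viaGetConstructor, PatchedRng.class, n));
        System.out.println("option 2, getConstructors (ns): " + nanosPerCall(CtorLookupDemo::viaGetConstructors, LegacyRng.class, n));
    }
}
```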