JDK-7142339

PKCS7.java is needlessly creating SHA1PRNG SecureRandom instances when timestamping is not done

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 8
    • Fix Version/s: 8
    • Component/s: security-libs
    • Labels:
    • Subcomponent:
    • Resolved In Build:
      b27
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Not verified

        Description

        PKCS7.java has a static initializer that creates a SHA1PRNG, which is only used for generating timestamp nonces. This is not even used during basic JDK startup; this class is getting pulled in during the signed JAR verification of providers like sunpkcs11, etc. I think it would be better to delay this selection until it's actually needed. This is today's code:

            static {
                SecureRandom tmp = null;
                try {
                    tmp = SecureRandom.getInstance("SHA1PRNG");
                } catch (NoSuchAlgorithmException e) {
                    // should not happen
                }
                RANDOM = tmp;
            }

            private static byte[] generatorTimestampToken(...) {
            ...deleted...
            if (RANDOM != null) {
                nonce = new BigInteger(64, RANDOM);
            }

          Activity

          vinnie Vincent Ryan added a comment -
          BT2:EVALUATION

          Use lazy initialization to avoid the overhead of creating a secure random number generator for code that never uses signature timestamping.
          nisriniv Nithya Srinivasan (Inactive) added a comment -
          Written to Vincent for steps to verify this bug, changeset for fix.
          wetmore Bradford Wetmore added a comment -
          This will be very difficult to test, given that externally there is no difference (note the noreg-hard label). You could potentially try to see if the Holder class exists.
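
The lazy initialization suggested in the evaluation can be done with the initialization-on-demand holder idiom, which also makes the "is the generator created?" question observable. This is an added example, not the JDK changeset: `LazyNonceDemo`, `RandomHolder`, `verifyOnly`, `timestampNonce` and `rngCreated` are hypothetical names, and it uses the platform default `new SecureRandom()` rather than the `SHA1PRNG` instance requested in the issue's code.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

// Added illustration; class and member names are hypothetical, not the JDK's.
public class LazyNonceDemo {

    // Records whether the holder's static initializer has run (demo only).
    static volatile boolean rngCreated = false;

    // Initialization-on-demand holder: the JVM initializes this nested class
    // once, thread-safely, on first access to RANDOM. Loading or initializing
    // LazyNonceDemo itself does not trigger it.
    private static final class RandomHolder {
        static final SecureRandom RANDOM = create();

        private static SecureRandom create() {
            rngCreated = true;
            // Assumption: platform default generator instead of "SHA1PRNG".
            return new SecureRandom();
        }
    }

    // Stand-in for a code path that never timestamps, such as signed JAR
    // verification. It must not reference RandomHolder.
    static String verifyOnly(String jarName) {
        return "verified " + jarName;
    }

    // Timestamping path: the only place that needs a nonce, so the only
    // place that pays for creating the generator.
    static BigInteger timestampNonce() {
        return new BigInteger(64, RandomHolder.RANDOM);
    }

    public static void main(String[] args) {
        verifyOnly("provider.jar"); // constructed sample input
        System.out.println("after verifyOnly, RNG created: " + rngCreated);

        BigInteger nonce = timestampNonce();
        System.out.println("after timestampNonce, RNG created: " + rngCreated);
        System.out.println("nonce fits in 64 bits: " + (nonce.bitLength() <= 64));
    }
}
```

The `rngCreated` flag exists only to make the deferred initialization visible from inside the program; externally the two designs behave the same, which is why the change is hard to regression-test.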

            People

            • Assignee:
              vinnie Vincent Ryan
              Reporter:
              wetmore Bradford Wetmore