RFR 8051408: JEP 273: DRBG-Based SecureRandom Implementations

Xuelei Fan xuelei.fan at oracle.com
Tue Apr 19 13:09:57 UTC 2016


On 4/15/2016 9:
> http://cr.openjdk.java.net/~weijun/8051408/webrev.10/

Please update copyright dates.

src/java.base/share/classes/java/security/Provider.java
-------------------------------------------------------
145-151:  Looks like the comment are not correct.  There are
getInstance(alg,params) since JDK 1.4 (See CertStore)

156-157:  Fallback change the behavior significantly.  Construct with or
without parameter can be very differently.  For example, LDAP cert store
get requested, but the CertStore.getInstane(String,
LDAPCertStoreParameters) may not return an LDAP cert store.  Can you
make more comment why the fallback is OK?

src/java.base/share/classes/java/security/SecureRandom.java
-----------------------------------------------------------
 456    SecureRandomSpi spi = (SecureRandomSpi) instance.impl;
 457    SecureRandom r = new SecureRandom(spi, instance.provider,
algorithm);
 458    return r;

456, there is a whitespace of the casting.

The compiler may optimize the code, but I may use the old style as line
401-402.

Similar comment for 507-510, 553-556.

 477 -       secureRandomSpi.engineNextBytes(bytes);
 667 +       secureRandomSpi.engineNextBytes(
 668 +               Objects.requireNonNull(bytes));
Some provider may tolerant null bytes input (for example SunPKCS11).
Please consider this update more for compatibility.


src/java.base/share/classes/java/security/SecureRandomSpi.java
--------------------------------------------------------------
 124         throw new UnsupportedOperationException("not supported");
 156         throw new UnsupportedOperationException("not supported");

I would like to use no-parameter exception, or more specific message.

 174     @Override
 175     public String toString() {
 176         return getClass().getSimpleName();
 177     }
What's the usage of this new toString() method?


Review the DRBG impl later.

Thanks,
Xuelei





More information about the security-dev mailing list