Forum Stats

  • 3,839,329 Users
  • 2,262,481 Discussions
  • 7,900,934 Comments

Discussions

The staticRandom field in the BigInteger class

user3250413
user3250413 Member Posts: 3

Hi all,

In the OpenJDK source code of the BigInteger class, there is a static variable named staticRandom which stores a SecureRandom object:

private static volatile Random staticRandom;

private static Random getSecureRandom() {

    if (staticRandom == null) {

        staticRandom = new java.security.SecureRandom();

    }

    return staticRandom;

}

We got troubles if the provider associated with this SecureRandom instance is removed (Security.removeProvider), since this static variable is not refreshed.

Is that a Java bug ?

Answers

  • Unknown
    edited Feb 4, 2018 5:05PM
    user3250413 wrote:Hi all,In the OpenJDK source code of the BigInteger class, there is a static variable named staticRandom which stores a SecureRandom object:private static volatile Random staticRandom;private static Random getSecureRandom() { if (staticRandom == null) { staticRandom = new java.security.SecureRandom(); } return staticRandom;}We got troubles if the provider associated with this SecureRandom instance is removed (Security.removeProvider), since this static variable is not refreshed.Is that a Java bug ?

    What 'troubles' are you talking about?

    What 'provider' are you talking about?

    The 'SecureRandom()' constructor you show uses a 'default random number algorithm'. There is no 'provider' to remove.

    See the Java API for the constructors available.

    https://docs.oracle.com/javase/7/docs/api/java/security/SecureRandom.html

    Also, in the code you show the 'Random' instance is a singleton so once it is created it's existence does NOT depend on the provider that created it.

    Post an example demonstrating the 'troubles' you refer to.

    If you want to report a possible bug do so using your MOS account.

  • user3250413
    user3250413 Member Posts: 3
    edited Feb 5, 2018 6:39AM

    The SecureRandom constructor "traverses the list of registered security Providers, starting with the most preferred Provider. A new SecureRandom object encapsulating the SecureRandomSpi implementation from the first Provider that supports the specified algorithm is returned."

    In our environment, strong random numbers are generated by a Hardware Security Module (HSM) which uses a specific cryptographic provider (https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#Provider ).

    If for some reason, the HSM is no longer available and the provider removed, the SecureRandom singleton does not function since it cannot reach the HSM anymore.

    I think that BigInteger should allocate a new instance of SecureRandom each time. If the HSM provider is not available, there are then other providers which will supply SecureRandom service

  • user3250413
    user3250413 Member Posts: 3
    edited Feb 6, 2018 6:06AM

    In the Java 8 source code, BigInteger no longer uses the staticRandom variable

This discussion has been closed.