Discussions
Categories
- 197K All Categories
- 2.5K Data
- 546 Big Data Appliance
- 1.9K Data Science
- 450.8K Databases
- 221.9K General Database Discussions
- 3.8K Java and JavaScript in the Database
- 31 Multilingual Engine
- 552 MySQL Community Space
- 479 NoSQL Database
- 7.9K Oracle Database Express Edition (XE)
- 3.1K ORDS, SODA & JSON in the Database
- 556 SQLcl
- 4K SQL Developer Data Modeler
- 187.2K SQL & PL/SQL
- 21.4K SQL Developer
- 296.4K Development
- 17 Developer Projects
- 139 Programming Languages
- 293.1K Development Tools
- 110 DevOps
- 3.1K QA/Testing
- 646.1K Java
- 28 Java Learning Subscription
- 37K Database Connectivity
- 159 Java Community Process
- 105 Java 25
- 22.1K Java APIs
- 138.2K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 19 Java Essentials
- 162 Java 8 Questions
- 86K Java Programming
- 81 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.3K Java SE
- 13.8K Java Security
- 205 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 471 LiveLabs
- 39 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.7K Other Languages
- 2.3K Chinese
- 175 Deutsche Oracle Community
- 1.1K Español
- 1.9K Japanese
- 233 Portuguese
The staticRandom field in the BigInteger class

Hi all,
In the OpenJDK source code of the BigInteger class, there is a static variable named staticRandom which stores a SecureRandom object:
private static volatile Random staticRandom;
private static Random getSecureRandom() {
if (staticRandom == null) {
staticRandom = new java.security.SecureRandom();
}
return staticRandom;
}
We got troubles if the provider associated with this SecureRandom instance is removed (Security.removeProvider), since this static variable is not refreshed.
Is that a Java bug ?
Answers
-
user3250413 wrote:Hi all,In the OpenJDK source code of the BigInteger class, there is a static variable named staticRandom which stores a SecureRandom object:private static volatile Random staticRandom;private static Random getSecureRandom() { if (staticRandom == null) { staticRandom = new java.security.SecureRandom(); } return staticRandom;}We got troubles if the provider associated with this SecureRandom instance is removed (Security.removeProvider), since this static variable is not refreshed.Is that a Java bug ?
What 'troubles' are you talking about?
What 'provider' are you talking about?
The 'SecureRandom()' constructor you show uses a 'default random number algorithm'. There is no 'provider' to remove.
See the Java API for the constructors available.
https://docs.oracle.com/javase/7/docs/api/java/security/SecureRandom.html
Also, in the code you show the 'Random' instance is a singleton so once it is created it's existence does NOT depend on the provider that created it.
Post an example demonstrating the 'troubles' you refer to.
If you want to report a possible bug do so using your MOS account.
-
The SecureRandom constructor "traverses the list of registered security Providers, starting with the most preferred Provider. A new SecureRandom object encapsulating the SecureRandomSpi implementation from the first Provider that supports the specified algorithm is returned."
In our environment, strong random numbers are generated by a Hardware Security Module (HSM) which uses a specific cryptographic provider (https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#Provider ).
If for some reason, the HSM is no longer available and the provider removed, the SecureRandom singleton does not function since it cannot reach the HSM anymore.
I think that BigInteger should allocate a new instance of SecureRandom each time. If the HSM provider is not available, there are then other providers which will supply SecureRandom service
-
In the Java 8 source code, BigInteger no longer uses the staticRandom variable