I added code recently that uses SecureRandom. There's some cost to
creating a new SecureRandom. (Scott says ~35 us on Niagara.)
Here are all the places that create a SecureRandom:
admin/cli/src/main/java/com/sun/enterprise/admin/cli/util/HttpConnectorAddress.java:
    sc.init(null, tms, new SecureRandom());
admin/jmx-remote/client/src/main/java/com/sun/enterprise/admin/jmx/remote/https/HttpsUrlConnector.java:
    sslContext.init(kms, tms, new SecureRandom());
common/common-util/src/main/java/com/sun/enterprise/util/uuid/UuidUtil.java:
    private static SecureRandom _seeder = new SecureRandom();
common/container-common/src/main/java/com/sun/enterprise/container/common/LocalPassword.java:
    SecureRandom random = new SecureRandom();
ejb/ejb-container/src/main/java/com/sun/ejb/base/sfsb/util/ScrambledKeyGenerator.java:
    private SecureRandom random = new SecureRandom();
security/core/src/main/java/com/sun/enterprise/security/auth/realm/file/FileRealm.java:
    SecureRandom rng=new SecureRandom();
security/core/src/main/java/com/sun/enterprise/security/auth/realm/ldap/CustomSocketFactory.java:
    sc.init(sslUtils.getKeyManagers(), sslUtils.getTrustManagers(), new SecureRandom());
security/core/src/main/java/com/sun/enterprise/security/SecurityServicesUtil.java:
    public static final SecureRandom secureRandom = new SecureRandom();
security/core/src/main/java/com/sun/enterprise/security/util/SSHA.java:
    SecureRandom rng=new SecureRandom();
security/core/src/main/java/com/sun/enterprise/security/util/SSHA.java:
    SecureRandom rng=new SecureRandom();
It looks like SecurityServicesUtil is intentionally exposing a SecureRandom
for others to use. Is that right? Should I be using it instead of creating
my own?
Which other uses of SecureRandom should be converted to use this one as well?
(And should it really be a public field? Couldn't applications get access
to it and destroy the randomness by calling setSeed?)
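One way to share a single SecureRandom without exposing the instance itself (an added illustration, not code from GlassFish; the class name SharedRandom and its methods are hypothetical): keep the generator in a private static field and hand out only its output, so no caller can reach setSeed() on it. The main() also times the per-call creation cost the thread is concerned about against the shared instance.

```java
import java.security.SecureRandom;

// Hypothetical alternative to a public static final SecureRandom field.
// The generator is private; callers get bytes, never the object, so they
// cannot call setSeed() (or anything else) on the shared instance.
public final class SharedRandom {
    // Created once at class load; the JDK documents SecureRandom as safe
    // for use by multiple threads, so no extra locking is added here.
    private static final SecureRandom RNG = new SecureRandom();

    private SharedRandom() {}

    /** Fill buf with random bytes from the shared generator. */
    public static void nextBytes(byte[] buf) {
        RNG.nextBytes(buf);
    }

    /** Convenience: n random bytes as lowercase hex (e.g. for a token). */
    public static String hexToken(int n) {
        byte[] buf = new byte[n];
        RNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(2 * n);
        for (byte b : buf) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // Rough comparison of "new SecureRandom() per use" versus the shared
    // instance. Absolute numbers depend on platform and provider.
    public static void main(String[] args) {
        final int iterations = 1000;
        byte[] buf = new byte[16];

        long t0 = System.nanoTime();
        for (int i = 0; i < iterations; i++) {
            new SecureRandom().nextBytes(buf);   // create + use each time
        }
        long perNew = (System.nanoTime() - t0) / iterations;

        t0 = System.nanoTime();
        for (int i = 0; i < iterations; i++) {
            nextBytes(buf);                      // shared, already created
        }
        long perShared = (System.nanoTime() - t0) / iterations;

        System.out.printf("new SecureRandom() per call: %d ns%n", perNew);
        System.out.printf("shared instance per call:    %d ns%n", perShared);
        System.out.println("sample token: " + hexToken(16));
    }
}
```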