JDK-8246613 : Choose the default SecureRandom algo based on registration ordering
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8,11,13,15
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2020-06-04
  • Updated: 2022-06-27
  • Resolved: 2020-06-12
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13 JDK 14 JDK 15 JDK 16 JDK 8
11.0.8-oracleFixed 13.0.4Fixed 14.0.2Fixed 15 b28Fixed 16Fixed 8u261Fixed
Related Reports
Relates :  
JDK-8248885 - Unexpected NoSuchAlgorithmException when using secure random impl from Entrust provider
Relates :  
JDK-8248505 - Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
Relates :  
JDK-7092821 - java.security.Provider.getService() is synchronized and became scalability bottleneck
Relates :  
JDK-8246383 - NullPointerException in JceSecurity.getVerificationResult when using Entrust provider
Relates :  
JDK-8228613 - java.security.Provider#getServices order is no longer deterministic
Description
Before the perf enhancement of JDK-7092821, the ordering of provider registration is maintained in a separate collection and consulted when constructing default SecureRandom objects when algorithm isn't supplied.

As part of JDK-7092821, this separate collection is cleaned up as the parent stores the same set of values. The ordering isn't documented anywhere and is not considered part of specification. JDK-8228613 is filed and fixed so that same default SecureRandom algorithm is picked when using SUN provider.

As it turns out, quite some 3rd party providers are affected by this default SecureRandom change as a different default algorithm is chosen when they are the most preferred providers, e.g. JDK-8246383. Thus, the default SecureRandom algo should remain the same.

However, for long term, it'd be nice to have an official mechanism for providers to indicate which one is the default instead of relying on the ordering which is fragile.
Comments
Changeset: 0b8f18be Author: Valerie Peng <valeriep@openjdk.org> Date: 2020-06-12 02:34:44 +0000 URL: https://git.openjdk.java.net/lanai/commit/0b8f18be
02-07-2020
Changeset: 0b8f18be Author: Valerie Peng <valeriep@openjdk.org> Date: 2020-06-12 02:34:44 +0000 URL: https://git.openjdk.java.net/amber/commit/0b8f18be
02-07-2020
Fix request (13u): I would like to have this fix in 13.0.4 for parity with 11.0.8. The original change applies cleanly.
18-06-2020
jdk11 backport request I would like to have the patch in openjdk11 as well, for better parity with 11.0.8_oracle. The patch applies cleanly.
17-06-2020
URL: https://hg.openjdk.java.net/jdk/jdk15/rev/6eeaa40131ff User: valeriep Date: 2020-06-12 02:35:10 +0000
12-06-2020
java.security.Provider class needs to keep track of the 1st registered SecureRandom algorithm.
04-06-2020