On Mon, 5 Sep 2022 17:25:48 GMT, Bradford Wetmore <[email protected]> wrote:
>> This patch enables SignTwice test to complete faster on Windows machines.
>>
>> The test starts `keytool` and `jarsigner` a number of times, passing
>> `-J-Djava.security.egd=file:/dev/./urandom` to the started process,
>> presumably to avoid blocking on VMs with insufficient entropy. This works
>> fine on machines where `/dev/./urandom` is actually present. On Windows it
>> makes the JVM use `ThreadedSeedGenerator`, which is very slow compared to
>> the other options.
>>
>> The fix removes `java.security.egd` setting on Windows machines.
>>
>> Alternatively we could change the egd to use `file:/dev/urandom` (without
>> the `/./` part); this also fixes the Windows problem. Is the `/./` part
>> still needed? If I understand correctly, it was a workaround for some JDK7
>> bug.
>
> test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java line
> 1044:
>
>> 1042: } else {
>> 1043: cmd = new String[args.length + 4];
>> 1044: cmd[3] = "-J-Djava.security.egd=file:/dev/./urandom";
>
> IIRC, this is a workaround for an old issue which no longer applies after
> JDK-6425477. By default NativePRNG generates from /dev/urandom, only
> grabbing seed data from /dev/random.
>
> I believe the egd workaround can be completely removed unless there's
> something that asks for NativePRNGBlocking.
I remember the major problem was the auto-seeding before the first `nextBytes`
is called, and it could read `/dev/random`. Not sure it's for SHA1PRNG or
NativeRandom.
-------------
PR: https://git.openjdk.org/jdk/pull/10160
